Bug 1256518

Summary: database cleanup/expire procedure
Product: Red Hat Enterprise Linux 7
Component: ipsilon
Version: 7.2
Status: CLOSED ERRATA
Severity: unspecified
Priority: medium
Reporter: Nathan Kinder <nkinder>
Assignee: Rob Crittenden <rcritten>
QA Contact: Namita Soman <nsoman>
CC: jpazdziora, puiterwijk, spoore, vkabatov
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipsilon-1.0.0-11.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 10:50:57 UTC

Description Nathan Kinder 2015-08-24 19:57:06 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/ipsilon/ticket/155

Currently only the saml2 session database has a background task for cleanup. A generic mechanism is needed to clean up/expire old entries across any database.

The default should be to do nothing as some (e.g. config) don't need cleanup.

Comment 3 Patrick Uiterwijk 2015-09-06 17:11:39 UTC
This has been fixed upstream in the following commits:
Framework: 1e985d549481a2ca0e03440e410912b4e2b49271
TranStore: 2b17119bb97eba45030d18f590624c2b2a9f257e
Sessions: 24fa1f2acd9cb84342064ec59b311968353fd0ae
OpenIDStore: 11bbbe3ac6a0842599ab2e5110427758ebaa5573

Comment 6 Patrick Uiterwijk 2015-09-22 16:32:40 UTC
*** Bug 1265261 has been marked as a duplicate of this bug. ***

Comment 7 Jan Pazdziora 2015-09-23 06:16:33 UTC
Per bug 1265261, things are broken in ipsilon-1.0.0-10 so this bugzilla should likely be in ASSIGNED, for fix in the backport.

Comment 9 Scott Poore 2015-10-14 17:43:33 UTC
Verified.

Version ::

ipsilon-1.0.0-12.el7.noarch

Results ::

I installed IPA Server and 2 clients.  1 IPA client set up as IDP server and the other set up as SP.

Create a user and log in to a third IPA client workstation with X.  Configure Firefox for Kerberos for the IPA domain.

Set up IDP debug logging:

/etc/ipsilon/idp/ipsilon.conf
[global]
debug = True
tools.log_request_response.on = True
...
db.conn.log = True
log.screen = True
...

Then connect via GSSAPI from workstation as user to SP.  Check logs on IDP for scheduled cleanups:

[Wed Oct 14 11:09:53.937544 2015] [:error] [pid 11211] [14/Oct/2015:11:09:53] ENGINE Started monitor thread 'Session cleanup'.
...
[Wed Oct 14 11:09:53.942111 2015] [:error] [pid 11211] [14/Oct/2015:11:09:53]  DEBUG(ipsilon/util/data.py:317 TranStore._schedule_cleanup()): Scheduling cleanups for TranStore
...
[Wed Oct 14 11:10:53.971045 2015] [:error] [pid 11211] [14/Oct/2015:11:10:53]  DEBUG(ipsilon/util/data.py:345 SAML2SessionStore._maybe_run_cleanup()): Cleaned up 0 entries for SAML2SessionStore
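
The log check from comment 9 can be scripted. The following is an added example, not part of the comment or of ipsilon: it parses the two debug messages quoted above and reports, per store, whether a cleanup was scheduled, how often it ran and how many entries it removed. The function names and the two sample lines marked as constructed are assumptions.

```python
import re
from datetime import datetime

# Message formats as they appear in the IdP debug log quoted in comment 9.
SCHEDULED = re.compile(r"Scheduling cleanups for (\w+)")
CLEANED = re.compile(r"Cleaned up (\d+) entries for (\w+)")
STAMP = re.compile(r"^\[(\w{3} \w{3} +\d+ [\d:.]+ \d{4})\]")  # Apache error-log prefix

def summarize(lines):
    """Return {store: {"scheduled", "runs", "removed", "last_run"}}."""
    stores = {}
    for line in lines:
        sched, clean = SCHEDULED.search(line), CLEANED.search(line)
        if not (sched or clean):
            continue
        name = sched.group(1) if sched else clean.group(2)
        entry = stores.setdefault(
            name, {"scheduled": False, "runs": 0, "removed": 0, "last_run": None})
        if sched:
            entry["scheduled"] = True
            continue
        entry["runs"] += 1
        entry["removed"] += int(clean.group(1))
        stamp = STAMP.match(line)
        if stamp:
            entry["last_run"] = datetime.strptime(
                stamp.group(1), "%a %b %d %H:%M:%S.%f %Y")
    return stores

def never_ran(stores):
    """Stores that scheduled a cleanup but logged no completed run."""
    return sorted(n for n, e in stores.items() if e["scheduled"] and not e["runs"])

# Lines 1 and 3 are quoted from comment 9; lines 2 and 4 are constructed.
SAMPLE = [
    "[Wed Oct 14 11:09:53.942111 2015] [:error] [pid 11211] [14/Oct/2015:11:09:53]  DEBUG(ipsilon/util/data.py:317 TranStore._schedule_cleanup()): Scheduling cleanups for TranStore",
    "[Wed Oct 14 11:09:53.950000 2015] [:error] [pid 11211] [14/Oct/2015:11:09:53]  DEBUG(ipsilon/util/data.py:317 SAML2SessionStore._schedule_cleanup()): Scheduling cleanups for SAML2SessionStore",
    "[Wed Oct 14 11:10:53.971045 2015] [:error] [pid 11211] [14/Oct/2015:11:10:53]  DEBUG(ipsilon/util/data.py:345 SAML2SessionStore._maybe_run_cleanup()): Cleaned up 0 entries for SAML2SessionStore",
    "[Wed Oct 14 11:11:53.980000 2015] [:error] [pid 11211] [14/Oct/2015:11:11:53]  DEBUG(ipsilon/util/data.py:345 SAML2SessionStore._maybe_run_cleanup()): Cleaned up 4 entries for SAML2SessionStore",
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for store, info in sorted(report.items()):
        print(store, info)
    print("scheduled but never ran:", never_ran(report))
```

A store listed by `never_ran` over a log window longer than its cleanup interval is the case to investigate, since expired sessions or transactions would then remain in its database.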

Comment 10 errata-xmlrpc 2015-11-19 10:50:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-2319.html