Bug 786199

Summary: [RFE] CLI session support (Store session cookie in ccache for cli users)
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: high    
Version: 6.3CC: jamsmith, jgalipea, ksiddiqu, mkosek
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-3.0.0-6.el6 Doc Type: Enhancement
Doc Text:
The identity policy audit command ipa now takes advantage of server-side sessions using a secure cookie. This provides a significant performance improvement because each client request no longer requires full Kerberos authentication. The session cookie is stored in the session keyring, @s (see keyctl(1)). Prior to this update, each ipa command-line request required a full Kerberos authentication which is very time consuming. This was particularly evident when trying to script a series of ipa commands.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 09:09:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dmitri Pal 2012-01-31 17:23:31 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2331

Once session support is complete (1204, 2095) support will need to be added so the CLI can take advantage of this as well.

The plan is to store the cookie in the user's ccache.
Comment 1 Dmitri Pal 2012-03-20 18:41:28 UTC 
*** Bug 805270 has been marked as a duplicate of this bug. ***
Comment 2 Dmitri Pal 2012-04-16 21:44:13 UTC 
*** Bug 768159 has been marked as a duplicate of this bug. ***
Comment 3 Martin Kosek 2012-06-14 12:06:39 UTC 
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/54135ecd9a96f59429cfd535f3add282b535d3e3

Testing info taken from the upstream ticket:

This should be invisible to the user.

Use the keyctl command to list your keys:

$ keyctl list @s
2 keys in keyring:
353548226: --alswrv  1000    -1 keyring: _uid.1000
941350591: --alswrv  1000  1000 user: ipa_session_cookie

To remove a key:

$ keyctl unlink 941350591 @s 

Some things to test:

Single IPA server
1. Multiple IPA servers w/SRV records
2. Multiple IPA servers w/SRV records, bring primary down
3. After creating a session restart ipa_memcached on server and ensure that a new session is eventually created
4. Use the -vv option to ipa to see the request conversation, e.g. ipa -vv user-show admin

You should see a request go to /ipa/session/xml, respond with a 401, then go to /ipa/xml. All subsequent requests should go to /ipa/session/xml and have the cookie accepted.
Comment 5 Rob Crittenden 2012-10-16 19:00:37 UTC 
The xmlrpclib.py in Python 2.6 is different enough from 2.7 that this is going to require a patch.
Comment 6 Rob Crittenden 2012-10-23 14:46:09 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3022
Comment 7 Rob Crittenden 2012-11-06 16:48:40 UTC 
Another issue we noticed is that we are not sending a correct cookie back to the server, we're including extraneous cookie information from the browser only Set-Cookie header. We should only be sending the cookie value (e.g. ipa_session=xxxxxxxxxxxxxxxx). 

You can see this when using a session:

$ ipa -vv user-show admin

You'll see the Cookie header in the POST request output.
Comment 12 errata-xmlrpc 2013-02-21 09:09:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html