Bug 786199
Summary: | [RFE] CLI session support (Store session cookie in ccache for cli users) | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Dmitri Pal <dpal> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Docs Contact: | |
Priority: | high | ||
Version: | 6.3 | CC: | jamsmith, jgalipea, ksiddiqu, mkosek |
Target Milestone: | rc | Keywords: | FutureFeature |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-3.0.0-6.el6 | Doc Type: | Enhancement |
Doc Text: |
The identity policy audit command ipa now takes advantage of server-side sessions using a secure cookie. This provides a significant performance improvement because each client request no longer requires full Kerberos authentication. The session cookie is stored in the session keyring, @s (see keyctl(1)).
Prior to this update, each ipa command-line request required a full Kerberos authentication which is very time consuming. This was particularly evident when trying to script a series of ipa commands.
|
Last Closed: | 2013-02-21 09:09:51 UTC | Type: | --- |
Description
Dmitri Pal
2012-01-31 17:23:31 UTC
*** Bug 805270 has been marked as a duplicate of this bug. ***

*** Bug 768159 has been marked as a duplicate of this bug. ***

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/54135ecd9a96f59429cfd535f3add282b535d3e3

Testing info taken from the upstream ticket:

This should be invisible to the user.

Use the keyctl command to list your keys:

    $ keyctl list @s
    2 keys in keyring:
    353548226: --alswrv 1000 -1 keyring: _uid.1000
    941350591: --alswrv 1000 1000 user: ipa_session_cookie

To remove a key:

    $ keyctl unlink 941350591 @s

Some things to test:

1. Single IPA server
2. Multiple IPA servers w/SRV records
3. Multiple IPA servers w/SRV records, bring primary down
4. After creating a session restart ipa_memcached on server and ensure that a new session is eventually created
5. Use the -vv option to ipa to see the request conversation, e.g.

    ipa -vv user-show admin

   You should see a request go to /ipa/session/xml, respond with a 401, then go to /ipa/xml. All subsequent requests should go to /ipa/session/xml and have the cookie accepted.

The xmlrpclib.py in Python 2.6 is different enough from 2.7 that this is going to require a patch.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/3022

Another issue we noticed is that we are not sending a correct cookie back to the server, we're including extraneous cookie information from the browser only Set-Cookie header. We should only be sending the cookie value (e.g. ipa_session=xxxxxxxxxxxxxxxx).

You can see this when using a session:

    $ ipa -vv user-show admin

You'll see the Cookie header in the POST request output.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
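The cookie issue raised in the comments above, as an added example (not FreeIPA's code): reduce a Set-Cookie header to the single `name=value` pair a client should send back, and flag response-only attributes that have leaked into a Cookie request header such as the one printed by `ipa -vv`. The function names, the header value and the host name are constructed for illustration; only the cookie name `ipa_session` comes from this report.

```python
SESSION_COOKIE_NAME = "ipa_session"  # cookie name quoted in the bug report

# Attributes defined for Set-Cookie (RFC 6265); none belong in a request.
RESPONSE_ONLY = {"expires", "max-age", "domain", "path", "secure", "httponly"}

# Constructed sample, not captured from a real server.
SAMPLE_SET_COOKIE = (
    "ipa_session=0123456789abcdef; Domain=ipa.example.test; Path=/ipa; "
    "Expires=Fri, 21 Sep 2012 19:32:10 GMT; Secure; HttpOnly"
)


def cookie_pair_from_set_cookie(set_cookie, wanted=SESSION_COOKIE_NAME):
    """Return 'name=value' for the wanted cookie, or None if it is absent.

    Everything after the first ';' in a Set-Cookie header is attribute
    data for the client and must not be echoed back to the server.
    """
    if "\r" in set_cookie or "\n" in set_cookie:
        raise ValueError("line break inside Set-Cookie header value")
    pair = set_cookie.split(";", 1)[0]
    name, sep, value = pair.partition("=")
    name, value = name.strip(), value.strip()
    if not sep or name != wanted or not value:
        return None
    return "%s=%s" % (name, value)


def leaked_attributes(cookie_header):
    """List Set-Cookie attribute names found in a Cookie request header.

    Heuristic: a cookie could legally be named 'path', but for a client
    that only sends the session cookie any hit indicates the bug.
    """
    found = []
    for part in cookie_header.split(";"):
        key = part.strip().partition("=")[0].strip().lower()
        if key in RESPONSE_ONLY:
            found.append(key)
    return found


if __name__ == "__main__":
    print("buggy Cookie header leaks:", leaked_attributes(SAMPLE_SET_COOKIE))
    print("correct Cookie header:   ", cookie_pair_from_set_cookie(SAMPLE_SET_COOKIE))
```

Storing only the returned pair in the keyring also keeps the `Expires` and `Domain` metadata out of later requests.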