|Summary:||[RFE] CLI session support (Store session cookie in ccache for cli users)|
|Product:||Red Hat Enterprise Linux 6||Reporter:||Dmitri Pal <dpal>|
|Component:||ipa||Assignee:||Rob Crittenden <rcritten>|
|Status:||CLOSED ERRATA||QA Contact:||Namita Soman <nsoman>|
|Version:||6.3||CC:||jamsmith, jgalipea, ksiddiqu, mkosek|
|Fixed In Version:||ipa-3.0.0-6.el6||Doc Type:||Enhancement|
The identity policy audit command ipa now takes advantage of server-side sessions using a secure cookie. This provides a significant performance improvement because each client request no longer requires full Kerberos authentication. The session cookie is stored in the session keyring, @s (see keyctl(1)). Prior to this update, each ipa command-line request required a full Kerberos authentication which is very time consuming. This was particularly evident when trying to script a series of ipa commands.
|Last Closed:||2013-02-21 09:09:51 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Dmitri Pal 2012-01-31 17:23:31 UTC
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/2331 Once session support is complete (1204, 2095) support will need to be added so the CLI can take advantage of this as well. The plan is to store the cookie in the user's ccache.
Comment 1 Dmitri Pal 2012-03-20 18:41:28 UTC
*** Bug 805270 has been marked as a duplicate of this bug. ***
Comment 2 Dmitri Pal 2012-04-16 21:44:13 UTC
*** Bug 768159 has been marked as a duplicate of this bug. ***
Comment 3 Martin Kosek 2012-06-14 12:06:39 UTC
Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/54135ecd9a96f59429cfd535f3add282b535d3e3 Testing info taken from the upstream ticket: This should be invisible to the user. Use the keyctl command to list your keys: $ keyctl list @s 2 keys in keyring: 353548226: --alswrv 1000 -1 keyring: _uid.1000 941350591: --alswrv 1000 1000 user: ipa_session_cookie To remove a key: $ keyctl unlink 941350591 @s Some things to test: Single IPA server 1. Multiple IPA servers w/SRV records 2. Multiple IPA servers w/SRV records, bring primary down 3. After creating a session restart ipa_memcached on server and ensure that a new session is eventually created 4. Use the -vv option to ipa to see the request conversation, e.g. ipa -vv user-show admin You should see a request go to /ipa/session/xml, respond with a 401, then go to /ipa/xml. All subsequent requests should go to /ipa/session/xml and have the cookie accepted.
Comment 5 Rob Crittenden 2012-10-16 19:00:37 UTC
The xmlrpclib.py in Python 2.6 is different enough from 2.7 that this is going to require a patch.
Comment 6 Rob Crittenden 2012-10-23 14:46:09 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3022
Comment 7 Rob Crittenden 2012-11-06 16:48:40 UTC
Another issue we noticed is that we are not sending a correct cookie back to the server, we're including extraneous cookie information from the browser only Set-Cookie header. We should only be sending the cookie value (e.g. ipa_session=xxxxxxxxxxxxxxxx). You can see this when using a session: $ ipa -vv user-show admin You'll see the Cookie header in the POST request output.
Comment 12 errata-xmlrpc 2013-02-21 09:09:51 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html