Bug 1335488

Summary: Groups resolution shouldn't be done on authn stage
Product: [oVirt] ovirt-engine
Reporter: Ondra Machacek <omachace>
Component: Builtin-Extesnsion.KerbLDAP
Assignee: Ondra Machacek <omachace>
Status: CLOSED CURRENTRELEASE
QA Contact: Gonza <grafuls>
Severity: high
Priority: high
Version: 3.6.3
CC: audgiri, bugs, gscott, mperina, oourfali, pstehlik, sherold
Target Milestone: ovirt-3.6.7
Keywords: Regression, ZStream
Target Release: 3.6.7
Flags: rule-engine: ovirt-3.6.z+, rule-engine: blocker+, sherold: planning_ack+, omachace: devel_ack+, pstehlik: testing_ack+
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clones: 1335638
Last Closed: 2016-07-04 12:29:09 UTC
Type: Bug
oVirt Team: Infra
Bug Blocks: 1335638
Attachments: login log (flags: none)

Description Ondra Machacek 2016-05-12 10:14:25 UTC
For kerbldap we are resolving groups also in the authn stage, not only in the authz stage.
This was caused in 3.5 when we moved to using extensions: before, authz + authn was done in one stage in LdapAuthenticateUserCommand.java, and in 3.5 it was split into two stages, but the code was unfortunately preserved.

Comment 1 Red Hat Bugzilla Rules Engine 2016-05-12 10:14:31 UTC
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.

Comment 2 Ondra Machacek 2016-05-12 10:15:56 UTC
The result is that login time is ~two times longer.

Comment 5 Martin Perina 2016-05-17 19:23:41 UTC
On the other hand aaa-ldap uses connection pooling (which could improve things especially with multiple concurrent user logins) and also uses caching during nested group resolution (which means that we won't query the same group multiple times during the authz phase if the user is an indirect member of the group and this indirect membership is reachable from several groups from direct membership). But yes, aaa-ldap is especially about adding missing functionality ...
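The two points raised above, the regression in the description (groups resolved in both authn and authz, so login costs roughly twice the directory round trips) and the nested-group caching described in Comment 5, can be made concrete with a small simulation. This is an added example, not oVirt's kerbldap or aaa-ldap code: the directory entries, the password table, the FakeLdap round-trip counter and the function names are all constructed for illustration. It shows how many LDAP queries each strategy needs for one login of a user who reaches the same indirect group through two direct groups.

```python
"""Nested LDAP group resolution with and without caching, and the cost of
running it in both the authn and authz stages.

Constructed example: the directory entries, password table and query
counter below are made up for illustration; this is not oVirt's kerbldap
or aaa-ldap code.
"""

# Constructed directory, stored in the memberOf direction:
# entry DN -> set of group DNs the entry is a direct member of.
# alice reaches cn=oncall (and through it cn=admins) via both ops and dev.
MEMBER_OF = {
    "uid=alice,dc=example,dc=com": {"cn=ops,dc=example,dc=com",
                                    "cn=dev,dc=example,dc=com"},
    "cn=ops,dc=example,dc=com": {"cn=oncall,dc=example,dc=com"},
    "cn=dev,dc=example,dc=com": {"cn=oncall,dc=example,dc=com"},
    "cn=oncall,dc=example,dc=com": {"cn=admins,dc=example,dc=com"},
    "cn=admins,dc=example,dc=com": set(),
}
# Constructed credentials; a real deployment binds against the server.
PASSWORDS = {"uid=alice,dc=example,dc=com": "correct horse"}
ALICE = "uid=alice,dc=example,dc=com"


class FakeLdap:
    """Stand-in for an LDAP connection that counts every round trip."""

    def __init__(self, member_of, passwords):
        self._member_of = member_of
        self._passwords = passwords
        self.queries = 0

    def bind(self, dn, password):
        self.queries += 1
        return self._passwords.get(dn) == password

    def member_of(self, dn):
        self.queries += 1
        return set(self._member_of.get(dn, ()))


def resolve_groups_uncached(ldap, dn):
    """Naive recursion: a group reachable via several paths is queried
    once per path, and a membership cycle would never terminate."""
    groups = set()
    for group in ldap.member_of(dn):
        groups.add(group)
        groups |= resolve_groups_uncached(ldap, group)
    return groups


def resolve_groups_cached(ldap, dn):
    """Walk the membership graph once: every group is queried at most once,
    however many paths lead to it, and cycles are harmless."""
    resolved = set()
    pending = [dn]
    while pending:
        for group in ldap.member_of(pending.pop()):
            if group not in resolved:
                resolved.add(group)
                pending.append(group)
    return resolved


def login_groups_in_both_stages(ldap, dn, password):
    """The regression described in the bug: authn resolves groups too,
    so the whole directory walk runs twice per login."""
    if not ldap.bind(dn, password):
        return None
    resolve_groups_cached(ldap, dn)          # result thrown away by authn
    return resolve_groups_cached(ldap, dn)   # authz does it again


def login_groups_in_authz_only(ldap, dn, password):
    """Fixed flow: authn only verifies credentials; authz resolves groups."""
    if not ldap.bind(dn, password):
        return None
    return resolve_groups_cached(ldap, dn)


def measure(func, *args):
    """Run func against a fresh fake directory; return (result, queries)."""
    ldap = FakeLdap(MEMBER_OF, PASSWORDS)
    return func(ldap, *args), ldap.queries


if __name__ == "__main__":
    for name, func, args in [
        ("uncached resolution", resolve_groups_uncached, (ALICE,)),
        ("cached resolution", resolve_groups_cached, (ALICE,)),
        ("groups in authn + authz", login_groups_in_both_stages, (ALICE, "correct horse")),
        ("groups in authz only", login_groups_in_authz_only, (ALICE, "correct horse")),
    ]:
        result, queries = measure(func, *args)
        print(f"{name:24s}: {queries} LDAP round trips, groups={sorted(result)}")
```

With this constructed directory the uncached walk spends 7 round trips and the cached one 5 (each of the five entries is queried exactly once); resolving groups in both stages costs 11 round trips per login against 6 when only authz does it, which is the roughly doubled login time reported in Comment 2. A failed bind stops after the single bind round trip in either flow.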

Comment 6 Gonza 2016-06-09 08:17:18 UTC
Created attachment 1166195
login log

Verified with:
rhevm-3.6.7.2-0.1.el6.noarch

Log attached.