Bug 1335488 - Groups resolution shouldn't be done on authn stage
Summary: Groups resolution shouldn't be done on authn stage
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Builtin-Extesnsion.KerbLDAP
Version: 3.6.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-3.6.7
Target Release: 3.6.7
Assignee: Ondra Machacek
QA Contact: Gonza
URL:
Whiteboard:
Depends On:
Blocks: 1335638
Reported: 2016-05-12 10:14 UTC by Ondra Machacek
Modified: 2019-11-14 08:02 UTC (History)
CC List: 7 users

Fixed In Version:
Clone Of:
Clones: 1335638
Environment:
Last Closed: 2016-07-04 12:29:09 UTC
oVirt Team: Infra
Embargoed:
rule-engine: ovirt-3.6.z+
rule-engine: blocker+
sherold: planning_ack+
omachace: devel_ack+
pstehlik: testing_ack+


Attachments
login log (5.80 KB, text/plain)
2016-06-09 08:17 UTC, Gonza
no flags


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 57356 0 ovirt-engine-3.6 MERGED aaa: kerbldap: don't resolve groups in authn stage 2016-05-14 20:03:01 UTC

Description Ondra Machacek 2016-05-12 10:14:25 UTC
For kerbldap we are resolving groups also in the authn stage, not only in the authz stage.
This was caused in 3.5 when we moved to using extensions: before, authz + authn were done in one stage in LdapAuthenticateUserCommand.java, and in 3.5 it was split into two stages, but the code was unfortunately preserved.

Comment 1 Red Hat Bugzilla Rules Engine 2016-05-12 10:14:31 UTC
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.

Comment 2 Ondra Machacek 2016-05-12 10:15:56 UTC
The result is that login time is ~two times longer.

Comment 5 Martin Perina 2016-05-17 19:23:41 UTC
On the other hand, aaa-ldap uses connection pooling (which could improve things, especially with multiple concurrent user logins) and also uses caching during nested group resolution (which means that we won't query the same group multiple times during the authz phase if the user is an indirect member of the group and this indirect membership is reachable from several groups from direct membership). But yes, aaa-ldap is especially about adding missing functionality ...
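The two points raised in this bug, that group resolution belongs in the authz stage and not in the authn stage (Description), and that memoizing nested group resolution avoids querying a group reached through several direct memberships more than once (Comment 5), can be shown with a small simulation. The following is an added example, not oVirt or aaa-ldap code: it uses a constructed in-memory directory with a query counter in place of an LDAP server, and the names `Directory`, `authn`, `authz_uncached`, `authz_cached` and `login` are assumptions chosen for the illustration.

```python
"""Constructed illustration (not oVirt code): keep group resolution out of the
authn stage, and memoize nested-group lookups in the authz stage."""
from collections import deque

# Constructed directory data standing in for LDAP: user -> password,
# user -> direct groups, group -> parent groups (nested membership).
USERS = {"alice": "s3cret"}
USER_GROUPS = {"alice": ["dev", "ops"]}
GROUP_PARENTS = {
    "dev": ["engineering"],
    "ops": ["engineering"],
    "engineering": ["staff"],
    "staff": [],
}


class Directory:
    """Stand-in for the LDAP server; counts group queries so the cost is visible."""

    def __init__(self):
        self.group_queries = 0

    def bind(self, user, password):
        # Simulates the LDAP bind used for authentication.
        return USERS.get(user) == password

    def direct_groups(self, user):
        return list(USER_GROUPS.get(user, []))

    def parent_groups(self, group):
        # Every call is one round trip to the directory.
        self.group_queries += 1
        return list(GROUP_PARENTS.get(group, []))


def authn(directory, user, password):
    """Authentication stage: only the bind, no group queries at all."""
    return directory.bind(user, password)


def authz_uncached(directory, user):
    """Naive nested resolution: re-walks ancestors reachable via several paths."""
    groups = []

    def walk(group):
        groups.append(group)
        for parent in directory.parent_groups(group):
            walk(parent)

    for group in directory.direct_groups(user):
        walk(group)
    return set(groups)


def authz_cached(directory, user):
    """Memoized resolution: each group is queried at most once per login."""
    resolved = set()
    queue = deque(directory.direct_groups(user))
    while queue:
        group = queue.popleft()
        if group in resolved:
            continue  # already expanded via another membership path
        resolved.add(group)
        queue.extend(directory.parent_groups(group))
    return resolved


def login(directory, user, password, resolver):
    """Runs authn then authz; returns (authenticated, groups, group queries issued)."""
    before = directory.group_queries
    if not authn(directory, user, password):
        # A failed login must not cost any group lookups.
        return False, set(), directory.group_queries - before
    groups = resolver(directory, user)
    return True, groups, directory.group_queries - before


if __name__ == "__main__":
    print(login(Directory(), "alice", "s3cret", authz_uncached))
    print(login(Directory(), "alice", "s3cret", authz_cached))
    print(login(Directory(), "alice", "wrong-password", authz_cached))
```

With this data `engineering` and `staff` are reachable from both `dev` and `ops`, so the uncached walk issues 6 group queries while the memoized walk issues 4 for the same result set, and a failed bind issues none because groups are never touched in the authn stage.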

Comment 6 Gonza 2016-06-09 08:17:18 UTC
Created attachment 1166195 [details]
login log

Verified with:
rhevm-3.6.7.2-0.1.el6.noarch

Log attached.

