Bug 734753 - Improve TCMS performance [NEEDINFO]
Summary: Improve TCMS performance
Keywords:
Status: ASSIGNED
Alias: None
Product: TCMS
Classification: Other
Component: Web UI
Version: 3.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.0
Assignee: June Zhang
QA Contact: Nobody
URL:
Whiteboard:
Depends On:
Blocks: 593666 729996
Reported: 2011-08-31 11:04 UTC by Daniel Mach
Modified: 2025-01-01 08:27 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-05-21 06:34:42 UTC
Embargoed:
azelinka: needinfo? (nli)



Description Daniel Mach 2011-08-31 11:04:46 UTC
According to Nitrate sources, everything under '/' location is kerberized (KrbMethodNegotiate on).

If you turn it off for the whole site except a login page and use a session cookie to authenticate on other places, it will significantly boost overall performance.


If you want to know more details, let me know.
I've implemented auth this way in several tools and it really helped.

Comment 1 cqi 2012-03-27 09:00:07 UTC
Thanks for your suggestion. However, this refers to the deployment, and according to Red Hat security policy it is not allowed to do it that way.

Comment 2 Marian Ganisin 2012-03-27 10:29:27 UTC
(In reply to comment #1)
> Thanks for your suggestion. However, this refers to the deployment and
> according to redhat security policy, it does not allow to do that way.

This sounds strange; Bugzilla is using exactly this approach: authenticate once, then use a cookie to keep the authorized session. I don't think that Bugzilla is not in accordance with security policy.

Comment 3 Daniel Mach 2012-03-27 10:50:33 UTC
Could you point me to that policy?
If it really says we can't use session cookies, it's the best time to contact its author and convince him otherwise :)

Comment 4 cqi 2012-03-27 11:35:46 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > Thanks for your suggestion. However, this refers to the deployment and
> > according to redhat security policy, it does not allow to do that way.
> 
> This sounds strange, bugzilla is using exactly this approach, authenticate
> once, then use cookie to keep authorized session. I don't think that bugzilla
> is not in accordance with security policy.

My reply is mainly aimed at this point: "If you turn it off for the whole site except a login page". Bugzilla does not use Kerberos authentication. This is different from what TCMS does.

Comment 5 cqi 2012-03-27 11:44:49 UTC
(In reply to comment #3)
> Could you point me to that policy?
> If it really says we can't use session cookies, it's the best time to contact
> it's author and convince him otherwise :)

https://home.corp.redhat.com/wiki/information-security

I mean that turning off HTTPS does not follow the policy.

Comment 6 Marian Ganisin 2012-03-27 12:00:43 UTC
This is not a request to turn off HTTPS, authentication or authorization. Nobody asked for that.

This request is about reducing the amount of HTTP auth requests. A session cookie can be assigned to the user based on successful HTTP authentication; this cookie can then be used for further authorization. If a request without a valid cookie arrives, HTTP auth is requested again.

This is a common approach used by many sites; as an advantage, it will significantly improve the response of TCMS.

Comment 7 Daniel Mach 2012-03-27 12:04:12 UTC
It's not about turning HTTPS off completely.
I proposed to turn kerberos off except the login page.

Typical workflow:
 1) user visits web page via *HTTPS*
 2) no session cookie -> redirect to a *kerberized* login page
 3) session cookie is created
 4) redirect back to the original address, no kerberos auth used, only the valid session cookie

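The four-step workflow above, as an added example that is not part of this bug report or of Nitrate's own code: a minimal Python dispatcher in which only /login trusts REMOTE_USER (what the Apache Kerberos module sets after a Negotiate exchange), and every other path is decided solely by an HMAC-signed, expiring cookie. The secret, cookie name, TTL and user names are constructed for the demo.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed values: a real deployment keeps the secret outside the code and rotates it.
SECRET = b"constructed-demo-secret"
COOKIE = "tcms_session"          # hypothetical cookie name
TTL = 8 * 3600                   # seconds a session cookie stays valid
ATTRS = "; Path=/; Secure; HttpOnly; SameSite=Lax"  # HTTPS-only, not readable by scripts


def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_cookie(user, now=None):
    """Step 3: build 'user|expiry|hmac' for a principal the kerberized /login verified."""
    exp = int((time.time() if now is None else now) + TTL)
    payload = "%s|%d" % (user, exp)
    return payload + "|" + _sign(payload.encode())


def verify_cookie(value, now=None):
    """Return the user name if signature and expiry check out, else None."""
    try:
        user, exp, sig = value.rsplit("|", 2)
        exp = int(exp)
    except ValueError:
        return None
    expected = _sign(("%s|%d" % (user, exp)).encode())
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if exp < (time.time() if now is None else now):
        return None
    return user


def handle(path, cookies, remote_user=None, next_url="/", now=None):
    """Dispatch one HTTPS request as (status, headers, body); remote_user is what
    the Kerberos module would set, and Apache only does that for /login."""
    if path == "/login":
        if not remote_user:                      # step 2: Kerberos still required here
            return 401, {"WWW-Authenticate": "Negotiate"}, ""
        if not next_url.startswith("/") or next_url.startswith("//"):
            next_url = "/"                       # refuse off-site redirect targets
        return 303, {"Set-Cookie": COOKIE + "=" + issue_cookie(remote_user, now) + ATTRS,
                     "Location": next_url}, ""    # step 4: back to the original address
    user = verify_cookie(cookies.get(COOKIE, ""), now)
    if user is None:                             # step 2: no valid cookie -> kerberized login
        return 302, {"Location": "/login?next=" + quote(path, safe="")}, ""
    return 200, {}, "authenticated as " + user   # no Kerberos round trip on this request
```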
Comment 8 cqi 2012-03-28 01:21:52 UTC
(In reply to comment #7)
> It's not about turning HTTPS off completely.
> I proposed to turn kerberos off except the login page.
> 
> Typical workflow:
>  1) user visits web page via *HTTPS*
>  2) no session cookie -> redirect to a *kerberized* login page
>  3) session cookie is created
>  4) redirect back to the original address, no kerberos auth used, only the
> valid session cookie

I know this workflow; it is a normal workflow for authenticating subsequent requests in a Web app. You really pointed out an aspect that we should pay more attention to. Thanks again.

Comment 9 cqi 2012-03-29 07:17:50 UTC
(In reply to comment #0)
> According to Nitrate sources, everything under '/' location is kerberized
> (KrbMethodNegotiate on).
> 
> If you turn it off for the whole site except a login page and use a session
> cookie to authenticate on other places, it will significantly boost overall
> performance.
> 
> 
> If you want to know more details, let me know.
> I've implemented auth this way in several tools and it really helped.

If the client's Web browser, like Firefox, does not turn on negotiation mode, each request is authenticated by the HTTP Basic authentication mechanism, thus there is only one step to authenticate the client.

Comment 10 Marian Ganisin 2012-05-21 06:48:41 UTC
(In reply to comment #9)
> If client's Web browser, like Firefox, does not turn negotiation mode, each
> request is authenticated by HTTP Basic authentication mechanism, thus there
> is only one step to authenticate client.

Basic authentication doesn't seem to be sufficient, as it requires the Kerberos password to be sent in plain text. We all turn on Negotiate for 2 reasons: comfort and security.

Comment 11 Ales Zelinka 2012-12-05 18:25:06 UTC
ping, any progress on this?

Comment 12 yawei Li 2012-12-12 06:24:38 UTC
We are investigating the performance improvement solutions for TCMS 4.0. Your suggestion is one of the solutions; we need eng-ops confirmation on it. If they agree, we will implement it in TCMS 4.0, along with other solutions.
Will update with the confirmation from eng-ops.

