Bug 786199 - [RFE] CLI session support (Store session cookie in ccache for cli users)
Summary: [RFE] CLI session support (Store session cookie in ccache for cli users)
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Namita Soman
: 768159 805270 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2012-01-31 17:23 UTC by Dmitri Pal
Modified: 2018-08-06 17:03 UTC (History)
4 users (show)

Fixed In Version: ipa-3.0.0-6.el6
Doc Type: Enhancement
Doc Text:
The identity policy audit command ipa now takes advantage of server-side sessions using a secure cookie. This provides a significant performance improvement because each client request no longer requires full Kerberos authentication. The session cookie is stored in the session keyring, @s (see keyctl(1)). Prior to this update, each ipa command-line request required a full Kerberos authentication which is very time consuming. This was particularly evident when trying to script a series of ipa commands.
Clone Of:
Last Closed: 2013-02-21 09:09:51 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0528 normal SHIPPED_LIVE Low: ipa security, bug fix and enhancement update 2013-02-21 08:22:21 UTC

Description Dmitri Pal 2012-01-31 17:23:31 UTC
This bug is created as a clone of upstream ticket:

Once session support is complete (1204, 2095) support will need to be added so the CLI can take advantage of this as well.

The plan is to store the cookie in the user's ccache.

Comment 1 Dmitri Pal 2012-03-20 18:41:28 UTC
*** Bug 805270 has been marked as a duplicate of this bug. ***

Comment 2 Dmitri Pal 2012-04-16 21:44:13 UTC
*** Bug 768159 has been marked as a duplicate of this bug. ***

Comment 3 Martin Kosek 2012-06-14 12:06:39 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/54135ecd9a96f59429cfd535f3add282b535d3e3

Testing info taken from the upstream ticket:

This should be invisible to the user.

Use the keyctl command to list your keys:

$ keyctl list @s
2 keys in keyring:
353548226: --alswrv  1000    -1 keyring: _uid.1000
941350591: --alswrv  1000  1000 user: ipa_session_cookie

To remove a key:

$ keyctl unlink 941350591 @s 

Some things to test:

Single IPA server
1. Multiple IPA servers w/SRV records
2. Multiple IPA servers w/SRV records, bring primary down
3. After creating a session restart ipa_memcached on server and ensure that a new session is eventually created
4. Use the -vv option to ipa to see the request conversation, e.g. ipa -vv user-show admin

You should see a request go to /ipa/session/xml, respond with a 401, then go to /ipa/xml. All subsequent requests should go to /ipa/session/xml and have the cookie accepted.

Comment 5 Rob Crittenden 2012-10-16 19:00:37 UTC
The xmlrpclib.py in Python 2.6 is different enough from 2.7 that this is going to require a patch.

Comment 6 Rob Crittenden 2012-10-23 14:46:09 UTC
Upstream ticket:

Comment 7 Rob Crittenden 2012-11-06 16:48:40 UTC
Another issue we noticed is that we are not sending a correct cookie back to the server, we're including extraneous cookie information from the browser only Set-Cookie header. We should only be sending the cookie value (e.g. ipa_session=xxxxxxxxxxxxxxxx). 

You can see this when using a session:

$ ipa -vv user-show admin

You'll see the Cookie header in the POST request output.

Comment 12 errata-xmlrpc 2013-02-21 09:09:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.