Bug 786199 - [RFE] CLI session support (Store session cookie in ccache for cli users)
Summary: [RFE] CLI session support (Store session cookie in ccache for cli users)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: Namita Soman
URL:
Whiteboard:
Duplicates: 768159 805270
Depends On:
Blocks:
Reported: 2012-01-31 17:23 UTC by Dmitri Pal
Modified: 2018-08-06 17:03 UTC (History)

Fixed In Version: ipa-3.0.0-6.el6
Doc Type: Enhancement
Doc Text:
The identity policy audit command ipa now takes advantage of server-side sessions using a secure cookie. This provides a significant performance improvement because each client request no longer requires full Kerberos authentication. The session cookie is stored in the session keyring, @s (see keyctl(1)). Prior to this update, each ipa command-line request required a full Kerberos authentication which is very time consuming. This was particularly evident when trying to script a series of ipa commands.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:09:51 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0528 0 normal SHIPPED_LIVE Low: ipa security, bug fix and enhancement update 2013-02-21 08:22:21 UTC

Description Dmitri Pal 2012-01-31 17:23:31 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2331

Once session support is complete (1204, 2095) support will need to be added so the CLI can take advantage of this as well.

The plan is to store the cookie in the user's ccache.

Comment 1 Dmitri Pal 2012-03-20 18:41:28 UTC
*** Bug 805270 has been marked as a duplicate of this bug. ***

Comment 2 Dmitri Pal 2012-04-16 21:44:13 UTC
*** Bug 768159 has been marked as a duplicate of this bug. ***

Comment 3 Martin Kosek 2012-06-14 12:06:39 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/54135ecd9a96f59429cfd535f3add282b535d3e3

Testing info taken from the upstream ticket:

This should be invisible to the user.

Use the keyctl command to list your keys:

$ keyctl list @s
2 keys in keyring:
353548226: --alswrv  1000    -1 keyring: _uid.1000
941350591: --alswrv  1000  1000 user: ipa_session_cookie

To remove a key:

$ keyctl unlink 941350591 @s 

Some things to test:

1. Single IPA server
2. Multiple IPA servers w/SRV records
3. Multiple IPA servers w/SRV records, bring primary down
4. After creating a session restart ipa_memcached on server and ensure that a new session is eventually created
5. Use the -vv option to ipa to see the request conversation, e.g. ipa -vv user-show admin

You should see a request go to /ipa/session/xml, respond with a 401, then go to /ipa/xml. All subsequent requests should go to /ipa/session/xml and have the cookie accepted.
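
The request sequence described in the testing notes above, as an added Python model that is not part of the original comment and is not FreeIPA code. `FakeServer`, `Client` and the in-memory session set are hypothetical stand-ins; only the two URL paths come from the page.

```python
# Added model of the request sequence in the testing notes; not FreeIPA code.
import secrets

SESSION_URL = "/ipa/session/xml"   # cookie-authenticated endpoint (from the page)
KERBEROS_URL = "/ipa/xml"          # full Kerberos authentication (from the page)


class FakeServer:
    """Hypothetical server: a set stands in for sessions held by ipa_memcached."""

    def __init__(self):
        self.sessions = set()

    def restart_session_store(self):
        # Assumption: restarting ipa_memcached is modelled as losing all sessions.
        self.sessions.clear()

    def handle(self, url, cookie=None, kerberos=False):
        if url == SESSION_URL:
            # Unknown, missing or stale cookies are rejected, never trusted.
            return (200, None) if cookie in self.sessions else (401, None)
        if url == KERBEROS_URL and kerberos:
            new = secrets.token_hex(16)  # unpredictable session identifier
            self.sessions.add(new)
            return 200, new
        return 401, None


class Client:
    """Tries the session URL first and falls back to Kerberos on a 401."""

    def __init__(self, server):
        self.server, self.cookie, self.trace = server, None, []

    def call(self):
        status, _ = self.server.handle(SESSION_URL, cookie=self.cookie)
        self.trace.append((SESSION_URL, status))
        if status == 401:
            # Replace the rejected cookie with the one from the fresh login.
            status, self.cookie = self.server.handle(KERBEROS_URL, kerberos=True)
            self.trace.append((KERBEROS_URL, status))
        return status
```

The `trace` list plays the role of the `-vv` output: a 401 on the session URL followed by a request to `/ipa/xml` marks a new session being created.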

Comment 5 Rob Crittenden 2012-10-16 19:00:37 UTC
The xmlrpclib.py in Python 2.6 is different enough from 2.7 that this is going to require a patch.

Comment 6 Rob Crittenden 2012-10-23 14:46:09 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3022

Comment 7 Rob Crittenden 2012-11-06 16:48:40 UTC
Another issue we noticed is that we are not sending a correct cookie back to the server; we're including extraneous cookie information from the browser-only Set-Cookie header. We should only be sending the cookie value (e.g. ipa_session=xxxxxxxxxxxxxxxx).

You can see this when using a session:

$ ipa -vv user-show admin

You'll see the Cookie header in the POST request output.
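
One way to reduce a Set-Cookie response header to the value that belongs in the Cookie request header, as an added Python example that is not the FreeIPA patch and not part of the original comment. The function names and the sample header (including its host name and attribute values) are constructed for illustration; only the cookie name `ipa_session` comes from the page.

```python
# Added example; the sample header is constructed, not captured from an IPA server.
SESSION_COOKIE_NAME = "ipa_session"  # cookie name as shown in the comment above

SAMPLE_SET_COOKIE = (
    "ipa_session=0123456789abcdef; Domain=ipa.example.test; Path=/ipa; "
    "Expires=Wed, 07 Nov 2012 17:08:40 GMT; Secure; HttpOnly"
)


def cookie_pair(set_cookie_value):
    """Return (name, value) from one Set-Cookie header value.

    The cookie itself is the text before the first ';'. Everything after
    it is an attribute addressed to the client and is never sent back.
    """
    pair = set_cookie_value.split(";", 1)[0].strip()
    name, sep, value = pair.partition("=")
    if not sep or not name.strip():
        raise ValueError("malformed Set-Cookie value: %r" % set_cookie_value)
    return name.strip(), value.strip()


def request_cookie_header(set_cookie_values, wanted=SESSION_COOKIE_NAME):
    """Build the Cookie request header value from Set-Cookie values.

    Returns only "name=value" for the wanted cookie, or None when there is
    no usable session cookie and full authentication is required.
    """
    found = None
    for raw in set_cookie_values:
        try:
            name, value = cookie_pair(raw)
        except ValueError:
            continue  # skip unparseable headers instead of echoing them back
        if name == wanted and value:
            found = "%s=%s" % (name, value)  # the most recent header wins
    return found


if __name__ == "__main__":
    print("Set-Cookie:", SAMPLE_SET_COOKIE)
    print("Cookie:    ", request_cookie_header([SAMPLE_SET_COOKIE]))
```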

Comment 12 errata-xmlrpc 2013-02-21 09:09:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html