autopolicy: Add policy for UserPolicyMode (loopback processing)
Issue description
- Add a device policy for loopback processing, similar to the Windows policy
- Use that policy in authpolicyd instead of the Windows policy
- Get rid of WindowsPolicy in authpolicyd
Feb 2 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/59b7c899b3748fd384bbe753964a0242e56db587

commit 59b7c899b3748fd384bbe753964a0242e56db587
Author: Lutz Justen <ljusten@chromium.org>
Date: Fri Feb 02 18:14:53 2018

Add DeviceUserPolicyLoopbackProcessingMode policy

Adds the DeviceUserPolicyLoopbackProcessingMode Chrome OS device policy. For Active Directory managed Chromebooks, which receive their policy via Active Directory group policy objects (GPOs), the policy controls whether user policy in device GPOs is taken into account and how it interacts with the usual user policy in user GPOs. This is called loopback processing.

The policy is the Chrome OS equivalent of the UserPolicyMode policy on Windows. It is consumed in the AuthPolicy daemon in Chrome OS. Chrome doesn't touch it.

BUG= chromium:807999
TEST=Tryjobs
Copied proto file over manually to Chrome OS and made sure it works

Change-Id: I909267c9a4d8b354f01e7f9ad4853068512ed58f
Reviewed-on: https://chromium-review.googlesource.com/899144
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>
Commit-Queue: Lutz Justen <ljusten@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534099}

[modify] https://crrev.com/59b7c899b3748fd384bbe753964a0242e56db587/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/59b7c899b3748fd384bbe753964a0242e56db587/components/policy/proto/chrome_device_policy.proto
[modify] https://crrev.com/59b7c899b3748fd384bbe753964a0242e56db587/components/policy/resources/policy_templates.json
[modify] https://crrev.com/59b7c899b3748fd384bbe753964a0242e56db587/tools/metrics/histograms/enums.xml
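The loopback behaviour described in the commit message above, as an added example that is not Chromium or authpolicyd code. The mode names, the Gpo struct and the sample policy values are assumptions, and the precedence follows Windows loopback semantics (Merge lets device GPOs win on conflict, Replace ignores user GPOs).

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Hypothetical names for illustration; these are not authpolicyd's types.
enum class LoopbackMode { kDefault, kMerge, kReplace };
using PolicyMap = std::map<std::string, std::string>;

// User-policy section of one GPO. Lists are ordered lowest priority first.
struct Gpo {
  std::string name;
  PolicyMap user_policy;
};

// Later GPOs overwrite values set by earlier ones.
static void Apply(const std::vector<Gpo>& gpos, PolicyMap* out) {
  for (const Gpo& gpo : gpos)
    for (const auto& kv : gpo.user_policy) (*out)[kv.first] = kv.second;
}

// Assumed semantics (Windows loopback): Default reads user GPOs only, Merge
// applies user GPOs then device GPOs (device wins), Replace reads device GPOs only.
PolicyMap EffectiveUserPolicy(LoopbackMode mode,
                              const std::vector<Gpo>& user_gpos,
                              const std::vector<Gpo>& device_gpos) {
  PolicyMap result;
  if (mode != LoopbackMode::kReplace) Apply(user_gpos, &result);
  if (mode != LoopbackMode::kDefault) Apply(device_gpos, &result);
  return result;
}

// Constructed sample GPOs: a per-user baseline and a locked-down lab device.
std::vector<Gpo> SampleUserGpos() {
  return {Gpo{"UserBaseline", PolicyMap{{"HomepageLocation", "https://intranet.example"},
                                        {"IncognitoModeAvailability", "0"}}}};
}
std::vector<Gpo> SampleDeviceGpos() {
  return {Gpo{"LabDevices", PolicyMap{{"IncognitoModeAvailability", "1"},
                                      {"PrintingEnabled", "false"}}}};
}

int main() {
  for (LoopbackMode mode : {LoopbackMode::kDefault, LoopbackMode::kMerge, LoopbackMode::kReplace}) {
    std::cout << "mode " << static_cast<int>(mode) << ":\n";
    for (const auto& kv : EffectiveUserPolicy(mode, SampleUserGpos(), SampleDeviceGpos()))
      std::cout << "  " << kv.first << " = " << kv.second << "\n";
  }
}
```

With Replace, a restriction set in a device GPO applies to every user who signs in on that device, whatever their own user GPOs say.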
Feb 5 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/5bf1ab96c7cc1d799c6cda0ff6731c2a4de3403e

commit 5bf1ab96c7cc1d799c6cda0ff6731c2a4de3403e
Author: Lutz Justen <ljusten@chromium.org>
Date: Mon Feb 05 12:11:06 2018

Decode new device policies

Reads two new device policies DeviceUserPolicyLoopbackProcessingMode and DeviceKerberosEncryptionTypes from the proto to the policy map, so that they show up on chrome://policy. Other than that, the policies are not used in Chrome, only in authpolicyd.

Also fixes the name of the DeviceUserPolicyLoopbackProcessingMode field to match naming conventions (it's not used anywhere yet).

BUG=chromium:801704, chromium:807999
TEST=Tryjobs
Tested manually on Chrome OS device

Change-Id: Ic64fb43716bba43c28e8719c5aaa6c2a354e0e5e
Reviewed-on: https://chromium-review.googlesource.com/901323
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Commit-Queue: Lutz Justen <ljusten@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534370}

[modify] https://crrev.com/5bf1ab96c7cc1d799c6cda0ff6731c2a4de3403e/chrome/browser/chromeos/policy/device_policy_decoder_chromeos.cc
[modify] https://crrev.com/5bf1ab96c7cc1d799c6cda0ff6731c2a4de3403e/components/policy/proto/chrome_device_policy.proto
Feb 8 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform/system_api/+/046823f5dd63e7d62ef082ca2b9d4f33b049f763

commit 046823f5dd63e7d62ef082ca2b9d4f33b049f763
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Feb 08 12:02:01 2018

authpolicy: Rename an error enum

We decided to get rid of Windows policy in the authpolicy daemon and instead replicate the one Windows policy we use so far as device policy. Thus, user policy fetch now relies on the availability of device policy, not Windows policy, but it's still the same error.

Keeps the old error until Chrome uses the new one.

BUG= chromium:807999
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: I6e9b30b13532a8e601e66847e7d944b1d3859d41
Reviewed-on: https://chromium-review.googlesource.com/901285
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Dan Erat <derat@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/046823f5dd63e7d62ef082ca2b9d4f33b049f763/dbus/authpolicy/active_directory_info.proto
Feb 8 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3

commit f5b9fbfce7c04907c9a696c754ee84d9a31f98e3
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Feb 08 12:01:59 2018

authpolicy: Use user policy mode from device policy

We decided not to use Windows policies and replicate any Windows policy we use as Chrome OS policy to keep things clean and to reduce confusion for admins. Therefore, DeviceUserPolicyLoopbackProcessingMode was created to replace the equivalent Windows policy. It is the only Windows policy used so far.

This CL gets rid of any WindowsPolicy specific code and reads DeviceUserPolicyLoopbackProcessingMode instead.

CQ-DEPEND=CL:906426,CL:901285
BUG= chromium:807999
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: I018c91ebb5ce09f8373005d5401b4748737b858c
Reviewed-on: https://chromium-review.googlesource.com/906424
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[delete] https://crrev.com/141a3bd63cea89d62080b921761bc3a3de609f9a/authpolicy/policy/windows_policy_encoder.cc
[delete] https://crrev.com/141a3bd63cea89d62080b921761bc3a3de609f9a/authpolicy/windows_policy_manager_unittest.cc
[modify] https://crrev.com/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3/authpolicy/policy/device_policy_encoder.cc
[modify] https://crrev.com/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3/authpolicy/policy/preg_policy_encoder.cc
[modify] https://crrev.com/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3/authpolicy/path_service.cc
[delete] https://crrev.com/141a3bd63cea89d62080b921761bc3a3de609f9a/authpolicy/policy/windows_policy_encoder.h
[modify] https://crrev.com/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3/authpolicy/policy/policy_encoder_helper.cc
[delete] https://crrev.com/141a3bd63cea89d62080b921761bc3a3de609f9a/authpolicy/policy/windows_policy_encoder_unittest.cc
[delete] https://crrev.com/141a3bd63cea89d62080b921761bc3a3de609f9a/authpolicy/windows_policy_manager.cc
[modify] https://crrev.com/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3/authpolicy/policy/preg_policy_writer.cc
[modify] https://crrev.com/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3/authpolicy/samba_interface.cc
[delete] https://crrev.com/141a3bd63cea89d62080b921761bc3a3de609f9a/authpolicy/policy/windows_policy_keys.h
[modify] https://crrev.com/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3/authpolicy/authpolicy_parser_main.cc
[modify] https://crrev.com/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3/authpolicy/path_service.h
[modify] https://crrev.com/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3/authpolicy/policy/preg_policy_encoder.h
[modify] https://crrev.com/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3/authpolicy/proto/authpolicy_containers.proto
[modify] https://crrev.com/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3/authpolicy/authpolicy.gyp
[modify] https://crrev.com/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3/authpolicy/policy/device_policy_encoder_unittest.cc
[delete] https://crrev.com/141a3bd63cea89d62080b921761bc3a3de609f9a/authpolicy/policy/windows_policy_keys.cc
[modify] https://crrev.com/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3/authpolicy/samba_interface.h
[modify] https://crrev.com/f5b9fbfce7c04907c9a696c754ee84d9a31f98e3/authpolicy/policy/preg_policy_writer.h
[delete] https://crrev.com/141a3bd63cea89d62080b921761bc3a3de609f9a/authpolicy/windows_policy_manager.h
Feb 8 2018
Apr 25 2018
Verified, the DeviceUserPolicyLoopbackProcessingMode policy is present, authpolicyd fetches and parses Device and then User policies using Active Directory GPO:

2018-04-24T14:22:26.681492-07:00 INFO authpolicyd[8343]: #033[41;1;97mReceived 'RefreshDevicePolicy' request#033[0m
2018-04-24T14:22:32.102479-07:00 INFO authpolicyd[8343]: Getting device GPO list for device account
2018-04-24T14:22:44.811438-07:00 INFO authpolicyd[8343]: Device policy fetch and parsing succeeded
2018-04-24T14:22:44.812014-07:00 INFO authpolicyd[8343]: #033[41;1;97mReceived 'RefreshUserPolicy' request#033[0m
2018-04-24T14:22:50.136232-07:00 INFO authpolicyd[8343]: Getting user GPO list for user account
2018-04-24T14:22:59.249760-07:00 INFO authpolicyd[8343]: User policy fetch and parsing succeeded
2018-04-24T14:22:59.250606-07:00 INFO authpolicyd[8343]: All 1 calls to StoreUnsignedPolicyEx succeeded.
2018-04-24T14:22:59.264659-07:00 INFO authpolicyd[8343]: All 1 calls to StoreUnsignedPolicyEx succeeded.

Chrome OS: 10575.12.0
Chrome: 67.0.3396.16
Device: Santa
Comment 1 by ljusten@chromium.org, Feb 2 2018