User affiliation is not correctly determined on chrome restart |
|||||||||
Issue descriptionIt seems that after a chrome restart, the system token is not available to affiliated users. (We're currently doing restarts more often due to the SiteForProcess/IsolateOrigins policies.) The IsAffiliated() check in profile_io_data.cc[1] seems to return false. The usual way for IsAffiliated() to be initialized is: - UserCloudPolicyStoreChromeOS finishes loading and calls its observers' OnStoreLoaded function. - One of those is UserCloudPolicyManagerChromeOS::OnStoreLoaded. It calls ChromeUserManager::SetUserAffiliation[2]. <This is not confirmed information> Note: I *think* this is *not* related to https://chromium-review.googlesource.com/c/chromium/src/+/719838 . It seems that in the restart case, we load the store synchronously before instantiating the UserCloudPolicyManagerChromeOS [3], so the observer does not get called and the affiliation check does not get called. UserCloudPolicyManagerChromeOS still publishes policy (in its ctor) through a special branch[4]. </This is not confirmed information> [1] https://cs.chromium.org/chromium/src/chrome/browser/profiles/profile_io_data.cc?rcl=1d9beb96d2862cba33cecd848753e6d7f4cbc641&l=500 [2] https://cs.chromium.org/chromium/src/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc?rcl=3d739276a42a3288fec6c6a08d2c63fa96311f73&l=393 [3] https://cs.chromium.org/chromium/src/chrome/browser/chromeos/policy/user_policy_manager_factory_chromeos.cc?rcl=a09578fc46a7a76bac748499356baaa8fb412587&l=352 [4] https://cs.chromium.org/chromium/src/components/policy/core/common/cloud/cloud_policy_manager.cc?rcl=4653fb7432bff1ed03d6ec7cf207dcb4e20c43ad&l=51
,
Feb 7 2018
Also feels like we should have a CHECK/DCHECK() if we ever have user policy without an affiliation ID, but not sure where the right place is to check that.
,
Feb 8 2018
,
Feb 16 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7983fe99488b53b800dbd1434e261590a70c3cbe commit 7983fe99488b53b800dbd1434e261590a70c3cbe Author: Pavol Marko <pmarko@chromium.org> Date: Fri Feb 16 09:39:24 2018 Properly determine user affiliation on synchronous profile load When a synchronous profile load is happening (e.g. after chrome restart on Chrome OS), make sure to invoke UserCloudPolicyManagerChromeOS's OnStoreLoaded handling. This is also the place where user affilitaion is determined. BUG= 810013 TEST=browser_tests --gtest_filter=*UserAffiliation* Change-Id: Ib4a4b1ad3e61eba637f527dfa89cb5cd1fd2159b Reviewed-on: https://chromium-review.googlesource.com/908565 Reviewed-by: Sergey Poromov <poromov@chromium.org> Reviewed-by: Drew Wilson <atwilson@chromium.org> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Commit-Queue: Pavol Marko <pmarko@chromium.org> Cr-Commit-Position: refs/heads/master@{#537267} [modify] https://crrev.com/7983fe99488b53b800dbd1434e261590a70c3cbe/chrome/browser/chromeos/policy/user_affiliation_browsertest.cc [modify] https://crrev.com/7983fe99488b53b800dbd1434e261590a70c3cbe/components/policy/core/common/cloud/cloud_policy_manager.cc
,
Feb 19 2018
I don't think we need a merge unless someone complains. WDYT?
,
Mar 14 2018
Update: This may be contributing to people losing access to ARC++ when the UnaffiliatedArcAllowed policy is set to true. The fix CL above landed in 66.0.3350.0.
,
Mar 14 2018
Correction for Comment #6: when the UnaffiliatedArcAllowed policy is set to *false*.
,
Mar 14 2018
+dskaram +bhthompson This is probably causing issues on Chrome OS when - Site isolaton policies are enabled (causing a chrome restart to apply them) - UnaffiliatedArcAllowed policy is set to false. The result is that users lose access to the ARC. Is merging to M-65 (which will be on stable for a while) still an option? The CL above is rather small, has not caused any issues on dev since it landed and has broad browsertest coverage. Thanks!
,
Mar 14 2018
Adding official merge request.
,
Mar 14 2018
,
Mar 14 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/835b3e92d3b5a834daa0df2765f6374937cd1b95 commit 835b3e92d3b5a834daa0df2765f6374937cd1b95 Author: Pavol Marko <pmarko@chromium.org> Date: Wed Mar 14 21:47:24 2018 [Merge to M65] Properly determine user affiliation on synchronous profile load When a synchronous profile load is happening (e.g. after chrome restart on Chrome OS), make sure to invoke UserCloudPolicyManagerChromeOS's OnStoreLoaded handling. This is also the place where user affilitaion is determined. BUG= 810013 TEST=browser_tests --gtest_filter=*UserAffiliation* TBR=pmarko@chromium.org (cherry picked from commit 7983fe99488b53b800dbd1434e261590a70c3cbe) Change-Id: Ib4a4b1ad3e61eba637f527dfa89cb5cd1fd2159b Reviewed-on: https://chromium-review.googlesource.com/908565 Reviewed-by: Sergey Poromov <poromov@chromium.org> Reviewed-by: Drew Wilson <atwilson@chromium.org> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Commit-Queue: Pavol Marko <pmarko@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#537267} Reviewed-on: https://chromium-review.googlesource.com/963421 Reviewed-by: Pavol Marko <pmarko@chromium.org> Cr-Commit-Position: refs/branch-heads/3325@{#705} Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} [modify] https://crrev.com/835b3e92d3b5a834daa0df2765f6374937cd1b95/chrome/browser/chromeos/policy/user_affiliation_browsertest.cc [modify] https://crrev.com/835b3e92d3b5a834daa0df2765f6374937cd1b95/components/policy/core/common/cloud/cloud_policy_manager.cc
,
Mar 15 2018
The above merge has reached 65.0.3325.167.
,
Mar 15 2018
,
Mar 19 2018
Verified on build 65.0.3325.169 that the fix works correctly with the UnaffiliatedArcAllowed policy. (While I haven't performed the verification on 65.0.3325.167, it should work there regardless)
,
Mar 19 2018
Verified that the issue reproduces on M-64, but does not reproduce on M-65 after the fix landed: https://docs.google.com/spreadsheets/d/135vF0P5Vqnr6Wye1LNRpKes3QiEnPZG-OU0xT-SMGt0/edit#gid=0 |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by atwilson@chromium.org
, Feb 7 2018