
Issue 813585


Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Task




Add PRESUBMIT to check warning about dynamic_refresh=False, (per_profile=False), device_only=False policies supported on Chrome OS

Project Member Reported by pmarko@chromium.org, Feb 19 2018

Issue description

Such policies most probably don't work correctly, because when the user session is entered on Chrome OS, the process is usually not restarted (instead, the chrome process that was displaying the sign-in screen gets another profile).

As these policies are probably implemented by querying things on chrome process start, they can't apply for user sessions started like this.

This caused bug 800117.
 

Comment 1 Deleted

Comment 2 by pmarko@chromium.org, Feb 20 2018

Summary: Add PRESUBMIT to check warning about dynamic_refresh=False, (per_profile=False), device_only=False policies supported on Chrome OS (was: Add PRESUBMIT to check warning about dynamic_refresh=False, per_profile=False, device_only=True policies)

Comment 3 by pmarko@chromium.org, Feb 20 2018

Description: Show this description

Comment 4 by pmarko@chromium.org, Feb 20 2018

Cc: ljusten@chromium.org
List of policies that currently live in policy_templates.json with this combination of flags.

== Policies that WAI ==
(I remember the reasons they have this combination of flags)
- QuicAllowed
  dynamic_refresh: False
    This policy only accepts dynamic changes from true -> false.
  per_profile: False
    The value set for the primary profile will be used for all profiles.
- EcryptfsMigrationStrategy
  dynamic_refresh: False
    This policy is only (and explicitly) evaluated on primary user sign-in.
  per_profile: False
    This policy is only evaluated when mounting the primary user's user home.

== Policies that were indeed buggy ==
- IsolateOrigins
- SitePerProcess

== Policies I'm unsure about - tbd ==
- WPADQuickCheckEnabled
- Http09OnNonDefaultPortsEnabled
- SuppressUnsupportedOSWarning
- PacHttpsUrlStrippingEnabled
- ComponentUpdatesEnabled

== AD-specific policies I'm unsure about - tbd ==
(=policies that also have 'supported_chrome_os_management': ['active_directory'])
- AuthSchemes
- DisableAuthNegotiateCnameLookup
- EnableAuthNegotiatePort
- AuthServerWhitelist
- AuthNegotiateDelegateWhitelist
- AuthNegotiateDelegateWhitelist
Looked over the code for 5 minutes. I believe AuthSchemes might only be read once in the constructor of IoThread, so it's too early. The others seem to be used by the negotiate handler, which might only be created on demand, so they might be fine (see HttpAuthPreferences, HttpAuthHandlerNegotiate).

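A sketch of the check this issue asks for, as an added example that is not Chromium's PRESUBMIT code and not part of the thread. The entry layout (flags under `features`, a top-level `device_only`, `supported_on` strings such as `chrome_os:63-`), the treatment of a missing flag as False, and the sample entries are assumptions; the two allowlisted names are the policies Comment 4 lists as working as intended.

```python
# Added example: flag policies supported on Chrome OS that are not
# dynamically refreshable, not per-profile and not device-only.

# Policies the thread reviewed and considers correct with this combination.
REVIEWED_OK = {"QuicAllowed", "EcryptfsMigrationStrategy"}


def supported_on_chrome_os(policy):
    # Assumed format: "<platform>:<version range>", e.g. "chrome_os:63-".
    return any(entry.split(":")[0] == "chrome_os"
               for entry in policy.get("supported_on", []))


def is_suspicious(policy):
    """True if the policy has the flag combination described in the issue."""
    features = policy.get("features", {})
    return (supported_on_chrome_os(policy)
            and not features.get("dynamic_refresh", False)  # missing = False (assumed)
            and not features.get("per_profile", False)
            and not policy.get("device_only", False))


def find_flagged_policies(policy_definitions, reviewed_ok=REVIEWED_OK):
    """Return sorted names of policies a presubmit warning should mention."""
    flagged = set()
    for policy in policy_definitions:
        name = policy.get("name")
        if name and name not in reviewed_ok and is_suspicious(policy):
            flagged.add(name)
    return sorted(flagged)


def _entry(name, platforms, dynamic_refresh, per_profile, device_only):
    # Helper that builds a constructed sample entry in the assumed layout.
    return {"name": name, "supported_on": platforms, "device_only": device_only,
            "features": {"dynamic_refresh": dynamic_refresh,
                         "per_profile": per_profile}}


# Constructed sample data; versions and flag values are illustrative only.
SAMPLE_DEFINITIONS = [
    _entry("SitePerProcess", ["chrome_os:63-", "chrome.*:63-"], False, False, False),
    _entry("QuicAllowed", ["chrome_os:63-"], False, False, False),
    _entry("HypotheticalDynamicPolicy", ["chrome_os:63-"], True, False, False),
    _entry("HypotheticalPerProfilePolicy", ["chrome_os:63-"], False, True, False),
    _entry("HypotheticalDevicePolicy", ["chrome_os:63-"], False, False, True),
    _entry("HypotheticalDesktopOnlyPolicy", ["chrome.win:63-"], False, False, False),
]

if __name__ == "__main__":
    for policy_name in find_flagged_policies(SAMPLE_DEFINITIONS):
        print("WARNING: %s may not apply to Chrome OS user sessions" % policy_name)
```

Keeping the reviewed exceptions in an explicit allowlist means a newly added policy with this combination produces a warning until someone records why it is correct.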