Force online sign-in if policy is lost in existing managed profile |
||||
Issue descriptionWhen the locally-stored policy is lost in an existing managed profile, chrome doesn't enter a user session. - PolicyEnforcement is PolicyEnforcement::kPolicyRequired[1] - cached policy is not available - chrome tries to fetch an access token from cookies, but we don't have gaia cookies because sign-in was offline (existing profile) - we will exit (cancelling[2] the wait for a policy fetch, then calling the fatal error callback[3]). The symptoms look like this: We should force online-sign in, so we have gaia cookies the next time and the access token fetch has a chance to succeed. TODO: We may want to do this only when we actually fail on token fetch, or in the general case in the fatal error callback. [1] https://cs.chromium.org/chromium/src/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h?l=56&gs=kythe%253A%252F%252Fchromium%253Flang%253Dc%25252B%25252B%253Fpath%253Dsrc%252Fchrome%252Fbrowser%252Fchromeos%252Fpolicy%252Fuser_cloud_policy_manager_chromeos.h%2523J3TJ4FBFG5Io636%25252F1%25252Bk3tIfHq1LgwOzDZUbfE2q%25252B16c%25253D&gsn=kPolicyOptional&ct=xref_usages [2] https://cs.chromium.org/chromium/src/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc?rcl=e81fab496202e46b7f3834d418520c7750014918&l=518 [3] https://cs.chromium.org/chromium/src/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc?rcl=e81fab496202e46b7f3834d418520c7750014918&l=555
,
Apr 9 2018
Shouldn't this be a higher priority since it can prevent sign-in?
,
Apr 9 2018
Raised the priority. But currently we don't have evidence that this can affect many users - short of some yet-unknown bug, this is expected to happen in cases of filesystem corruption.
,
Apr 9 2018
Since it is hitting a very small number of people, the priority also depends on how complicated the fix is. If it is trivial (which it seems to be at first glance), we should definitely try to land this soon.
,
Apr 9 2018
,
Apr 12 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c28c8d485a6290022f1ea2849533060fe08aad73 commit c28c8d485a6290022f1ea2849533060fe08aad73 Author: Maksim Ivanov <emaxx@chromium.org> Date: Thu Apr 12 12:05:54 2018 Force online sign-in after fatal policy init error Store the online sign-in enforcement flag before terminating the browser when a fatal policy initialization error happens. This should fix the inability to sign into existing managed profiles in the case when the policy files got corrupted. In such case the user session is immediately terminated, because there's currently no mechanism to fetch the missing policy without going through an online sign-in flow. The problem was that the next sign-in attempts are likely to go through the same steps and fail again. This CL addresses this by enforcing the online authentication for the next sign-in attempt of that user. BUG=chromium:830654 TEST=Manual: delete user policy files from existing profile, try to sign in - the session should immediately terminate, then try to sign in again - the online sign-in should take place, and the session should start. Change-Id: I1ff4c555999b4063a118c751598ecb0515839b3c Reviewed-on: https://chromium-review.googlesource.com/1000867 Reviewed-by: Pavol Marko <pmarko@chromium.org> Reviewed-by: Drew Wilson <atwilson@chromium.org> Commit-Queue: Maksim Ivanov <emaxx@chromium.org> Cr-Commit-Position: refs/heads/master@{#550154} [modify] https://crrev.com/c28c8d485a6290022f1ea2849533060fe08aad73/chrome/browser/chromeos/policy/user_policy_manager_factory_chromeos.cc
,
Apr 27 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1cd2c16c0a1693ffa5fb7c918f7c8fd58bb9b7c0 commit 1cd2c16c0a1693ffa5fb7c918f7c8fd58bb9b7c0 Author: Maksim Ivanov <emaxx@chromium.org> Date: Fri Apr 27 21:45:36 2018 Add UMAs on session abort due to fatal policy error Gather statistics on the number of cases when the fatal Chrome OS user policy initialization happens, which leads to termination of the user session. BUG=chromium:830654 TEST=none Change-Id: Iae8e2455e36e3daae5663b3ff2266199bd6283dd Reviewed-on: https://chromium-review.googlesource.com/1017124 Reviewed-by: Lutz Justen <ljusten@chromium.org> Reviewed-by: Pavol Marko <pmarko@chromium.org> Reviewed-by: Jesse Doherty <jwd@chromium.org> Commit-Queue: Maksim Ivanov <emaxx@chromium.org> Cr-Commit-Position: refs/heads/master@{#554519} [modify] https://crrev.com/1cd2c16c0a1693ffa5fb7c918f7c8fd58bb9b7c0/chrome/browser/chromeos/policy/user_policy_manager_factory_chromeos.cc [modify] https://crrev.com/1cd2c16c0a1693ffa5fb7c918f7c8fd58bb9b7c0/components/policy/core/common/cloud/enterprise_metrics.cc [modify] https://crrev.com/1cd2c16c0a1693ffa5fb7c918f7c8fd58bb9b7c0/components/policy/core/common/cloud/enterprise_metrics.h [modify] https://crrev.com/1cd2c16c0a1693ffa5fb7c918f7c8fd58bb9b7c0/tools/metrics/histograms/enums.xml [modify] https://crrev.com/1cd2c16c0a1693ffa5fb7c918f7c8fd58bb9b7c0/tools/metrics/histograms/histograms.xml |
||||
►
Sign in to add a comment |
||||
Comment 1 by pmarko@chromium.org
, Apr 9 2018