authpolicy: Use cached GPO files
Issue description

Keep track of version info in GPO files and do not re-download them if the version did not change.
Dec 8

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26

commit 4eb9e1fc6adf07299aad87651cc4e55cbac6cf26
Author: Lutz Justen <ljusten@chromium.org>
Date: Sat Dec 08 19:23:18 2018

authpolicy: Refactor generic cross-process counter

Refactors a method to count kinit calls into a generic cross-process counter that will be used for GPO version counting in a future CL. The counter can't just use a static variable since invocations usually happen from different processes, so it uses a file-based counter. Also makes some other code more robust by checking for unexpectedly empty file paths and cleans up unused includes.

BUG=chromium:908342
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: I5a84252a835206301aa2a38e5902db5f70756df6
Reviewed-on: https://chromium-review.googlesource.com/1352420
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/process_executor.cc
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/stub_smbclient_main.cc
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/stub_common.h
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/stub_common.cc
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/samba_helper_unittest.cc
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/stub_kinit_main.cc
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/samba_helper.cc
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/samba_helper.h
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/stub_net_main.cc
Dec 8

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a

commit 6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a
Author: Lutz Justen <ljusten@chromium.org>
Date: Sat Dec 08 19:23:18 2018

authpolicy: Cache GPOs if version did not change

Reuses cached GPO files if their version did not change. The daemon already keeps GPO files somewhere in a tmpfs-mounted /tmp folder. Note that this will NOT cache GPO files between logins (logging out restarts authpolicyd and hence wipes the cache).

Wipes the cache every 75 hours. Note that the number is not a multiple of 24 hours as you don't want users to wait longer for policy fetch every N-th day in the morning when they log in for the first time. Right now, the cache cannot be turned off, but there will be a device policy in the future that controls the TTL and can be used to toggle the cache.

BUG=chromium:908342
TEST=Log in on an Active Directory managed device:
     Open Crosh and enter 'authpolicy_debug 1'
     Open chrome://policy and reload policies a few times
     Open shell and enter 'grep "GPO Cache" /var/log/authpolicy.log'.
     Most recent logs should say "Using cached version..." and NOT "Downloading (not in cache)".

Change-Id: I1b8b3d85e0638ea5ad4080407f52a923c5e11c45
Reviewed-on: https://chromium-review.googlesource.com/1352421
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/stub_common.h
[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/samba_interface.cc
[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/authpolicy_parser_main.cc
[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/samba_interface.h
[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/stub_common.cc
[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/stub_net_main.cc
[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/proto/authpolicy_containers.proto
Dec 11

Dec 14

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d

commit 4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d
Author: Lutz Justen <ljusten@chromium.org>
Date: Fri Dec 14 13:53:43 2018

Add Active Directory cache lifetime policies

Adds policies to control the lifetime of cached Active Directory Group Policy Objects (GPOs) and cached authentication data. Both policies will be used in the authpolicy daemon in Chrome OS. The caches reduce server load (prevent unnecessary GPO downloads) and improve sign-in speed. The policies apply to Active Directory managed Chrome OS devices only.

BUG=chromium:908342, chromium:912312
TEST=Tryjobs, tested on device that policies show up in chrome://policy

Change-Id: I2f2d68fb78816aa14c950accdf31e8008f072ec8
Reviewed-on: https://chromium-review.googlesource.com/c/1374979
Reviewed-by: Thiemo Nagel <tnagel@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>
Commit-Queue: Lutz Justen <ljusten@chromium.org>
Cr-Commit-Position: refs/heads/master@{#616657}

[modify] https://crrev.com/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d/chrome/browser/chromeos/policy/device_policy_decoder_chromeos.cc
[modify] https://crrev.com/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d/components/policy/proto/chrome_device_policy.proto
[modify] https://crrev.com/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d/components/policy/resources/policy_templates.json
[modify] https://crrev.com/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d/tools/metrics/histograms/enums.xml
Dec 19
I have checked that authpolicy uses cached GPO files:
localhost / # grep "GPO Cache" /var/log/authpolicy.log
2018-12-19T19:00:04.579021+00:00 INFO authpolicyd[4837]: GPO Cache: {31B2F340-016D-11D2-945F-00C04FB984F9}-M: Using cached version 9
2018-12-19T19:00:04.579112+00:00 INFO authpolicyd[4837]: GPO Cache: {7B4466F3-6682-4621-A9B1-CD456B1A44AB}-M: Using cached version 101
2018-12-19T19:00:08.359487+00:00 INFO authpolicyd[4837]: GPO Cache: {7B4466F3-6682-4621-A9B1-CD456B1A44AB}-U: Using cached version 120
2018-12-19T19:01:53.778837+00:00 INFO authpolicyd[4837]: GPO Cache: {31B2F340-016D-11D2-945F-00C04FB984F9}-M: Using cached version 9
2018-12-19T19:01:53.778924+00:00 INFO authpolicyd[4837]: GPO Cache: {7B4466F3-6682-4621-A9B1-CD456B1A44AB}-M: Using cached version 101
2018-12-19T19:01:58.601623+00:00 INFO authpolicyd[4837]: GPO Cache: {7B4466F3-6682-4621-A9B1-CD456B1A44AB}-U: Using cached version 120
localhost / #
Two new policies are present in chrome://policy (see attached screenshot).
Is it good enough for verification?
Chrome OS: 11429.0.0, Chrome: 73.0.3644.0, device: Nautilus
Dec 21
Yes, this should be enough to verify the cache and the policies. The policies are not wired up yet. I'll do this in a follow-up CL that we'll have to verify separately.
Dec 21
Thanks, Lutz!
Jan 8

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/3560a5973a5da1e90fa71d97ffe757f04021498f

commit 3560a5973a5da1e90fa71d97ffe757f04021498f
Author: Lutz Justen <ljusten@chromium.org>
Date: Tue Jan 08 19:43:55 2019

authpolicy: Add debug flag for toggling cache logs

Adds a "log_caches" flag and uses it to toggle logs of GPOVersionCache and AuthDataCache. Renders those cache logs in light yellow.

BUG=chromium:908342
TEST=On DUT, enter
       echo '{"log_caches":true}'> /etc/authpolicyd_flags
     Log out and back in. Refresh policy a few times.
     /var/log/authpolicy.log should contain logs starting with "GPO Cache:" and "Auth Data Cache:".

Change-Id: Ide12b3b3e62ebc1cb1007533b03a9c9eb280cf7a
Reviewed-on: https://chromium-review.googlesource.com/1388488
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/auth_data_cache.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/auth_data_cache_unittest.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/log_colors.h
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/log_colors.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/gpo_version_cache.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/proto/authpolicy_containers.proto
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/gpo_version_cache_unittest.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/authpolicy_flags.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/gpo_version_cache.h
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/samba_interface.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/auth_data_cache.h
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/authpolicy_flags_unittest.cc
Jan 9

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/c24baba4e0cf19aea5c69f2e7d97a522434296e7

commit c24baba4e0cf19aea5c69f2e7d97a522434296e7
Author: Lutz Justen <ljusten@chromium.org>
Date: Wed Jan 09 17:38:47 2019

authpolicy: Wire up cache lifetime policies

Uses the value of DeviceGpoCacheLifetime and DeviceAuthDataCacheLifetime to set the lifetime of cache entries of the GPO version cache and the auth data cache. If set to 0, the caches are turned off. Also adds a small optimization to detect affiliation on the machine domain.

BUG=chromium:908342, chromium:912312
TEST=Set DeviceGpoCacheLifetime and DeviceAuthDataCacheLifetime policies to 0 in GPO editor to turn the caches off.
     Verify caches are off: Reload policies. On device, enter
       echo '{"log_caches":true}'> /etc/authpolicyd_flags
     Reload policies a few times. Make sure the logs say
       GPO Cache: ... Downloading (not in cache)
     and not "Using cached version".
     Now log out and back in. Make sure the logs say
       Auth Data cache: No ... cached
     and not "Using cached ...".
     Repeat after setting both policies to 1 and repeat. This time, the opposite should happen (caches should be used). Note that logging out and back in clears the GPO cache.

Change-Id: I191af32c1ddef4183bcb28cd71f0c9a24d10b994
Reviewed-on: https://chromium-review.googlesource.com/1388489
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/auth_data_cache.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/auth_data_cache_unittest.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/stub_common.h
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/samba_interface.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/gpo_version_cache_unittest.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/samba_interface.h
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/samba_helper.h
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/stub_net_main.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/auth_data_cache.h
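
Added example, not part of the thread or of authpolicy: a shell check for the TEST steps in the commit messages above, which summarises the "GPO Cache:" lines per GPO and tests them against the expected cache state ("off" for a lifetime policy of 0, "on" otherwise). The cached-hit lines follow the shape quoted in the Dec 19 comment; the function names and the exact form of the "Downloading (not in cache)" line are assumptions, and the input is assumed to carry no colour escape codes.

```shell
#!/bin/sh
# Constructed sample: two hits in the shape quoted in the thread, plus an
# assumed form of the "Downloading (not in cache)" line.
sample_log() {
  cat <<'EOF'
2018-12-19T19:00:01.000000+00:00 INFO authpolicyd[4837]: GPO Cache: {31B2F340-016D-11D2-945F-00C04FB984F9}-M: Downloading (not in cache)
2018-12-19T19:00:04.579021+00:00 INFO authpolicyd[4837]: GPO Cache: {31B2F340-016D-11D2-945F-00C04FB984F9}-M: Using cached version 9
2018-12-19T19:00:04.579112+00:00 INFO authpolicyd[4837]: GPO Cache: {7B4466F3-6682-4621-A9B1-CD456B1A44AB}-M: Using cached version 101
EOF
}

# Reads log lines on stdin; prints one sorted line per GPO key:
#   <key> cached=<hits> downloaded=<fetches> last=<cached|downloaded>
gpo_cache_summary() {
  awk '
    /GPO Cache: / {
      sub(/^.*GPO Cache: /, "")            # leaves "<key>: <message>"
      split_at = index($0, ": ")
      if (split_at == 0) next
      key = substr($0, 1, split_at - 1)
      msg = substr($0, split_at + 2)
      if (index(msg, "Using cached version ") == 1) {
        hit[key]++; last[key] = "cached"; seen[key] = 1
      } else if (index(msg, "Downloading (not in cache)") == 1) {
        miss[key]++; last[key] = "downloaded"; seen[key] = 1
      }
    }
    END {
      for (k in seen)
        printf "%s cached=%d downloaded=%d last=%s\n", k, hit[k], miss[k], last[k]
    }
  ' | sort
}

# gpo_cache_check on|off < log
#   off: no GPO may ever be served from the cache
#   on:  the most recent event for every GPO must be a cache hit
# Fails when no cache lines are present at all (e.g. cache logging disabled).
gpo_cache_check() {
  gpo_cache_summary | awk -v want="$1" '
    { n++ }
    want == "off" && $2 != "cached=0"    { bad++ }
    want == "on"  && $4 != "last=cached" { bad++ }
    END { if (n == 0 || bad > 0) exit 1 }
  '
}

sample_log | gpo_cache_summary
```

On a device the same check reads the real log, for example `gpo_cache_check off < /var/log/authpolicy.log` after setting the lifetime policy to 0 and reloading policies.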
Comment 1 by bugdroid1@chromium.org, Dec 3