
Issue metadata

Status: Verified
Closed: Dec 11
OS: Chrome
Pri: 1
Type: Bug




Issue 908342: authpolicy: Use cached GPO files

Reported by ljusten@chromium.org, Nov 26 Project Member

Issue description

Keep track of version info in GPO files and do not re-download them if the version did not change.
 

Comment 1 by bugdroid1@chromium.org, Dec 3

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/6c15618c7348f2e0d225f5f96c62943ac037a9a5

commit 6c15618c7348f2e0d225f5f96c62943ac037a9a5
Author: Lutz Justen <ljusten@chromium.org>
Date: Mon Dec 03 20:43:41 2018

authpolicy: Add GpoVersionCache

Adds a small class for caching GPO versions between Fetch*Policy calls.
The class will be used in subsequent CLs.

BUG= chromium:908342 
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: I1eb13a378885979b49ab0f11971f5ae24ee9806e
Reviewed-on: https://chromium-review.googlesource.com/1352419
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[add] https://crrev.com/6c15618c7348f2e0d225f5f96c62943ac037a9a5/authpolicy/gpo_version_cache_unittest.cc
[add] https://crrev.com/6c15618c7348f2e0d225f5f96c62943ac037a9a5/authpolicy/gpo_version_cache.h
[modify] https://crrev.com/6c15618c7348f2e0d225f5f96c62943ac037a9a5/authpolicy/BUILD.gn
[add] https://crrev.com/6c15618c7348f2e0d225f5f96c62943ac037a9a5/authpolicy/gpo_version_cache.cc

Comment 2 by bugdroid1@chromium.org, Dec 8

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26

commit 4eb9e1fc6adf07299aad87651cc4e55cbac6cf26
Author: Lutz Justen <ljusten@chromium.org>
Date: Sat Dec 08 19:23:18 2018

authpolicy: Refactor generic cross-process counter

Refactors a method to count kinit calls into a generic cross-process
counter that will be used for GPO version counting in a future CL. The
counter can't just use a static variable since invocations usually
happen from different processes, so it uses a file-based counter.

Also makes some other code more robust by checking for unexpectedly
empty file paths and cleans up unused includes.

BUG= chromium:908342 
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: I5a84252a835206301aa2a38e5902db5f70756df6
Reviewed-on: https://chromium-review.googlesource.com/1352420
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/process_executor.cc
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/stub_smbclient_main.cc
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/stub_common.h
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/stub_common.cc
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/samba_helper_unittest.cc
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/stub_kinit_main.cc
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/samba_helper.cc
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/samba_helper.h
[modify] https://crrev.com/4eb9e1fc6adf07299aad87651cc4e55cbac6cf26/authpolicy/stub_net_main.cc

Comment 3 by bugdroid1@chromium.org, Dec 8

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a

commit 6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a
Author: Lutz Justen <ljusten@chromium.org>
Date: Sat Dec 08 19:23:18 2018

authpolicy: Cache GPOs if version did not change

Reuses cached GPO files if their version did not change. The daemon
already keeps GPO files somewhere in a tmpfs-mounted /tmp folder. Note
that this will NOT cache GPO files between logins (logging out restarts
authpolicyd and hence wipes the cache).

Wipes the cache every 75 hours. Note that the number is not a multiple
of 24 hours as you don't want users to wait longer for policy fetch
every N-th day in the morning when they log in for the first time.

Right now, the cache cannot be turned off, but there will be a device
policy in the future that controls the TTL and can be used to toggle the
cache.

BUG= chromium:908342 
TEST=Log in on an Active Directory managed device:
     Open Crosh and enter 'authpolicy_debug 1'
     Open chrome://policy and reload policies a few times
     Open shell and enter 'grep "GPO Cache" /var/log/authpolicy.log'.
     Most recent logs should say "Using cached version..." and NOT
     "Downloading (not in cache)".

Change-Id: I1b8b3d85e0638ea5ad4080407f52a923c5e11c45
Reviewed-on: https://chromium-review.googlesource.com/1352421
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/stub_common.h
[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/samba_interface.cc
[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/authpolicy_parser_main.cc
[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/samba_interface.h
[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/stub_common.cc
[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/stub_net_main.cc
[modify] https://crrev.com/6a2a72bafb4a4ed5d7ff590c312e565ff9fc0d5a/authpolicy/proto/authpolicy_containers.proto

Comment 4 by ljusten@chromium.org, Dec 11

Status: Fixed (was: Assigned)

Comment 5 by bugdroid1@chromium.org, Dec 14

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d

commit 4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d
Author: Lutz Justen <ljusten@chromium.org>
Date: Fri Dec 14 13:53:43 2018

Add Active Directory cache lifetime policies

Adds policies to control the lifetime of cached Active Directory Group
Policy Objects (GPOs) and cached authentication data. Both policies will
be used in the authpolicy daemon in Chrome OS. The caches reduce server
load (prevent unnecessary GPO downloads) and improve sign-in speed.
The policies apply to Active Directory managed Chrome OS devices only.

BUG= chromium:908342 ,  chromium:912312 
TEST=Tryjobs, tested on device that policies show up in chrome://policy

Change-Id: I2f2d68fb78816aa14c950accdf31e8008f072ec8
Reviewed-on: https://chromium-review.googlesource.com/c/1374979
Reviewed-by: Thiemo Nagel <tnagel@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>
Commit-Queue: Lutz Justen <ljusten@chromium.org>
Cr-Commit-Position: refs/heads/master@{#616657}
[modify] https://crrev.com/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d/chrome/browser/chromeos/policy/device_policy_decoder_chromeos.cc
[modify] https://crrev.com/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d/components/policy/proto/chrome_device_policy.proto
[modify] https://crrev.com/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d/components/policy/resources/policy_templates.json
[modify] https://crrev.com/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d/tools/metrics/histograms/enums.xml

Comment 6 by ibezmenov@chromium.org, Dec 19

I have checked that authpolicy uses cached GPO files:

localhost / # grep "GPO Cache" /var/log/authpolicy.log 
2018-12-19T19:00:04.579021+00:00 INFO authpolicyd[4837]: GPO Cache: {31B2F340-016D-11D2-945F-00C04FB984F9}-M: Using cached version 9
2018-12-19T19:00:04.579112+00:00 INFO authpolicyd[4837]: GPO Cache: {7B4466F3-6682-4621-A9B1-CD456B1A44AB}-M: Using cached version 101
2018-12-19T19:00:08.359487+00:00 INFO authpolicyd[4837]: GPO Cache: {7B4466F3-6682-4621-A9B1-CD456B1A44AB}-U: Using cached version 120
2018-12-19T19:01:53.778837+00:00 INFO authpolicyd[4837]: GPO Cache: {31B2F340-016D-11D2-945F-00C04FB984F9}-M: Using cached version 9
2018-12-19T19:01:53.778924+00:00 INFO authpolicyd[4837]: GPO Cache: {7B4466F3-6682-4621-A9B1-CD456B1A44AB}-M: Using cached version 101
2018-12-19T19:01:58.601623+00:00 INFO authpolicyd[4837]: GPO Cache: {7B4466F3-6682-4621-A9B1-CD456B1A44AB}-U: Using cached version 120
localhost / # 

Two new policies are present in chrome://policy (see attached screenshot).

Is it good enough for verification?

Chrome OS: 11429.0.0, Chrome: 73.0.3644.0, device: Nautilus
Screenshot 2018-12-19 at 12.50.25 PM.png

Comment 7 by ljusten@google.com, Dec 21

Yes, this should be enough to verify the cache and the policies.

The policies are not wired up yet. I'll do this in a follow-up CL that we'll have to verify separately.

Comment 8 by ibezmenov@chromium.org, Dec 21

Status: Verified (was: Fixed)
Thanks, Lutz!

Comment 9 by bugdroid1@chromium.org, Jan 8

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/3560a5973a5da1e90fa71d97ffe757f04021498f

commit 3560a5973a5da1e90fa71d97ffe757f04021498f
Author: Lutz Justen <ljusten@chromium.org>
Date: Tue Jan 08 19:43:55 2019

authpolicy: Add debug flag for toggling cache logs

Adds a "log_caches" flag and uses it to toggle logs of GPOVersionCache
and AuthDataCache. Renders those cache logs in light yellow.

BUG= chromium:908342 
TEST=On DUT, enter
       echo '{"log_caches":true}'> /etc/authpolicyd_flags
     Log out and back in. Refresh policy a few times.
     /var/log/authpolicy.log should contain logs starting with
     "GPO Cache:" and "Auth Data Cache:".

Change-Id: Ide12b3b3e62ebc1cb1007533b03a9c9eb280cf7a
Reviewed-on: https://chromium-review.googlesource.com/1388488
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/auth_data_cache.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/auth_data_cache_unittest.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/log_colors.h
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/log_colors.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/gpo_version_cache.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/proto/authpolicy_containers.proto
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/gpo_version_cache_unittest.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/authpolicy_flags.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/gpo_version_cache.h
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/samba_interface.cc
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/auth_data_cache.h
[modify] https://crrev.com/3560a5973a5da1e90fa71d97ffe757f04021498f/authpolicy/authpolicy_flags_unittest.cc

Comment 10 by bugdroid1@chromium.org, Jan 9

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/c24baba4e0cf19aea5c69f2e7d97a522434296e7

commit c24baba4e0cf19aea5c69f2e7d97a522434296e7
Author: Lutz Justen <ljusten@chromium.org>
Date: Wed Jan 09 17:38:47 2019

authpolicy: Wire up cache lifetime policies

Uses the value of DeviceGpoCacheLifetime and DeviceAuthDataCacheLifetime
to set the lifetime of cache entries of the GPO version cache and the
auth data cache. If set to 0, the caches are turned off.

Also adds a small optimization to detect affiliation on the machine
domain.

BUG= chromium:908342 , chromium:912312 
TEST=Set DeviceGpoCacheLifetime and DeviceAuthDataCacheLifetime policies
     to 0 in GPO editor to turn the caches off. Verify caches are off:
     Reload policies. On device, enter
       echo '{"log_caches":true}'> /etc/authpolicyd_flags
     Reload policies a few times. Make sure the logs say
       GPO Cache: ... Downloading (not in cache)
     and not "Using cached version".
     Now log out and back in. Make sure the logs say
       Auth Data cache: No ... cached
     and not "Using cached ...".
     Repeat after setting both policies to 1 and repeat. This time, the
     opposite should happen (caches should be used). Note that logging
     out and back in clears the GPO cache.

Change-Id: I191af32c1ddef4183bcb28cd71f0c9a24d10b994
Reviewed-on: https://chromium-review.googlesource.com/1388489
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/auth_data_cache.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/auth_data_cache_unittest.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/stub_common.h
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/samba_interface.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/gpo_version_cache_unittest.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/samba_interface.h
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/samba_helper.h
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/stub_net_main.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/auth_data_cache.h
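
Added illustration, not code from the authpolicy repository: a sketch of the cache decision described in the commit messages of comments 3 and 10 (reuse a GPO file only while its version is unchanged and its cache entry is younger than the lifetime; a lifetime of 0 turns the cache off). The names VersionCacheSketch, Add, MayUseCached and Replay are hypothetical, and per-entry expiry in whole hours that is not extended by cache hits is an assumption of this sketch. The key is the GPO id from the log in comment 6; the fetch sequence is constructed.

```cpp
#include <chrono>
#include <cstdint>
#include <map>
#include <string>

// Added sketch; class and method names are hypothetical, not authpolicy's API.
using Clock = std::chrono::steady_clock;
using std::chrono::hours;
class VersionCacheSketch {
 public:
  // A lifetime of 0 turns the cache off: nothing is stored, every lookup misses.
  explicit VersionCacheSketch(hours lifetime) : lifetime_(lifetime) {}
  // Remembers the version of a file that was just downloaded.
  void Add(const std::string& key, uint32_t version, Clock::time_point now) {
    if (lifetime_ > hours(0)) entries_[key] = Entry{version, now};
  }
  // True only if the entry exists, is younger than the lifetime and matches the
  // server's version. Hits do not extend the lifetime (assumption of this sketch).
  bool MayUseCached(const std::string& key, uint32_t server_version,
                    Clock::time_point now) {
    auto it = entries_.find(key);
    if (it == entries_.end()) return false;
    const Entry& e = it->second;
    if (now - e.cached_at < lifetime_ && e.version == server_version) return true;
    entries_.erase(it);  // expired or outdated: force a fresh download
    return false;
  }
 private:
  struct Entry { uint32_t version; Clock::time_point cached_at; };
  hours lifetime_;
  std::map<std::string, Entry> entries_;
};

// Replays policy fetches for one GPO; 'C' = use cached file, 'D' = download.
std::string Replay(hours lifetime) {
  const std::string key = "{31B2F340-016D-11D2-945F-00C04FB984F9}-M";
  const struct { uint32_t version; int hour; } fetches[] = {
      {9, 0}, {9, 1}, {10, 2}, {10, 76}, {10, 77}};  // constructed sequence
  VersionCacheSketch cache(lifetime);
  std::string result;
  for (const auto& f : fetches) {
    const Clock::time_point now = Clock::time_point() + hours(f.hour);
    const bool hit = cache.MayUseCached(key, f.version, now);
    if (!hit) cache.Add(key, f.version, now);
    result += hit ? 'C' : 'D';
  }
  return result;
}

int main() { return Replay(hours(75)) == "DCDCD" ? 0 : 1; }
```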
