Issue metadata

Status: Fixed
Owner:
Closed: Jan 14
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug




Issue 912312: authpolicy: Cache authentication data

Reported by ljusten@google.com, Dec 5 Project Member

Issue description

Comment 1 by bugdroid1@chromium.org, Dec 14

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d

commit 4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d
Author: Lutz Justen <ljusten@chromium.org>
Date: Fri Dec 14 13:53:43 2018

Add Active Directory cache lifetime policies

Adds policies to control the lifetime of cached Active Directory Group
Policy Objects (GPOs) and cached authentication data. Both policies will
be used in the authpolicy daemon in Chrome OS. The caches reduce server
load (prevent unnecessary GPO downloads) and improve sign-in speed.
The policies apply to Active Directory managed Chrome OS devices only.

BUG=chromium:908342, chromium:912312
TEST=Tryjobs, tested on device that policies show up in chrome://policy

Change-Id: I2f2d68fb78816aa14c950accdf31e8008f072ec8
Reviewed-on: https://chromium-review.googlesource.com/c/1374979
Reviewed-by: Thiemo Nagel <tnagel@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>
Commit-Queue: Lutz Justen <ljusten@chromium.org>
Cr-Commit-Position: refs/heads/master@{#616657}
[modify] https://crrev.com/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d/chrome/browser/chromeos/policy/device_policy_decoder_chromeos.cc
[modify] https://crrev.com/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d/components/policy/proto/chrome_device_policy.proto
[modify] https://crrev.com/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d/components/policy/resources/policy_templates.json
[modify] https://crrev.com/4c1e11e8ebdd1d3dc87a50c59f1e9e162a2cf54d/tools/metrics/histograms/enums.xml

Comment 2 by bugdroid1@chromium.org, Dec 20

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/44c3e7045eb7e3e3d479ab64ab78e0fc46aea8dd

commit 44c3e7045eb7e3e3d479ab64ab78e0fc46aea8dd
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Dec 20 18:03:50 2018

authpolicy: Add AuthDataCache

Adds a small class for caching authentication data between authpolicyd
runs (i.e. across user logout and login). The class will be used in
subsequent CLs.

BUG=chromium:912312
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: I16074a653245d1ba11362512ef766d811d3287d4
Reviewed-on: https://chromium-review.googlesource.com/1365331
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[add] https://crrev.com/44c3e7045eb7e3e3d479ab64ab78e0fc46aea8dd/authpolicy/auth_data_cache.cc
[add] https://crrev.com/44c3e7045eb7e3e3d479ab64ab78e0fc46aea8dd/authpolicy/auth_data_cache_unittest.cc
[modify] https://crrev.com/44c3e7045eb7e3e3d479ab64ab78e0fc46aea8dd/authpolicy/BUILD.gn
[modify] https://crrev.com/44c3e7045eb7e3e3d479ab64ab78e0fc46aea8dd/authpolicy/samba_interface.cc
[modify] https://crrev.com/44c3e7045eb7e3e3d479ab64ab78e0fc46aea8dd/authpolicy/tgt_manager.cc
[modify] https://crrev.com/44c3e7045eb7e3e3d479ab64ab78e0fc46aea8dd/authpolicy/proto/authpolicy_containers.proto
[modify] https://crrev.com/44c3e7045eb7e3e3d479ab64ab78e0fc46aea8dd/authpolicy/gpo_version_cache_unittest.cc
[modify] https://crrev.com/44c3e7045eb7e3e3d479ab64ab78e0fc46aea8dd/authpolicy/authpolicy.cc
[add] https://crrev.com/44c3e7045eb7e3e3d479ab64ab78e0fc46aea8dd/authpolicy/auth_data_cache.h

Comment 3 by bugdroid1@chromium.org, Jan 3

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/dce46ea72278f6e3ccae3634020e41169ad111aa

commit dce46ea72278f6e3ccae3634020e41169ad111aa
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Jan 03 02:14:06 2019

authpolicy: Cache authentication data

Keeps a map realm -> (workgroup, KDC IP, DC name, is_affiliated) that is
persisted in /run, so that it survives authpolicyd restarts. The map is
used to speed up calls to AuthenticateUser. It gets rid of net ads
workgroup/info/lookup/search calls. Right now, the cache can only be
wiped on reboot (or if /run/authpolicyd/auth_data is deleted).

Only caches data for affiliated realms for privacy reasons.

The change in stub_kinit_main was necessary for
AuthPolicyTest.AuthDataCacheWorksForWorkgroupAndKdcIp. For fetching
policy, HasMachinePrincipal() tested for <machine_name>$@|kUserRealm|,
but this test authenticates with <machine_name>$@|kMachineRealm|.

BUG=chromium:912312
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: I09bf0c0923d0cac21169034d661bb9202e87ea6b
Reviewed-on: https://chromium-review.googlesource.com/1366555
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/dce46ea72278f6e3ccae3634020e41169ad111aa/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/dce46ea72278f6e3ccae3634020e41169ad111aa/authpolicy/samba_interface.cc
[modify] https://crrev.com/dce46ea72278f6e3ccae3634020e41169ad111aa/authpolicy/samba_interface.h
[modify] https://crrev.com/dce46ea72278f6e3ccae3634020e41169ad111aa/authpolicy/stub_kinit_main.cc
[modify] https://crrev.com/dce46ea72278f6e3ccae3634020e41169ad111aa/authpolicy/path_service.cc
[modify] https://crrev.com/dce46ea72278f6e3ccae3634020e41169ad111aa/authpolicy/path_service.h
[modify] https://crrev.com/dce46ea72278f6e3ccae3634020e41169ad111aa/authpolicy/etc/init/authpolicyd.conf

Comment 4 by ljusten@chromium.org, Jan 9

Status: Started (was: Assigned)

Comment 5 by bugdroid1@chromium.org, Jan 9

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/c24baba4e0cf19aea5c69f2e7d97a522434296e7

commit c24baba4e0cf19aea5c69f2e7d97a522434296e7
Author: Lutz Justen <ljusten@chromium.org>
Date: Wed Jan 09 17:38:47 2019

authpolicy: Wire up cache lifetime policies

Uses the value of DeviceGpoCacheLifetime and DeviceAuthDataCacheLifetime
to set the lifetime of cache entries of the GPO version cache and the
auth data cache. If set to 0, the caches are turned off.

Also adds a small optimization to detect affiliation on the machine
domain.

BUG=chromium:908342, chromium:912312
TEST=Set DeviceGpoCacheLifetime and DeviceAuthDataCacheLifetime policies
     to 0 in GPO editor to turn the caches off. Verify caches are off:
     Reload policies. On device, enter
       echo '{"log_caches":true}'> /etc/authpolicyd_flags
     Reload policies a few times. Make sure the logs say
       GPO Cache: ... Downloading (not in cache)
     and not "Using cached version".
     Now log out and back in. Make sure the logs say
       Auth Data cache: No ... cached
     and not "Using cached ...".
     Repeat after setting both policies to 1 and repeat. This time, the
     opposite should happen (caches should be used). Note that logging
     out and back in clears the GPO cache.

Change-Id: I191af32c1ddef4183bcb28cd71f0c9a24d10b994
Reviewed-on: https://chromium-review.googlesource.com/1388489
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/auth_data_cache.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/auth_data_cache_unittest.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/stub_common.h
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/samba_interface.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/gpo_version_cache_unittest.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/samba_interface.h
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/samba_helper.h
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/stub_net_main.cc
[modify] https://crrev.com/c24baba4e0cf19aea5c69f2e7d97a522434296e7/authpolicy/auth_data_cache.h
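
A minimal sketch of the cache semantics the commit messages above describe: entries keyed by realm, only affiliated realms stored, and a lifetime of 0 turning the cache off. This is an added example, not the authpolicy code; the class and method names and the use of seconds for the lifetime are assumptions, and persistence to /run is left out.

```cpp
#include <chrono>
#include <cstddef>
#include <map>
#include <string>
#include <utility>

// Hypothetical names throughout; this is not the authpolicy AuthDataCache API.
using Clock = std::chrono::steady_clock;

struct RealmData {
  std::string workgroup, kdc_ip, dc_name;
  bool is_affiliated = false;
  Clock::time_point cached_at{};  // Set by the cache on insertion.
};

class RealmAuthCache {
 public:
  // A lifetime of 0 means the cache is off (unit of seconds is an assumption).
  explicit RealmAuthCache(std::chrono::seconds lifetime) : lifetime_(lifetime) {}

  // Stores |data| for |realm|. Returns false without storing anything if the
  // cache is off or the realm is not affiliated (the privacy rule).
  bool Put(const std::string& realm, RealmData data, Clock::time_point now) {
    if (lifetime_.count() == 0 || !data.is_affiliated) return false;
    data.cached_at = now;
    entries_[realm] = std::move(data);
    return true;
  }

  // Copies a fresh entry into |out|. Expired entries are erased, so stale
  // KDC or DC data is never handed back to the caller.
  bool Get(const std::string& realm, Clock::time_point now, RealmData* out) {
    auto it = entries_.find(realm);
    if (it == entries_.end()) return false;
    if (lifetime_.count() == 0 || now - it->second.cached_at >= lifetime_) {
      entries_.erase(it);
      return false;
    }
    *out = it->second;
    return true;
  }

  // Applies a new policy value; switching the cache off drops all entries.
  void SetLifetime(std::chrono::seconds lifetime) {
    lifetime_ = lifetime;
    if (lifetime_.count() == 0) entries_.clear();
  }
  std::size_t size() const { return entries_.size(); }

 private:
  std::chrono::seconds lifetime_;
  std::map<std::string, RealmData> entries_;
};
```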

Comment 6 by ljusten@chromium.org, Jan 14

Status: Fixed (was: Started)
