Change session handling

Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form-based auth and pass back a
valid session cookie.
And now that we do not remove ccache files to move them to the
memcache, we can avoid the risk of polluting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Simo Sorce
2016-08-19 09:23:55 -04:00
committed by Jan Cholasta
parent 11ef2cacbf
commit c894ebefc5
25 changed files with 172 additions and 1572 deletions


@@ -32,7 +32,7 @@ from ipalib.util import (
import ipaclient.install.ntpconf
from ipaserver.install import (
bindinstance, ca, cainstance, certs, dns, dsinstance,
httpinstance, installutils, kra, krbinstance, memcacheinstance,
httpinstance, installutils, kra, krbinstance,
ntpinstance, otpdinstance, custodiainstance, replication, service,
sysupgrade)
from ipaserver.install.installutils import (
@@ -804,10 +804,6 @@ def install(installer):
# generated
ds.add_cert_to_service()
memcache = memcacheinstance.MemcacheInstance()
memcache.create_instance('MEMCACHE', host_name,
ipautil.realm_to_suffix(realm_name))
otpd = otpdinstance.OtpdInstance()
otpd.create_instance('OTPD', host_name,
ipautil.realm_to_suffix(realm_name))
@@ -1052,7 +1048,6 @@ def uninstall(installer):
if _server_trust_ad_installed:
adtrustinstance.ADTRUSTInstance(fstore).uninstall()
custodiainstance.CustodiaInstance().uninstall()
memcacheinstance.MemcacheInstance().uninstall()
otpdinstance.OtpdInstance().uninstall()
tasks.restore_hostname(fstore, sstore)
fstore.restore_all_files()


@@ -37,7 +37,7 @@ from ipalib.util import (
from ipaclient.install.client import configure_krb5_conf, purge_host_keytab
from ipaserver.install import (
bindinstance, ca, certs, dns, dsinstance, httpinstance,
installutils, kra, krbinstance, memcacheinstance,
installutils, kra, krbinstance,
ntpinstance, otpdinstance, custodiainstance, service)
from ipaserver.install.installutils import (
create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured)
@@ -163,9 +163,6 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file,
pkcs12_info = make_pkcs12_info(config.dir, "httpcert.p12",
"http_pin.txt")
memcache = memcacheinstance.MemcacheInstance()
memcache.create_instance('MEMCACHE', config.host_name,
ipautil.realm_to_suffix(config.realm_name))
http = httpinstance.HTTPInstance()
http.create_instance(


@@ -34,7 +34,6 @@ from ipaplatform.paths import paths
from ipaserver.install import installutils
from ipaserver.install import dsinstance
from ipaserver.install import httpinstance
from ipaserver.install import memcacheinstance
from ipaserver.install import ntpinstance
from ipaserver.install import bindinstance
from ipaserver.install import service
@@ -74,6 +73,21 @@ def uninstall_ipa_kpasswd():
if enabled is not None and not enabled:
ipa_kpasswd.remove()
def uninstall_ipa_memcached():
"""
We can't use the full service uninstaller because that will attempt
to stop and disable the service which by now doesn't exist. We just
want to clean up sysrestore.state to remove all references to
ipa_kpasswd.
"""
ipa_memcached = service.SimpleServiceInstance('ipa_memcached')
enabled = not ipa_memcached.restore_state("enabled")
if enabled is not None and not enabled:
ipa_memcached.remove()
def backup_file(filename, ext):
"""Make a backup of filename using ext as the extension. Do not overwrite
previous backups."""
@@ -1570,6 +1584,7 @@ def upgrade_configuration():
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
uninstall_ipa_memcached()
removed_sysconfig_file = paths.SYSCONFIG_HTTPD
if fstore.has_file(removed_sysconfig_file):
@@ -1620,7 +1635,6 @@ def upgrade_configuration():
uninstall_dogtag_9(ds, http)
simple_service_list = (
(memcacheinstance.MemcacheInstance(), 'MEMCACHE'),
(otpdinstance.OtpdInstance(), 'OTPD'),
)
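Review bot: The docstring of the added `uninstall_ipa_memcached()` (second hunk of this file) still says the goal is to remove all references to `ipa_kpasswd`, apparently carried over from the function above it; it should name `ipa_memcached`. In the same function, `enabled = not ipa_memcached.restore_state("enabled")` always produces a bool, so the `enabled is not None` test on the next line can never fail, and the name `enabled` holds the inverse of the restored value. As written, `remove()` runs only when the restored state is truthy; if that is the intent, `if ipa_memcached.restore_state("enabled"):` says it directly. If instead a missing state entry was meant to be distinguished from a stored value, the `not` has to go and the condition should be checked against `uninstall_ipa_kpasswd()`, whose assignment lies outside this hunk.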