Re: Note about auth refcounting state / ntlm in trunk

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 16 Aug 2010 01:43:40 +0000

On Mon, 16 Aug 2010 02:51:33 +0200, Henrik Nordström
<henrik_at_henriknordstrom.net> wrote:
> Sun 2010-08-15 at 23:26 +0000, Amos Jeffries wrote:
>
>> > - Fails if external acls is used (any, not just with grace=.. as in
>> > 3.1)
>>
>> any ideas why?
>
> No, haven't really dug into the code yet. Was just observing to verify
> that the claims in 2936 could be reproduced and found a much worse
> situation than expected.
>
>> > - Fails with refcount error on second NTLM handshake.
>>
>> If I've been following the snippets in IRC right, this is due to the
>> absorb() function which attempts to combine duplicate credentials and
>> maintain a single state. Which requires that the absorbed credentials be
>> discarded immediately after. The assert is there to make it obvious when
>> this requirement is broken.
>
> Design error?

Yes, in the user tracking.
>
> Was too long since I was in NTLM/Negotiate land (haven't seriously
> touched it since throwing out the challenge reuse layer years ago) and
> no longer remember the details about this temp credentials and
> absorbing.. but I do have a memory of it being a bit strange.

Basic flow around that absorb is:
 create empty AuthUser "local_auth_user"
 use local_auth_user to parse the received credentials header
  * (a) authenticate the local_auth_user credentials!!
 lookup existing user of local_auth_user in the cache "usernamehash"
 absorb() the local_auth_user details into usernamehash
 replace current request's local_auth_user with usernamehash
  ** leave any state links from (a) out to dry.

So, it should be fine forgoing the absorb() and simply updating the
username hash cache with the freshly authed local_auth_user credentials. Or
maybe reversing the absorb, so newer local_auth_user preserves any
accounting history needed from usernamehash.

I'm not sure what/how to check for max_user_ip though.

There is a secondary flow though I think which should be preventing that
re-auth on an existing pconn. I can't easily find the code path though.

 open pconn receives second request + credentials
 lookup conn->user() credentials
 verify token exists in AuthUser::proxy_match_cache
  * auth new token if need be, adding to the resulting user credentials
    proxy_match_cache.

Amos
Received on Mon Aug 16 2010 - 01:43:46 MDT
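A reduced C++ model of the two flows discussed above, added here as an illustration and not taken from Squid's source: the trunk-style absorb() that leaves the step (a) link pointing at a hollowed-out object, beside the reversed direction Amos proposes. Only the names AuthUser, absorb() and usernamehash come from the mail; token, requestCount and stateLink are assumed stand-ins for the real state.

```cpp
// Added model, not Squid source. AuthUser, absorb() and usernamehash follow the
// names in the mail; everything else (token, requestCount, stateLink) is assumed.
#include <map>
#include <memory>
#include <string>

struct AuthUser {
    std::string username;
    int requestCount = 0;   // accounting history kept per cached user
    std::string token;      // credentials proven in step (a)

    // Trunk behaviour: merge 'fresh' into *this. The caller must discard
    // 'fresh' immediately afterwards; it is hollow once absorbed.
    void absorb(AuthUser &fresh) {
        token = fresh.token;
        fresh.token.clear();
    }
};
using AuthUserPtr = std::shared_ptr<AuthUser>;
static std::map<std::string, AuthUserPtr> usernamehash;

// Flow as listed in the mail. 'stateLink' stands for any link (e.g. helper
// state) created in step (a) that still points at local_auth_user afterwards.
AuthUserPtr absorbFlow(const std::string &name, const std::string &token, AuthUserPtr &stateLink) {
    auto local = std::make_shared<AuthUser>();
    local->username = name;
    local->token = token;   // (a) authenticate local_auth_user
    stateLink = local;
    auto it = usernamehash.find(name);
    if (it == usernamehash.end()) { usernamehash[name] = local; return local; }
    it->second->absorb(*local);     // local is now hollow but stateLink keeps it alive
    it->second->requestCount++;
    return it->second;              // request is repointed; stateLink is left out to dry
}

// Proposed alternative: keep the freshly authed user, carry over the accounting
// history from the cached entry, and make the cache point at the new object.
AuthUserPtr replaceFlow(const std::string &name, const std::string &token, AuthUserPtr &stateLink) {
    auto local = std::make_shared<AuthUser>();
    local->username = name;
    local->token = token;   // (a) authenticate local_auth_user
    stateLink = local;
    auto it = usernamehash.find(name);
    if (it != usernamehash.end()) local->requestCount = it->second->requestCount;
    local->requestCount++;
    usernamehash[name] = local;     // old cached object dies when its last holder drops it
    return local;                   // request and stateLink agree on one object
}
```

In the absorb flow the second handshake returns the cached object while the link from step (a) still holds the hollowed local one; in the replace flow both refer to the same freshly authenticated user and the request count survives.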
