External Authentication Caching #5943
Conversation
contificate
force-pushed
the
ad_caching
branch
from
ffeaabf
to
d6bee5e
Compare
contificate
force-pushed
the
ad_caching
branch
from
d6bee5e
to
54b3d70
Compare
Factors out logic for transforming custom specifications into standard specifications in order to permit custom argument specifications to be provided alongside descriptions. Introduces a new list of options for this purpose. Signed-off-by: Colin James <[email protected]>
In preparation for memoization, we wrap a region of
"login_with_password" (the part calling out to external authentication code)
within a nested function ("query_external_auth").
We introduce a new record type "external_auth_result" that represents the set
of downward exposed variables that that are bound within the code our nested
function has incorporated. This record becomes the result of
"query_external_auth". Consequently, the function is immediately invoked and
its result is matched upon to bring all of the fields into scope. The future
memoization code will treat a call to this function as the "slow path".
Signed-off-by: Colin James <[email protected]>
Implements a wrapper for Psq that provides maximum capacity behaviour. Signed-off-by: Colin James <[email protected]>
Adds basic functional testing for a bounded priority search queue. Signed-off-by: Colin James <[email protected]>
Provides a simple authentication cache built using a bounded priority search queue. The structure of the cache is effectively a (bounded) priority search queue, mapping usernames to entries - where entries have an explicit time-to-live and can store arbitrary data (optionally secured with a cryptographic hash). Also provides a configurable expiry span in the form of a global in Xapi_globs, "external_authentication_expiry". This time span is added to the current time - upon entering data into the cache - to provide an expiration time. Its default value is 5 minutes. The input is specified in seconds. The underlying priority search queue treats the minimum entry as being the entry with highest priority. Therefore, as entries are compared by their expiration time, the entry that is soonest to expire is the one that is evicted when attempting to add a new entry when the cache is at capacity. Signed-off-by: Colin James <[email protected]>
Signed-off-by: Colin James <[email protected]>
contificate
force-pushed
the
ad_caching
branch
from
54b3d70
to
1cd9a60
Compare
|
@contificate Given this is a big update, could you please run XenRT suite: Authentication Sanity Test before merge. |
contificate
force-pushed
the
ad_caching
branch
from
1cd9a60
to
e818e1f
Compare
I've started suite run ( |
|
From a user's perspective, do we need millisecond precision here? And would it not be better to use a float of seconds - which could still provide this precision if needed? |
I ought to fix the PR's description but, as of recent changes, it's now provided as seconds (with sub-second precision possible, as I believe |
|
|
||
| type secret = string | ||
|
|
||
| type t = digest * salt * secret |
There was a problem hiding this comment.
These are all strings - so easy to confuse. Would a record help to avoid that?
There was a problem hiding this comment.
Yeah. I avoided this for stylistic reasons but it could be done that way, in principle.
val create : digest -> salt -> secret -> t
val read : t -> digest * salt * secretI wanted it to be the case that these injection and projection functions that Secrets are forced to provide evidently don't talk about the key (as that should only be used ephemerally). The users of Secret have t as opaque, so one could use whatever they want for that, provided they provide suitable implementations of the above functions. OCaml lacks anonymous record types (as SML has), which would permit a nice pattern like:
val read : t -> { digest: digest; salt: salt; secret: secret; }and then order-independent projections at usage sites using record patterns (as you suggest), whilst keeping the components transparent in the signature.
All that said, I could define a record type in the signature and use it there, but then it'd be val read : t -> components and marginally less evident. If people are keen on that, I'd be happy to do that change.
|
Yeah. And thanks for for this excellent real world example of OCaml modules and functors. I learned a lot from the reviewing. |
The job run looks pretty good. All green except one blocked and another a known issue (to my understanding). The job was run with the cache being enabled (hardcoded). A later XenRT test is in discussions to exercise more extreme conditions. |
- Adds mirage-crypto-rng and mirage-crypto-rng.unix libraries to xapi's dune file. These are used to provide random number generation used for generating salts. - Introduces a cache implementation that secures authenticated sessions (results) using SHA-512 hashes (computed using libcrypt's crypt_r function). Signed-off-by: Colin James <[email protected]>
Adds configurable options "enable-external-authentication-cache" and "external-authentication-cache-size" to Xapi_globs, which control whether the cache is enabled and the maximum capacity of the cache, respectively. Also adds "external-authentication-expiry" option, which permits configuration of the time-to-live assigned to each cache entry. The global that it manipulates in Xapi_globs was introduced earlier. In future, these configuration options may become a pool-wide feature. Signed-off-by: Colin James <[email protected]>
This change provides the workings required to allow the previously functionalised section of login_with_password to be bypassed by consulting an authentication cache. Before attempting to execute that section of login_with_password (which calls out to external authentication plugins), a cache is consulted. If a previously-computed result resides within the cache, that is provided. If there is no such result present in the cache, or external authentication caching is disabled, the previous section of code (the "slow path") is invoked. Signed-off-by: Colin James <[email protected]>
contificate
force-pushed
the
ad_caching
branch
from
e818e1f
to
318156e
Compare
|
Reintroduced dependency upon |
This change introduces the ability to cache valid results obtained from external authentication services (such as winbind for active directory). Currently, it is a per-host feature. In future, it may be promoted to a pool-wide feature.
The cache is configured by 3 entries in
xapi.conf, for example:This configuration would create a cache of capacity 10 and gives each cached entry a TTL of 30 seconds. By default, the cache is disabled. The data structure underlying the cache is a bounded priority search queue: if you attempt to insert a fresh entry when the cache is at capacity, the entry that is soonest to expire is evicted to make space for the new entry.
This has been tested using real AD services internally. Important behaviour such as bruteforce protection on invalid credentials is retained by this feature, as the cache only stores authenticated credentials (and falls back to the "slow path" - querying the external auth plugin - when no valid cache entry exists).
The above interaction shows the authentication, without caching, taking just over a second. Then, subsequent logins taking roughly half a second. The interaction then delays for 15 seconds (the TTL of the cache being used) and shows that it regresses to taking around original amount of time (as it no longer uses the cached result, as it has expired).
The above interaction demonstrates that, even when a valid credential for a user is cached, the presence of the cache won't undermine the default bruteforce protection behaviour of sleeping for roughly 4-5 seconds.