Bug 55424 - make SAML identity cache database configurable
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-2-errata
Assigned To: Florian Best
QA Contact: Dirk Wiesenthal
Depends on: 54880
Blocks:
Reported: 2022-11-14 13:18 CET by Florian Best
Modified: 2023-12-19 12:12 CET (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain: 0.429
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Florian Best univentionstaff 2022-11-14 13:18:36 CET
The current SAML identity cache has problems with concurrent write operations.
Therefore we should make it configurable via UCR whether an in-memory storage or a shelve/bdb database should be used.

+++ This bug was initially created as a clone of Bug #54880 +++

The following traceback shows up if you log in with SAML on a school replica.

UCS: 5.0-1 errata310
Installed: cups=2.2.1 dhcp-server=12.0 prometheus-node-exporter=2.0.1
radius=5.0 samba4=4.13 squid=3.5 ucsschool=5.0 v1
4.4/ucsschool-veyon-proxy=1.1
Upgradable:

17.06.22 15:28:30.238  MAIN        ( ERROR   ) : Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/lib/python3/dist-packages/cherrypy/lib/encoding.py", line 220, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/cherrypy/_cpdispatch.py", line 60, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/sbin/univention-management-console-web-server", line 1258, in index
    return acs(binding, message, relay_state)
  File "/usr/sbin/univention-management-console-web-server", line 1281, in attribute_consuming_service_iframe
    response = self.acs(message, binding)
  File "/usr/sbin/univention-management-console-web-server", line 1395, in acs
    response = self.sp.parse_authn_request_response(message, binding, self.outstanding_queries)
  File "/usr/lib/python3/dist-packages/saml2/client_base.py", line 717, in parse_authn_request_response
    self.users.add_information_about_person(resp.session_info())
  File "/usr/lib/python3/dist-packages/saml2/population.py", line 27, in add_information_about_person
    session_info["not_on_or_after"])
  File "/usr/lib/python3/dist-packages/saml2/cache.py", line 129, in set
    self._db[cni] = data
  File "/usr/lib/python3.7/shelve.py", line 125, in __setitem__
    self.dict[key.encode(self.keyencoding)] = f.getvalue()
_dbm.error: cannot add item to database

I have no idea where this comes from and what the root cause is. Restarting the services does not fix the problem.
Comment 1 Dirk Wiesenthal univentionstaff 2022-11-14 13:32:19 CET
We should make the in-memory store the default, I think
Comment 2 Florian Best univentionstaff 2022-11-14 18:16:09 CET
The SAML identity cache is now configurable via UCR variable umc/saml/in-memory-identity-cache.
By default it is used, except when multiprocessing is enabled via umc/http/processes at the time of the upgrade.

univention-management-console.yaml
b827e4fd5652 | feat(umc saml): make SAML identity cache configurable

univention-management-console (12.0.13-3)
b827e4fd5652 | feat(umc saml): make SAML identity cache configurable
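As an added illustration of the trade-off behind comment 2 (example code, not UCS or pysaml2 code): a minimal cache modelled on pysaml2's saml2.cache.Cache, which keeps a plain dict unless given a filename and otherwise uses the shelve/dbm store from the traceback, plus a selector driven by the UCR variable. The worker-process check assumes that the reason the in-memory cache is not used when umc/http/processes enables multiprocessing is that a dict is private to each UMC worker; the session values and the IdP entity ID are constructed samples.

```python
import multiprocessing
import os
import shelve
import tempfile


class IdentityCache:
    """Stand-in for pysaml2's saml2.cache.Cache (hypothetical, not UCS code):
    a dict when no filename is given, otherwise a shelve/dbm file as in the traceback."""

    def __init__(self, filename=None):
        self.filename = filename
        self._db = shelve.open(filename) if filename else {}

    def set(self, name_id, entity_id, info):
        self._db[name_id] = {entity_id: info}

    def get(self, name_id):
        return self._db.get(name_id)

    def close(self):
        if self.filename:
            self._db.close()  # a Shelf writes through to the dbm file on close


def make_cache(ucr, shelve_path):
    """Pick the backend from UCR: umc/saml/in-memory-identity-cache defaults to true,
    so the shelve file is used only when it is explicitly false. (UCS fixes the stored
    default at upgrade time from umc/http/processes; that step is not modelled here.)"""
    value = ucr.get("umc/saml/in-memory-identity-cache", "true").strip().lower()
    return IdentityCache(None if value not in ("false", "no", "0") else shelve_path)


def _worker_login(ucr, shelve_path):
    # Constructed sample: one UMC worker process records a SAML session.
    cache = make_cache(ucr, shelve_path)
    cache.set("nameid-alice", "https://idp.example.test/", {"uid": "alice"})
    cache.close()


def visible_after_worker_write(ucr):
    """True if a session cached by another worker process is visible here, i.e.
    whether the chosen backend is shared between UMC worker processes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "identity-cache")
        worker = multiprocessing.Process(target=_worker_login, args=(ucr, path))
        worker.start()
        worker.join()
        cache = make_cache(ucr, path)
        seen = cache.get("nameid-alice") is not None
        cache.close()
        return seen
```

With the variable set to false the shelve file is shared across workers (and is the store that failed under concurrent writes in the traceback); with the in-memory default each worker only sees its own sessions.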
Comment 3 Dirk Wiesenthal univentionstaff 2022-11-15 17:16:44 CET
umc/saml/in-memory-identity-cache=true: OK
umc/saml/in-memory-identity-cache=false: OK
YAML: OK