	cosign-discuss at umich.edu
	general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Cosign Loop Breaking

To: Cory Snavely <csnavely@xxxxxxxxx>
Subject: Re: Cosign Loop Breaking
From: Wesley D Craig <wes@xxxxxxxxx>
Date: Tue, 8 Jun 2004 22:55:52 -0400
Cc: Cosign Discussion <cosign-discuss@xxxxxxxxx>
In-reply-to: <40C61583.4090303@umich.edu>
References: <5DE44794-B584-11D8-AD07-000A95E48A4E@umich.edu> <Pine.SOL.4.58.0406081354460.3073@mozi.lsait.lsa.umich.edu> <40C61583.4090303@umich.edu>

On 08 Jun 2004, at 15:37, Cory Snavely wrote:

But maybe I've just offended the person with the weirdo application 8), and maybe the rationale for having protection from this in COSIGN is clearer if we know the types of misconfigurations where this can happen. Could you share more details?

cosignd replication is lazy and lossy. There is no requirement in the protocol for all of the cosignd's to have exactly the same data. This managed inconsistency is dealt with by having the cosign filters query multiple cosignd's if the first cosignd responds with "I don't know."

At UMich, we saw the looping problem in a big way due to a bug in one of the cosign filter implementations. In particular, the java cosign filter had an error where it would not fail over to other cosignd's when the information it was looking for was not present on the one-and-only cosignd it was currently connected to.

The effect of this bug was that users would visit the protected service, be redirected to the cosign registration service, be redirected back to the service, ad nauseam. Since the protected service was moderately popular, thousands of users bounced back and forth between the service and cosign, bring both to their knees and causing a campus-wide cosign outage.

The bug wasn't immediately obvious. As I recall, a mis-configuration in a firewall precipitated the problem. One of the three campus cosign servers is located behind on departmental firewall. When the firewall was briefly mis-configured, the cosign protected application that this department runs was able to get to the cosign server, but no users were able to get to the same cosign server's web interface. Also, the other two cosign servers weren't able to send data to the third cosign server, causing their databases to be quite inconsistent.

So, we fixed the bug in the java filter. However, if we had had the loop breaking code in place, 1) the problem would have been more obvious, and 2) we would not have had a campus-wide cosign outage. Campus-wide cosign outages are real downer for me, so we spent some time thinking how we could never, ever have another one. This is how we came up with the loop-breaking code.

:wes

Follow-Ups:
- Re: Cosign Loop Breaking
  - From: Cory Snavely

References:
- Cosign Loop Breaking
  - From: johanna bromberg craig
- Re: Cosign Loop Breaking
  - From: Mark Montague
- Re: Cosign Loop Breaking
  - From: Cory Snavely

Prev by Date: RE: Cosign Loop Breaking
Next by Date: Web App Developer documentation ...
Previous by thread: Re: Web App Developer documentation ...
Next by thread: Re: Cosign Loop Breaking
Index(es):
- Date
- Thread