Hi
Here is a patch for the latest polygraph version to perform Kerberos-based
performance testing.

Apply the attached patch and rebuild configure and other files with:

  aclocal
  autoheader
  automake -a
  autoreconf -f -i

Now run ./configure ...

Four new options are introduced:

1) kerberos_auth = true;
   Selects Kerberos over NTLM in Negotiate requests.
2) kerberos_config_path = "krb5_WINDOWS.conf";
   Defines the Kerberos configuration file to use.
3) kerberos_clear_cache = true;
   Do not cache credentials but re-authenticate the user for every HTTP
   request. Creates a high amount of Kerberos traffic to the
   KDC or Active Directory and is not recommended.
4) kerberos_proxy_spn = "HTTP/<fqdn>" (and kerberos_server_spn =
   "HTTP/<fqdn>" for testing web server performance)
   Setting the SPN avoids DNS resolution of the proxy or web server
   hostname to IP address and vice versa.

Simple Polygraph configuration

  /*
   * A very simple "Hello, World!" workload
   */

  // this is just one of the simplest workloads that can produce hits
  // never use this workload for benchmarking

  // SimpleContent defines properties of content that the server generates;
  // if you get no hits, set SimpleContent.obj_life_cycle to cntStatic, which
  // is defined in workloads/include/contents.pg
  Content SimpleContent = {
      size = exp(13KB); // response sizes distributed exponentially
      cachable = 80%;   // 20% of content is uncachable
  };

  // a primitive server cleverly labeled "S101"
  // normally, you would specify more properties,
  // but we will mostly rely on defaults for now
  Server S = {
      kind = "S101";
      contents = [ SimpleContent ];
      direct_access = contents;
      addresses = [ '192.168.1.12:9090' ]; // where to create these server agents
  };

  DnsResolver dr = {
      servers = [ '127.0.0.1:53' ];
      timeout = 5sec;
  };

  AddrMap M = {
      addresses = [ '192.168.1.10' ,'192.168.1.11', '192.168.1.12' ];
      names = [ 'client.suse.home' , 'proxy.suse.home', 'server.suse.home' ];
  };

  // a primitive robot
  Robot R1 = {
      kind = "R101";
      pop_model = { pop_distr = popUnif(); };
      recurrence = 55% / SimpleContent.cachable; // adjusted to get 55% DHR
      origins = S.addresses;          // where the origin servers are
      addresses = [ '192.168.1.10' ]; // where these robot agents will be created
      // kerberos_clear_cache = true;
      kerberos_auth = true;
      kerberos_config_path = "krb5_SUSE.conf";
      kerberos_proxy_spn = "HTTP/proxy.suse.home";
      credentials = [ "user1:user1" ];
      dns_resolver = dr;
  };

  // a primitive robot
  Robot R2 = {
      kind = "R101";
      pop_model = { pop_distr = popUnif(); };
      recurrence = 55% / SimpleContent.cachable; // adjusted to get 55% DHR
      origins = S.addresses;          // where the origin servers are
      addresses = [ '192.168.1.10' ]; // where these robot agents will be created
      // kerberos_clear_cache = true;
      kerberos_auth = true;
      kerberos_config_path = "krb5_WINDOWS.conf";
      // user can be the same as in Robot R1 as the default domain in krb5 will
      // differentiate them as user1@<WINDOWS-DOMAIN> and user1@<SUSE-DOMAIN>
      kerberos_proxy_spn = "HTTP/proxy.suse.home";
      credentials = [ "user1:user1" ];
      dns_resolver = dr;
  };

  // commit to using these servers and robots
  use(M);
  use(S, R1, R2);

Run the client with:

  /opt/polygraph-4.0.11/bin/polygraph-client --proxy 192.168.1.11:3128 \
    --config /home/markus/mysources/polygraph/simple_proxy.pg \
    --verb_lvl 10 --log client.log

Simple Kerberos configuration file

  [libdefaults]
      default_realm = WIN2003R2.HOME
      default_keytab_name = /etc/krb5.keytab
      default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
      default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
      permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
      #Heimdal settings
      default_etypes = arcfour-hmac-md5 des3-cbc-sha1 des-cbc-crc des-cbc-md5
      default_etypes_des = des-cbc-crc des-cbc-md5
      # DNS settings to reduce DNS traffic and rely on below settings
      dns_lookup_kdc = no
      dns_lookup_realm = no

  [realms]
      WIN2003R2.HOME = {
          kdc = 192.168.1.10
          admin_server = 192.168.1.10
      }

  [domain_realm]
      .win2003r2.home = WIN2003R2.HOME
      win2003r2.home = WIN2003R2.HOME

  [logging]

Using IP addresses reduces the load on DNS!

In the case of a high number of connections you may see errors 1765328228
from krb5_get_init_creds_password. This can happen when more than
FD_SETSIZE file descriptors are open. The only way to avoid this is to
recompile the Kerberos library after setting with sysctl (on Linux) a file
max file descriptor number and changing the header file define for
FD_SETSIZE in typesizes.h (depending on OS it is defined in other header
files).

Any feedback is appreciated.
Regards
Markus
This archive was generated by hypermail 2.2.0 : Mon Feb 14 2011 - 12:00:03 MST
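
Added example, not part of Markus's message or the polygraph patch: a small Python check that parses the enctype settings of the krb5 configuration posted above and reports which settings list only enctypes that have since been deprecated for Kerberos (single DES by RFC 6649, 3DES and RC4 by RFC 8429). The function names are made up for this example, and the embedded text is the enctype lines of [libdefaults] copied from the message with the wrapped line rejoined.

```python
import re

# Deprecated Kerberos enctypes: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
# Both MIT and Heimdal spellings are listed.
WEAK = {
    "des-cbc-crc": "DES", "des-cbc-md4": "DES", "des-cbc-md5": "DES",
    "des3-cbc-sha1": "3DES", "des3-hmac-sha1": "3DES",
    "rc4-hmac": "RC4", "arcfour-hmac": "RC4", "arcfour-hmac-md5": "RC4",
}
ENCTYPE_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes",
                "permitted_enctypes", "default_etypes", "default_etypes_des"}

# Enctype lines of [libdefaults] as posted in the message above.
POSTED_CONF = """\
[libdefaults]
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
#Heimdal settings
default_etypes = arcfour-hmac-md5 des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
"""

def audit_enctypes(text):
    """Map each enctype setting to {'weak': [names], 'other': [names]}."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or full-line comment
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if sep and key in ENCTYPE_KEYS:      # section headers have no "="
            entry = report.setdefault(key, {"weak": [], "other": []})
            for etype in filter(None, re.split(r"[\s,]+", value)):
                bucket = "weak" if etype.lower() in WEAK else "other"
                entry[bucket].append(etype)
    return report

def settings_without_strong_enctype(report):
    """Settings whose list contains only deprecated enctypes."""
    return sorted(k for k, v in report.items() if v["weak"] and not v["other"])

def weak_families(report):
    """Cipher families (DES, 3DES, RC4) that the configuration still allows."""
    return sorted({WEAK[e.lower()] for v in report.values() for e in v["weak"]})

if __name__ == "__main__":
    posted = audit_enctypes(POSTED_CONF)
    print("only deprecated enctypes:", settings_without_strong_enctype(posted))
    print("families allowed:", weak_families(posted))
```

For the posted file every enctype setting is reported, because none of the lists contains an AES enctype.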