Commit ef7a419d authored by Maiken's avatar Maiken

Merge branch 'bug_3752' into 'master'

More strict [mapping] configuration block

See merge request nordugrid/arc!353
parents 1ef5653f 9a2c82a4
......@@ -291,6 +291,7 @@ MCC_Status MCC_HTTP_Service::process(Message& inmsg,Message& outmsg) {
};
// Call next MCC
MCCInterface* next = Next(nextpayload.Method());
if(!next) next = Next(); // try default target
if(!next) {
logger.msg(WARNING, "No next element in the chain");
// Here selection is on method name. So failure result is "not supported"
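Review bot: The fallback `if(!next) next = Next(); // try default target` changes what an unlisted HTTP method means: before, a method with no explicit `<next>` entry stopped here with "No next element in the chain", now it is forwarded to the default target, and the shipped configuration in this same commit replaces the per-method GET/PUT/HEAD entries with a bare `<next id="plexer"/>`, so every method not named explicitly reaches the plexer. That is presumably intended, but the one-word comment hides it, and any SecHandler further down that assumed method filtering happened at this point no longer gets it. I would spell it out, e.g. `// No target registered for this method: fall back to the default <next/>. Every method not listed explicitly is forwarded, so method-based filtering must happen in the SecHandlers, not here.` process() starts and ends outside the hunk.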
......
......@@ -240,8 +240,13 @@ prepare() {
GLOBUS_TCP_PORT_RANGE=`readconfigvar "$ARC_RUNTIME_CONFIG" globus_tcp_port_range arex/data-staging`
GLOBUS_UDP_PORT_RANGE=`readconfigvar "$ARC_RUNTIME_CONFIG" globus_udp_port_range arex/data-staging`
VOMS_PROCESSING=`readconfigvar "$ARC_RUNTIME_CONFIG" voms_processing common`
GRIDMAP=`readconfigvar "$ARC_RUNTIME_CONFIG" gridmap mapping`
USERMAP_BLOCK='mapping'
mapping_present=`testconfigblock "$ARC_RUNTIME_CONFIG" mapping`
GRIDMAP=''
USERMAP_BLOCK=''
if [ "$mapping_present" = 'true' ] ; then
USERMAP_BLOCK='mapping'
GRIDMAP=`readconfigvar "$ARC_RUNTIME_CONFIG" gridmap mapping`
fi
HOSTNAME=`readconfigvar "$ARC_RUNTIME_CONFIG" hostname common`
SERVICEMAIL=`readconfigvar "$ARC_RUNTIME_CONFIG" mail arex`
# It is easier to handle root user through empty value.
......@@ -272,13 +277,11 @@ prepare() {
arex_service_plexer=""
ws_present=`testconfigblock "$ARC_RUNTIME_CONFIG" arex/ws`
arex_present=`testconfigblock "$ARC_RUNTIME_CONFIG" arex/ws/emies`
gridmapmatch=""
if [ "$ws_present" = 'true' ] ; then
WSLOGFILE=`readconfigvar "$ARC_RUNTIME_CONFIG" logfile arex/ws`
MAX_JOB_CONTROL_REQUESTS=`readconfigvar "$ARC_RUNTIME_CONFIG" max_job_control_requests arex/ws`
MAX_INFOSYS_REQUESTS=`readconfigvar "$ARC_RUNTIME_CONFIG" max_infosys_requests arex/ws`
MAX_DATA_TRANSFER_REQUESTS=`readconfigvar "$ARC_RUNTIME_CONFIG" max_data_transfer_requests arex/ws`
REQUIREGRIDMAP=`readconfigvar "$ARC_RUNTIME_CONFIG" require_gridmapfile arex/ws/emies`
USERAUTH_BLOCK='arex/ws/emies'
arex_mount_point=`readconfigvar "$ARC_RUNTIME_CONFIG" wsurl arex/ws`
arex_proto=`echo "$arex_mount_point" | sed 's/^\([^:]*\):\/\/.*/\1/;t;s/.*//'`
......@@ -303,21 +306,16 @@ prepare() {
if [ ! -d `dirname $WSLOGFILE` ]; then
mkdir -p `dirname $WSLOGFILE`
fi
if [ "$REQUIREGRIDMAP" = "yes" ] ; then
gridmapmatch="
<!-- Do initial user filtering by gridmap file -->
<SecHandler name=\"arc.authz\" event=\"incoming\">
<PDP name=\"simplelist.pdp\" location=\"$GRIDMAP\">
</PDP>
</SecHandler>
"
fi
fi
if [ "$arex_present" = 'true' ] ; then
if [ "$ws_present" != 'true' ] ; then
log_failure_msg "WS interface must be turned on to use A-REX/EMIES WS service"
exit 1
else
if [ "$mapping_present" != 'true' ] ; then
log_failure_msg "For A-REX/EMIES WS interface to work mapping must be enabled"
exit 1
fi
fi
arex_service_plexer="<next id=\"a-rex\">^$arex_path</next>"
fi
......@@ -339,6 +337,12 @@ prepare() {
if [ -z "$arguspep_usermap" ]; then arguspep_usermap="false"; fi
if [ "$arguspep_usermap" = "yes" ]; then arguspep_usermap="true"; fi
if [ "$arguspep_usermap" = "no" ]; then arguspep_usermap="false"; fi
if [ "$mapping_present" != 'true' ]; then
if [ "$arguspep_usermap" = 'true' ]; then
log_failure_msg "Can't map user identity through Argus PEP because mapping is disabled for the service."
exit 1
fi
fi
argus_shc="${argus_shc}
<!-- Perform client authorization and mapping according to Argus through PEP service -->
<SecHandler name=\"arguspepclient.map\" id=\"arguspep\" event=\"incoming\">
......@@ -365,6 +369,12 @@ prepare() {
if [ -z "$arguspdp_usermap" ]; then arguspdp_usermap="false"; fi
if [ "$arguspdp_usermap" = "yes" ]; then arguspdp_usermap="true"; fi
if [ "$arguspdp_usermap" = "no" ]; then arguspdp_usermap="false"; fi
if [ "$mapping_present" != 'true' ]; then
if [ "$arguspdp_usermap" = 'true' ]; then
log_failure_msg "Can't map user identity through Argus PDP because mapping is disabled for the service."
exit 1
fi
fi
arguspdp_acceptnotapplicable=`readconfigvar "$ARC_RUNTIME_CONFIG" arguspdp_acceptnotapplicable arex/ws/argus`
if [ -z "$arguspdp_acceptnotapplicable" ]; then arguspdp_acceptnotapplicable="false"; fi
if [ "$arguspdp_acceptnotapplicable" = "yes" ]; then arguspdp_acceptnotapplicable="true"; fi
......@@ -392,8 +402,7 @@ prepare() {
exit 1
fi
candypond_plexer="<next id=\"candypond\">^$arex_path/candypond</next>"
candypond="
<Service name=\"candypond\" id=\"candypond\">
candypond_shc="
<!-- Beware of hardcoded block name -->
<SecHandler name=\"arc.authz\" event=\"incoming\">
<PDP name=\"arclegacy.pdp\">
......@@ -403,6 +412,9 @@ prepare() {
</ConfigBlock>
</PDP>
</SecHandler>
"
if [ "$mapping_present" = 'true' ]; then
candypond_shc="$candypond_shc
<!-- Perform client mapping -->
<SecHandler name=\"arclegacy.map\" event=\"incoming\">
<ConfigBlock>
......@@ -414,6 +426,11 @@ prepare() {
<candypond:config>$ARC_RUNTIME_CONFIG</candypond:config>
<candypond:witharex>true</candypond:witharex>
</candypond:service>
"
fi
candypond="
<Service name=\"candypond\" id=\"candypond\">
$candypond_shc
</Service>"
fi
......@@ -468,6 +485,9 @@ prepare() {
</ConfigBlock>
</PDP>
</SecHandler>
"
if [ "$mapping_present" = 'true' ]; then
emies_legacy_shc="$emies_legacy_shc
<!-- Perform client mapping according to rules of gridftpd -->
<SecHandler name=\"arclegacy.map\" event=\"incoming\">
<ConfigBlock>
......@@ -475,6 +495,7 @@ prepare() {
<BlockName>$USERMAP_BLOCK</BlockName>
</ConfigBlock>
</SecHandler>"
fi
# A-Rex without WS interface
AREXCFG="\
......@@ -539,9 +560,7 @@ prepare() {
</Component>
<Component name=\"http.service\" id=\"http\">
<next id=\"soap\">POST</next>
<next id=\"plexer\">GET</next>
<next id=\"plexer\">PUT</next>
<next id=\"plexer\">HEAD</next>
<next id=\"plexer\"/>
</Component>
<Component name=\"soap.service\" id=\"soap\">
<next id=\"plexer\"/>
......@@ -566,6 +585,17 @@ prepare() {
"
# A-Rex with WS interface over HTTPS
gridmap_mapping=''
if [ "$mapping_present" = 'true' ]; then
if [ ! -z "$GRIDMAP" ]; then
gridmap_mapping="
<!-- Do initial identity mappping by gridmap file -->
<SecHandler name=\"identity.map\" id=\"map\" event=\"incoming\">
<PDP name=\"allow.pdp\"><LocalList>$GRIDMAP</LocalList></PDP>
</SecHandler>
"
fi
fi
AREXCFGWSS="\
<?xml version=\"1.0\"?>
<ArcConfig
......@@ -608,15 +638,8 @@ prepare() {
</Component>
<Component name=\"http.service\" id=\"http\">
<next id=\"soap\">POST</next>
<next id=\"plexer\">GET</next>
<next id=\"plexer\">PUT</next>
<next id=\"plexer\">HEAD</next>
$gridmapmatch
<!-- Do initial identity mappping by gridmap file -->
<SecHandler name=\"identity.map\" id=\"map\" event=\"incoming\">
<PDP name=\"allow.pdp\"><LocalList>$GRIDMAP</LocalList></PDP>
<PDP name=\"allow.pdp\"><LocalName>nobody</LocalName></PDP>
</SecHandler>
<next id=\"plexer\"/>
$gridmap_mapping
<!-- Match client to legacy authorization groups -->
<SecHandler name=\"arclegacy.handler\" event=\"incoming\">
<ConfigFile>$ARC_RUNTIME_CONFIG</ConfigFile>
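Review bot: The `require_gridmapfile` key is dropped without any replacement diagnostic: the `REQUIREGRIDMAP` read and the `gridmapmatch` handler go away in the hunks at 272/277 and 303/306, so a site that still sets `require_gridmapfile=yes` under `[arex/ws/emies]` to reject identities absent from the grid-mapfile silently loses that check unless a configuration validator outside this script rejects the key. The hunk at 608/638 likewise removes the `<LocalName>nobody</LocalName>` fallback, so with the mapping block disabled or `gridmap` unset no `identity.map` handler is emitted at all, which is presumably the intended strictness but deserves a comment next to `gridmap_mapping=''`. I would keep reading the old key and refuse to start while it is present, e.g. `REQUIREGRIDMAP=$(readconfigvar "$ARC_RUNTIME_CONFIG" require_gridmapfile arex/ws/emies)` followed by `if [ -n "$REQUIREGRIDMAP" ]; then log_failure_msg "require_gridmapfile is no longer supported, use the [mapping] block"; exit 1; fi`. prepare() begins and ends outside the shown hunks.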
......
......@@ -280,22 +280,6 @@ int FileRoot::config(Arc::ConfigIni &cf,std::string &pluginpath) {
logger.msg(Arc::ERROR, "improper attribute for allowencryption command: %s", value);
return 1;
};
} else if(command == "require_gridmapfile") {
/* should user be present in grid-mapfile ? */
std::string value=Arc::ConfigIni::NextArg(rest);
if(value == "no") {
user.gridmap=true;
} else if(value == "yes") {
if(!user.gridmap) {
logger.msg(Arc::ERROR, "unknown (non-gridmap) user is not allowed");
return 1;
};
} else {
user.user.clear_groups();
nodes.clear();
logger.msg(Arc::ERROR, "improper attribute for require_gridmapfile command: %s", value);
return 1;
};
} else if(command == "port") {
port=rest;
} else if(command == "allowactivedata") {
......
......@@ -22,7 +22,6 @@ void userspec_t::free(void) const {
// Keep authentication info to preserve proxy (just in case)
}
//userspec_t::userspec_t(void):user(),map(user),default_map(user),name(NULL),group(NULL),home(NULL),gridmap(false) {
userspec_t::userspec_t(void):user(),uid(-1),gid(-1),port(0),map(user),default_map(user),gridmap(false) {
host[0] = 0;
}
......@@ -38,36 +37,34 @@ bool check_gridmap(const char* dn,char** user,const char* mapfile) {
}
else {
char* tmp=getenv("GRIDMAP");
if((tmp == NULL) || (tmp[0] == 0)) {
globus_gridmap="/etc/grid-security/grid-mapfile";
}
else { globus_gridmap=tmp; };
globus_gridmap=tmp?tmp:"";
};
std::ifstream f(globus_gridmap.c_str());
if(!f.is_open() ) {
logger.msg(Arc::ERROR, "Mapfile is missing at %s", globus_gridmap);
return false;
};
for(;f.good();) {
std::string buf;//char buf[512]; // must be enough for DN + name
getline(f,buf);
//buf[511]=0;
char* p = &buf[0];
for(;*p;p++) if(((*p) != ' ') && ((*p) != '\t')) break;
if((*p) == '#') continue;
if((*p) == 0) continue;
std::string val;
int n = Arc::ConfigIni::NextArg(p,val,' ','"');
if(strcmp(val.c_str(),dn) != 0) continue;
p+=n;
if(user) {
n=Arc::ConfigIni::NextArg(p,val,' ','"');
*user=strdup(val.c_str());
if(!globus_gridmap.empty()) {
std::ifstream f(globus_gridmap.c_str());
if(!f.is_open() ) {
logger.msg(Arc::ERROR, "Mapfile is missing at %s", globus_gridmap);
return false;
};
for(;f.good();) {
std::string buf;
getline(f,buf);
char* p = &buf[0];
for(;*p;p++) if(((*p) != ' ') && ((*p) != '\t')) break;
if((*p) == '#') continue;
if((*p) == 0) continue;
std::string val;
int n = Arc::ConfigIni::NextArg(p,val,' ','"');
if(strcmp(val.c_str(),dn) != 0) continue;
p+=n;
if(user) {
n=Arc::ConfigIni::NextArg(p,val,' ','"');
*user=strdup(val.c_str());
};
f.close();
return true;
};
f.close();
return true;
};
f.close();
return false;
}
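Review bot: When neither a mapfile argument nor `GRIDMAP` is set, `globus_gridmap=tmp?tmp:"";` leaves the name empty and the function falls through the new `if(!globus_gridmap.empty())` block straight to `return false` with no log line, so an operator cannot tell a DN that is simply not listed from a deployment where no mapfile is configured at all; the removed branch at least named the file it was going to open. Dropping the hard-coded `/etc/grid-security/grid-mapfile` default is consistent with the stricter mapping block, but the silent path deserves a message, e.g. an `else` on the new block: `else logger.msg(Arc::VERBOSE, "No grid-mapfile configured, identity not checked: %s", dn);`. check_gridmap() starts before the hunk, so the `mapfile` branch that sets `globus_gridmap` first is not visible here.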
......