svn commit: r1798620 - in /vcl/trunk/managementnode/lib/VCL:
DataStructure.pm Module/OS/Linux.pm utils.pm
Author: arkurth
Date: Tue Jun 13 17:55:35 2017
New Revision: 1798620
URL: http://svn.apache.org/viewvc?rev=1798620&view=rev
Log:
VCL-887
Updated utils.pm::get_user_info to set a {FEDERATED_LINUX_AUTHENTICATION} key rather than the poorly named {STANDALONE} key. Updated Linux.pm::should_set_user_password to check $user_info->{FEDERATED_LINUX_AUTHENTICATION}.
Removed hard-coded condition in utils.pm::get_user_info which would have set {FEDERATED_LINUX_AUTHENTICATION} = 0 if the user.uid value is greater than 1 million. This was a legacy NCSU-only detail that should have never been committed to Apache.
Removed all references to the user info 'STANDALONE' key. Removed unused 'user_standalone' and 'management_node_not_standalone' keys from DataStructure.pm.
Cleaned up utils.pm::getpw to align with the rest of the modern code style and naming practices. It was using variables such as $a and $b.
Modified:
vcl/trunk/managementnode/lib/VCL/DataStructure.pm
vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm
vcl/trunk/managementnode/lib/VCL/utils.pm
Modified: vcl/trunk/managementnode/lib/VCL/DataStructure.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/DataStructure.pm?rev=1798620&r1=1798619&r2=1798620&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/DataStructure.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/DataStructure.pm Tue Jun 13 17:55:35 2017
@@ -469,7 +469,6 @@ $SUBROUTINE_MAPPINGS{user_mapprinters} =
$SUBROUTINE_MAPPINGS{user_mapserial} = '$self->request_data->{user}{mapserial}';
$SUBROUTINE_MAPPINGS{user_preferred_name} = '$self->request_data->{user}{preferredname}';
$SUBROUTINE_MAPPINGS{user_showallgroups} = '$self->request_data->{user}{showallgroups}';
-$SUBROUTINE_MAPPINGS{user_standalone} = '$self->request_data->{user}{STANDALONE}';
$SUBROUTINE_MAPPINGS{user_uid} = '$self->request_data->{user}{uid}';
#$SUBROUTINE_MAPPINGS{user_unityid} = '$self->request_data->{user}{unityid}';
$SUBROUTINE_MAPPINGS{user_login_id} = '$self->request_data->{user}{unityid}';
@@ -510,7 +509,6 @@ $SUBROUTINE_MAPPINGS{management_node_pub
$SUBROUTINE_MAPPINGS{management_node_sysadmin_email} = '$ENV{management_node_info}{SYSADMIN_EMAIL}';
$SUBROUTINE_MAPPINGS{management_node_shared_email_box} = '$ENV{management_node_info}{SHARED_EMAIL_BOX}';
-$SUBROUTINE_MAPPINGS{management_node_not_standalone} = '$ENV{management_node_info}{NOT_STANDALONE}';
$SUBROUTINE_MAPPINGS{management_node_predictive_module_name} = '$ENV{management_node_info}{predictive_name}';
$SUBROUTINE_MAPPINGS{management_node_predictive_module_pretty_name} = '$ENV{management_node_info}{predictive_prettyname}';
Modified: vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm?rev=1798620&r1=1798619&r2=1798620&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm Tue Jun 13 17:55:35 2017
@@ -5348,11 +5348,26 @@ sub enable_ip_forwarding {
=head2 should_set_user_password
- Parameters : $user_id
+ Parameters : $user_id, $no_cache (optional)
Returns : boolean
- Description : Determines whether or not a user account's password should be set
- on the computer being loaded. The "STANDALONE" flag is used to
- determine this.
+ Description : Determines whether or not a random password should be generated
+ and used for the user account created on the computer being
+ loaded. A random password WILL be used if any of the following
+ are true:
+ * The user.uid value is NOT set in the database for the user
+ * The managementnode.NOT_STANDALONE value is empty
+ * The managementnode.NOT_STANDALONE value is populated but does
+ NOT match the user's affiliation.name value
+
+ A federated authentication method such as Kerberos WILL be used
+ and a random password will NOT be generated if:
+ * The user.uid value SI set in the database for the user
+ * The managementnode.NOT_STANDALONE value is populated and
+ matches the user's affiliation.name value
+
+ Note: managementnode.NOT_STANDALONE corresponds to the management
+ node's 'Affiliations Using Federated Authentication for Linux
+ Images' setting on the VCL website
=cut
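Review bot: The second bullet list reads `* The user.uid value SI set in the database for the user`; it should be `IS set`. The description spells out the NOT_STANDALONE matching rule, but that rule is implemented in utils.pm::get_user_info, so a pointer such as `See utils.pm::get_user_info for how FEDERATED_LINUX_AUTHENTICATION is derived` would save the reader a search when the two drift apart.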
@@ -5363,27 +5378,42 @@ sub should_set_user_password {
return;
}
- my ($user_id) = shift;
+ my ($user_id, $no_cache) = @_;
if (!$user_id) {
notify($ERRORS{'WARNING'}, 0, "user ID argument was not supplied");
return;
}
-
- my $user_info = get_user_info($user_id);
- if (!$user_info) {
- notify($ERRORS{'WARNING'}, 0, "unable to determine if user password should be set, user info could not be retrieved for user ID $user_id");
+ elsif ($user_id !~ /^\d+$/) {
+ notify($ERRORS{'WARNING'}, 0, "invalid user ID argument was supplied, it is not an integer: '$user_id'");
return;
}
- my $user_standalone = $user_info->{STANDALONE};
+ if (!$no_cache && defined($self->{set_user_password}) && defined($self->{set_user_password}{$user_id})) {
+ return $self->{set_user_password}{$user_id};
+ }
+
- # Generate a reservation password if "standalone" (not using Kerberos authentication)
- if ($user_standalone) {
- return 1;
+ my $user_info = get_user_info($user_id, undef, $no_cache);
+ if ($user_info) {
+ my $user_login_id = $user_info->{unityid} || '<undefined>';
+ my $user_affiliation_name = $user_info->{affiliation}{name} || '<undefined>';
+ my $federated_linux_authentication = $user_info->{FEDERATED_LINUX_AUTHENTICATION};
+
+ # Generate a reservation password if "standalone" (not using Kerberos authentication)
+ if ($federated_linux_authentication) {
+ notify($ERRORS{'DEBUG'}, 0, "random password should NOT be set for user ID $user_id ($user_login_id\@$user_affiliation_name), federated Linux authentication: $federated_linux_authentication");
+ $self->{set_user_password}{$user_id} = 0;
+ }
+ else {
+ notify($ERRORS{'DEBUG'}, 0, "random password SHOULD be set for user ID $user_id ($user_login_id\@$user_affiliation_name), federated Linux authentication: $federated_linux_authentication");
+ $self->{set_user_password}{$user_id} = 1;
+ }
}
else {
- return 0;
+ notify($ERRORS{'WARNING'}, 0, "unable to definitively determine if random password should be set for user ID $user_id, user info could not be retrieved, assuming random password SHOULD be set, returning 1");
+ $self->{set_user_password}{$user_id} = 1;
}
+ return $self->{set_user_password}{$user_id};
}
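Review bot: The comment `# Generate a reservation password if "standalone" (not using Kerberos authentication)` now sits directly above the branch that stores 0, i.e. the federated case in which no password is generated, so it says the opposite of the code beneath it; it should read `# Federated Linux authentication supplies the credential, so no random password is generated`. In the else branch for a failed get_user_info, the fallback value is written into `$self->{set_user_password}{$user_id}`, so a transient lookup failure is remembered for the lifetime of the object and later calls without $no_cache never re-check; using `return 1;` there without touching the cache keeps the safe default while letting the next call retry. The body of should_set_user_password begins before this hunk.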
#//////////////////////////////////////////////////////////////////////////////
Modified: vcl/trunk/managementnode/lib/VCL/utils.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/utils.pm?rev=1798620&r1=1798619&r2=1798620&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/utils.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/utils.pm Tue Jun 13 17:55:35 2017
@@ -2312,43 +2312,61 @@ sub notify_via_oascript {
=head2 getpw
- Parameters : length(optional) - if not defined sets to 6
- Returns : randomized password
- Description : called for standalone accounts and used in randomizing
- privileged account passwords
+ Parameters : $password_length (optional), $include_special_characters (optional)
+ Returns : string
+ Description : Generates a random password.
=cut
sub getpw {
-
- my $length = $_[0];
+ my ($password_length, $include_special_characters) = @_;
- if (!(defined($length))) {
- $length = $ENV{management_node_info}{USER_PASSWORD_LENGTH};
+ if (!$password_length) {
+ $password_length = $ENV{management_node_info}{USER_PASSWORD_LENGTH} || 8;
}
-
- #If for some reason the global USER_PASSWORD_LENGTH did not get set, then force it here
- $length = 6 if (!(defined($length)));
-
+ if (!defined($include_special_characters)) {
+ $include_special_characters = $ENV{management_node_info}{INCLUDE_SPECIAL_CHARS};
+ }
+
#Skip certain confusing chars like: iI1lL,0Oo Zz2
- my @a = ("A" .. "H", "J" .. "N", "P" .. "Y", "a" .. "h", "j" .."n","p" .. "y", "3" .. "9");
- my @spchars = ("-","_","\!","\%","\#","\$","\@","+","=","{","}","\?");
-
- my $include_special_chars = $ENV{management_node_info}{INCLUDE_SPECIAL_CHARS};
-
- my $b;
- srand;
- for (1 .. $length) {
- $b .= $a[rand @a ];
+ my @character_set = (
+ 'A' .. 'H',
+ 'J' .. 'N',
+ 'P' .. 'Y',
+ 'a' .. 'h',
+ 'j' .. 'n',
+ 'p' .. 'y',
+ '3' .. '9',
+ );
+
+ if ($include_special_characters) {
+ my @special_characters = (
+ '-',
+ '_',
+ '!',
+ '%',
+ '#',
+ '$',
+ '@',
+ '+',
+ '=',
+ '{',
+ '}',
+ '?',
+ );
+ push @character_set, @special_characters;
}
-
- if ($include_special_chars) {
- $b .= $spchars[rand @spchars];
+ my $character_set_size = (scalar(@character_set));
+
+ my $password;
+ srand;
+ for (1 .. $password_length) {
+ my $random_index = int(rand($character_set_size));
+ $password .= $character_set[$random_index];
}
- return $b;
-
-} ## end sub getpw
+ return $password;
+}
#//////////////////////////////////////////////////////////////////////////////
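Review bot: The password is still drawn from Perl's `rand`, which is not a cryptographically secure generator, and `srand;` reseeds it on every call, which is unnecessary on current perls and narrows the effective seed space on older ones; since the output is used as an account password, the index should come from a CSPRNG source (bytes read from /dev/urandom, for example) and the `srand;` line dropped. The rewrite also changes behaviour relative to the removed code: the old version appended exactly one special character when INCLUDE_SPECIAL_CHARS was set, whereas the new version merges them into the pool, so a generated password may contain none; if a special character is required by policy, hoist @special_characters out of the if block and append one before the return, otherwise document that inclusion is probabilistic. The POD should also state that the length defaults to 8 when neither the argument nor USER_PASSWORD_LENGTH is set.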
@@ -2679,6 +2697,12 @@ sub database_execute {
}
}
+ #my $sql_warning_count = $statement_handle->{'mysql_warning_count'};
+ #if ($sql_warning_count) {
+ # my $warnings = $dbh->selectall_arrayref('SHOW WARNINGS');
+ # notify($ERRORS{'WARNING'}, 0, "warning generated from SQL statement:\n$sql_statement\nwarnings:\n" . format_data($warnings));
+ #}
+
# Get the id of the last inserted record if this is an INSERT statement
if ($sql_statement =~ /^\s*insert/i) {
my $sql_insertid = $statement_handle->{'mysql_insertid'};
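Review bot: The added lines are commented-out code with no indication of why they are disabled, which tends to linger indefinitely; either leave them out of the commit or replace them with a one-line marker such as `# TODO: report mysql_warning_count via SHOW WARNINGS once the warning volume has been assessed`. database_execute begins and ends outside this hunk.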
@@ -4722,9 +4746,6 @@ AND managementnode.id != $management_nod
$management_node_info->{SYSADMIN_EMAIL} = $management_node_info->{sysadminEmailAddress};
$management_node_info->{SHARED_EMAIL_BOX} = $management_node_info->{sharedMailBox};
- # Add affiliations that are not to use the standalone passwords
- $management_node_info->{NOT_STANDALONE} = $management_node_info->{NOT_STANDALONE} || '';
-
# Store the info in $ENV{management_node_info}
# Add keys for all of the unique identifiers that may be passed as an argument to this subroutine
$ENV{management_node_info}{$management_node_identifier} = $management_node_info;
@@ -6623,6 +6644,7 @@ EOF
my $user_id = $user_info->{id};
my $user_login_id = $user_info->{unityid};
+ my $user_affiliation_name = $user_info->{affiliation}{name};
# Set the user's preferred name to the first name if it isn't defined
if (!defined($user_info->{preferredname}) || $user_info->{preferredname} eq '') {
@@ -6633,37 +6655,30 @@ EOF
if (!defined($user_info->{IMid})) {
$user_info->{IMid} = '';
}
-
- # Affiliation specific changes
- # Check if the user's affiliation is listed in the management node's NOT_STANDALONE parameter
- $user_info->{STANDALONE} = 1;
-
- # Set the user's UID to the VCL user ID if it's not configured in the database, set STANDALONE = 1
+ $user_info->{FEDERATED_LINUX_AUTHENTICATION} = 0;
if (!$user_info->{uid}) {
+ # Set the user's UID to 500 + user.id if it's not configured in the database
$user_info->{uid} = ($user_info->{id} + 500);
- $user_info->{STANDALONE} = 1;
- notify($ERRORS{'DEBUG'}, 0, "UID value is not configured for user '$user_login_id', setting UID: $user_info->{uid}, standalone: 1");
- }
-
- # Fix the unityid if the user's UID is >= 1,000,000
- # Remove the domain section if the user's unityid contains @...
- elsif ($user_info->{uid} >= 1000000) {
- $user_info->{STANDALONE} = 1;
- notify($ERRORS{'DEBUG'}, 0, "UID value for user $user_login_id is >= 1000000, standalone: 1");
+ notify($ERRORS{'DEBUG'}, 0, "UID value is not configured for $user_login_id\@$user_affiliation_name, setting UID=$user_info->{uid}, setting FEDERATED_LINUX_AUTHENTICATION=$user_info->{FEDERATED_LINUX_AUTHENTICATION}");
}
-
- # Check if the user's affiliation is listed in the management node's NOT_STANDALONE list
else {
- my $management_node_info = get_management_node_info();
- if ($management_node_info) {
- my $user_affiliation_name = $user_info->{affiliation}{name};
- my $not_standalone_list = $management_node_info->{NOT_STANDALONE};
- if (grep(/^$user_affiliation_name$/i, split(/[,;]/, $not_standalone_list))) {
- notify($ERRORS{'DEBUG'}, 0, "non-standalone affiliation found for user $user_login_id:\nuser affiliation: $user_affiliation_name\nnot standalone list: $not_standalone_list");
- $user_info->{STANDALONE} = 0;
+ # Check if the user's affiliation is listed in the management node's NOT_STANDALONE list
+ my $management_node_info = get_management_node_info() || return;
+ my $not_standalone_list = $management_node_info->{NOT_STANDALONE} || '';
+ my @standalone_affiliations = split(/[,;\s]+/, $not_standalone_list);
+ if (@standalone_affiliations) {
+ if (grep(/^\s*$user_affiliation_name\s*$/i, @standalone_affiliations)) {
+ $user_info->{FEDERATED_LINUX_AUTHENTICATION} = 1;
+ notify($ERRORS{'DEBUG'}, 0, "affiliation of $user_login_id\@$user_affiliation_name is in management node's 'Affiliations Using Federated Authentication for Linux Images' list: '$management_node_info->{NOT_STANDALONE}', setting FEDERATED_LINUX_AUTHENTICATION=$user_info->{FEDERATED_LINUX_AUTHENTICATION}");
+ }
+ else {
+ notify($ERRORS{'DEBUG'}, 0, "affiliation of $user_login_id\@$user_affiliation_name is NOT in management node's 'Affiliations Using Federated Authentication for Linux Images' list: '$management_node_info->{NOT_STANDALONE}', setting FEDERATED_LINUX_AUTHENTICATION=$user_info->{FEDERATED_LINUX_AUTHENTICATION}");
}
}
+ else {
+ notify($ERRORS{'DEBUG'}, 0, "management node's 'Affiliations Using Federated Authentication for Linux Images' list is empty, setting FEDERATED_LINUX_AUTHENTICATION=$user_info->{FEDERATED_LINUX_AUTHENTICATION}");
+ }
}
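Review bot: `$user_affiliation_name` is interpolated unescaped into the pattern in `grep(/^\s*$user_affiliation_name\s*$/i, @standalone_affiliations)`, so any regex metacharacter in an affiliation name (a `.` or `+`, say) changes what matches, and an undefined name produces a pattern that matches blank entries; a plain case-insensitive comparison, `grep { lc($_) eq lc($user_affiliation_name || '') } @standalone_affiliations`, avoids both and also makes the `\s*` padding redundant given the `[,;\s]+` split. `my $management_node_info = get_management_node_info() || return;` additionally makes get_user_info return nothing when the management node lookup fails, whereas the removed code continued with the default, so every caller of get_user_info now loses the user entirely on that failure and the `$ENV{user_info}` caching further down is skipped; logging a WARNING and leaving FEDERATED_LINUX_AUTHENTICATION at 0 keeps the safe default without that side effect. get_user_info begins and ends outside this hunk.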
# If user's unityid is an email address, use only the first part
@@ -6678,11 +6693,6 @@ EOF
$user_info->{sshpublickeys} = 0;
}
- # For test account only
- if ($user_login_id =~ /vcladmin/) {
- $user_info->{STANDALONE} = 1;
- }
-
#notify($ERRORS{'DEBUG'}, 0, "retrieved info for user '$user_identifier', affiliation: '$affiliation_identifier':\n" . format_data($user_info));
$ENV{user_info}{$user_identifier} = $user_info;
$ENV{user_info}{$user_identifier}{RETRIEVAL_TIME} = time;