Posted to commits@vcl.apache.org by ar...@apache.org on 2017/06/13 17:55:36 UTC

svn commit: r1798620 - in /vcl/trunk/managementnode/lib/VCL: DataStructure.pm Module/OS/Linux.pm utils.pm

Author: arkurth
Date: Tue Jun 13 17:55:35 2017
New Revision: 1798620

URL: http://svn.apache.org/viewvc?rev=1798620&view=rev
Log:
VCL-887
Updated utils.pm::get_user_info to set a {FEDERATED_LINUX_AUTHENTICATION} key rather than the poorly named {STANDALONE} key. Updated Linux.pm::should_set_user_password to check $user_info->{FEDERATED_LINUX_AUTHENTICATION}.

Removed hard-coded condition in utils.pm::get_user_info which would have set {FEDERATED_LINUX_AUTHENTICATION} = 0 if the user.uid value is greater than 1 million. This was a legacy NCSU-only detail that should have never been committed to Apache.

Removed all references to the user info 'STANDALONE' key.  Removed unused 'user_standalone' and 'management_node_not_standalone' keys from DataStructure.pm.

Cleaned up utils.pm::getpw to align with the rest of the modern code style and naming practices. It was using variables such as $a and $b.

Modified:
    vcl/trunk/managementnode/lib/VCL/DataStructure.pm
    vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm
    vcl/trunk/managementnode/lib/VCL/utils.pm

Modified: vcl/trunk/managementnode/lib/VCL/DataStructure.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/DataStructure.pm?rev=1798620&r1=1798619&r2=1798620&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/DataStructure.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/DataStructure.pm Tue Jun 13 17:55:35 2017
@@ -469,7 +469,6 @@ $SUBROUTINE_MAPPINGS{user_mapprinters} =
 $SUBROUTINE_MAPPINGS{user_mapserial} = '$self->request_data->{user}{mapserial}';
 $SUBROUTINE_MAPPINGS{user_preferred_name} = '$self->request_data->{user}{preferredname}';
 $SUBROUTINE_MAPPINGS{user_showallgroups} = '$self->request_data->{user}{showallgroups}';
-$SUBROUTINE_MAPPINGS{user_standalone} = '$self->request_data->{user}{STANDALONE}';
 $SUBROUTINE_MAPPINGS{user_uid} = '$self->request_data->{user}{uid}';
 #$SUBROUTINE_MAPPINGS{user_unityid} = '$self->request_data->{user}{unityid}';
 $SUBROUTINE_MAPPINGS{user_login_id} = '$self->request_data->{user}{unityid}';
@@ -510,7 +509,6 @@ $SUBROUTINE_MAPPINGS{management_node_pub
 
 $SUBROUTINE_MAPPINGS{management_node_sysadmin_email}	= '$ENV{management_node_info}{SYSADMIN_EMAIL}';
 $SUBROUTINE_MAPPINGS{management_node_shared_email_box} = '$ENV{management_node_info}{SHARED_EMAIL_BOX}';
-$SUBROUTINE_MAPPINGS{management_node_not_standalone} = '$ENV{management_node_info}{NOT_STANDALONE}';
 
 $SUBROUTINE_MAPPINGS{management_node_predictive_module_name} = '$ENV{management_node_info}{predictive_name}';
 $SUBROUTINE_MAPPINGS{management_node_predictive_module_pretty_name} = '$ENV{management_node_info}{predictive_prettyname}';

Modified: vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm?rev=1798620&r1=1798619&r2=1798620&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm Tue Jun 13 17:55:35 2017
@@ -5348,11 +5348,26 @@ sub enable_ip_forwarding {
 
 =head2 should_set_user_password
 
- Parameters  : $user_id
+ Parameters  : $user_id, $no_cache (optional)
  Returns     : boolean
- Description : Determines whether or not a user account's password should be set
-               on the computer being loaded. The "STANDALONE" flag is used to
-               determine this.
+ Description : Determines whether or not a random password should be generated
+					and used for the user account created on the computer being
+					loaded. A random password WILL be used if any of the following
+					are true:
+					* The user.uid value is NOT set in the database for the user
+					* The managementnode.NOT_STANDALONE value is empty
+					* The managementnode.NOT_STANDALONE value is populated but does
+					  NOT match the user's affiliation.name value
+					
+					A federated authentication method such as Kerberos WILL be used
+					and a random password will NOT be generated if:
+					* The user.uid value SI set in the database for the user
+					* The managementnode.NOT_STANDALONE value is populated and
+					  matches the user's affiliation.name value
+					
+					Note: managementnode.NOT_STANDALONE corresponds to the management
+					node's 'Affiliations Using Federated Authentication for Linux
+					Images' setting on the VCL website
 
 =cut
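Review bot: "The user.uid value SI set in the database" in the federated-authentication bullet should read "IS set". The new Description bullets are indented with tabs while the first Description line and the `Parameters`/`Returns` lines keep the POD's leading spaces, so the block renders unevenly; use the same space indentation throughout. `$no_cache` is now listed as a parameter but never described; add a line such as ` $no_cache - if true, the result cached for this user ID is ignored and the value is passed through to get_user_info`.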
 
@@ -5363,27 +5378,42 @@ sub should_set_user_password {
 		return;
 	}
 	
-	my ($user_id) = shift;
+	my ($user_id, $no_cache) = @_;
 	if (!$user_id) {
 		notify($ERRORS{'WARNING'}, 0, "user ID argument was not supplied");
 		return;
 	}
-	
-	my $user_info = get_user_info($user_id);
-	if (!$user_info) {
-		notify($ERRORS{'WARNING'}, 0, "unable to determine if user password should be set, user info could not be retrieved for user ID $user_id");
+	elsif ($user_id !~ /^\d+$/) {
+		notify($ERRORS{'WARNING'}, 0, "invalid user ID argument was supplied, it is not an integer: '$user_id'");
 		return;
 	}
 	
-	my $user_standalone = $user_info->{STANDALONE};
+	if (!$no_cache && defined($self->{set_user_password}) && defined($self->{set_user_password}{$user_id})) {
+		return $self->{set_user_password}{$user_id};
+	}
+	
 	
-	# Generate a reservation password if "standalone" (not using Kerberos authentication)
-	if ($user_standalone) {
-		return 1;
+	my $user_info = get_user_info($user_id, undef, $no_cache);
+	if ($user_info) {
+		my $user_login_id = $user_info->{unityid} || '<undefined>';
+		my $user_affiliation_name = $user_info->{affiliation}{name} || '<undefined>';
+		my $federated_linux_authentication = $user_info->{FEDERATED_LINUX_AUTHENTICATION};
+		
+		# Generate a reservation password if "standalone" (not using Kerberos authentication)
+		if ($federated_linux_authentication) {
+			notify($ERRORS{'DEBUG'}, 0, "random password should NOT be set for user ID $user_id ($user_login_id\@$user_affiliation_name), federated Linux authentication: $federated_linux_authentication");
+			$self->{set_user_password}{$user_id} = 0;
+		}
+		else {
+			notify($ERRORS{'DEBUG'}, 0, "random password SHOULD be set for user ID $user_id ($user_login_id\@$user_affiliation_name), federated Linux authentication: $federated_linux_authentication");
+			$self->{set_user_password}{$user_id} = 1;
+		}
 	}
 	else {
-		return 0;
+		notify($ERRORS{'WARNING'}, 0, "unable to definitively determine if random password should be set for user ID $user_id, user info could not be retrieved, assuming random password SHOULD be set, returning 1");
+		$self->{set_user_password}{$user_id} = 1;
 	}
+	return $self->{set_user_password}{$user_id};
 }
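Review bot: The fallback branch at the end of the hunk stores the "user info could not be retrieved" outcome in `$self->{set_user_password}{$user_id}`, so a transient lookup failure is cached as 1 for the life of the object and every later call without `$no_cache` returns it without retrying; the fail-closed default itself is right, but it should not be memoised, i.e. replace the assignment in the `else` with `return 1;` and leave the cache untouched. The comment `# Generate a reservation password if "standalone" (not using Kerberos authentication)` now sits above `if ($federated_linux_authentication)`, whose true branch is the case where NO password is generated, so it reads inverted; something like `# No random password when the user's affiliation uses federated Linux authentication` matches the branch. `$user_id !~ /^\d+$/` accepts a trailing newline because of `$`; `\A\d+\z` would not. There is also a doubled blank line after the cache check. should_set_user_password begins before this hunk.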
 
 #//////////////////////////////////////////////////////////////////////////////

Modified: vcl/trunk/managementnode/lib/VCL/utils.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/utils.pm?rev=1798620&r1=1798619&r2=1798620&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/utils.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/utils.pm Tue Jun 13 17:55:35 2017
@@ -2312,43 +2312,61 @@ sub notify_via_oascript {
 
 =head2 getpw
 
- Parameters  : length(optional) - if not defined sets to 6
- Returns     : randomized password
- Description : called for standalone accounts and used in randomizing
-               privileged account passwords
+ Parameters  : $password_length (optional), $include_special_characters (optional)
+ Returns     : string 
+ Description : Generates a random password.
 
 =cut
 
 sub getpw {
-
-	my $length = $_[0];
+	my ($password_length, $include_special_characters) = @_;
 	
-	if (!(defined($length))) {
-		$length = $ENV{management_node_info}{USER_PASSWORD_LENGTH};
+	if (!$password_length) {
+		$password_length = $ENV{management_node_info}{USER_PASSWORD_LENGTH} || 8;
 	}
-
-	#If for some reason the global USER_PASSWORD_LENGTH did not get set, then force it here
-	$length = 6 if (!(defined($length)));
-
+	if (!defined($include_special_characters)) {
+		$include_special_characters = $ENV{management_node_info}{INCLUDE_SPECIAL_CHARS};
+	}
+	
 	#Skip certain confusing chars like: iI1lL,0Oo Zz2
-	my @a = ("A" .. "H", "J" .. "N", "P" .. "Y", "a" .. "h", "j" .."n","p" .. "y", "3" .. "9");
-	my @spchars = ("-","_","\!","\%","\#","\$","\@","+","=","{","}","\?");
-
-	my $include_special_chars = $ENV{management_node_info}{INCLUDE_SPECIAL_CHARS};
-
-	my $b;
-	srand;
-	for (1 .. $length) {
-		$b .= $a[rand @a ];
+	my @character_set = (
+		'A' .. 'H',
+		'J' .. 'N',
+		'P' .. 'Y',
+		'a' .. 'h',
+		'j' .. 'n',
+		'p' .. 'y',
+		'3' .. '9',
+	);
+	
+	if ($include_special_characters) {
+		my @special_characters = (
+			'-',
+			'_',
+			'!',
+			'%',
+			'#',
+			'$',
+			'@',
+			'+',
+			'=',
+			'{',
+			'}',
+			'?',
+		);
+		push @character_set, @special_characters;
 	}
-
-	if ($include_special_chars) {
-		$b .= $spchars[rand @spchars];
+	my $character_set_size = (scalar(@character_set));
+	
+	my $password;
+	srand;
+	for (1 .. $password_length) {
+		my $random_index = int(rand($character_set_size));
+		$password .= $character_set[$random_index];
 	}
 
-	return $b;
-
-} ## end sub getpw
+	return $password;
+}
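Review bot: `srand;` followed by `int(rand($character_set_size))` is what picks every character of what the log describes as account passwords, and Perl's built-in `rand` is not a cryptographically secure generator; the indexes should come from a CSPRNG such as the kernel's /dev/urandom (assuming the management node is Linux, as the rest of this module does). Perl 5.14 and later seeds `rand` automatically and perldoc advises against calling `srand` more than once per program, so the bare `srand;` should go in any case. Two behaviour changes are not mentioned in the log: the fallback length moved from 6 to 8, and with `INCLUDE_SPECIAL_CHARS` set a special character is no longer guaranteed (the original appended exactly one; now one merely may appear), which matters if any image's password policy requires one. `!$password_length` also now treats an explicit 0 as "use the default", where the original only substituted for undef.
```perl
	my $character_set_size = scalar(@character_set);

	# Draw each index from the kernel CSPRNG instead of rand(); bytes at or
	# above the largest multiple of the set size are discarded so every
	# character is equally likely (no modulo bias).
	open(my $urandom_fh, '<:raw', '/dev/urandom') or do {
		notify($ERRORS{'WARNING'}, 0, "failed to open /dev/urandom: $!");
		return;
	};
	my $reject_limit = 256 - (256 % $character_set_size);
	my $password = '';
	while (length($password) < $password_length) {
		my $byte;
		if (read($urandom_fh, $byte, 1) != 1) {
			notify($ERRORS{'WARNING'}, 0, "failed to read from /dev/urandom: $!");
			return;
		}
		my $value = ord($byte);
		next if $value >= $reject_limit;
		$password .= $character_set[$value % $character_set_size];
	}
	close($urandom_fh);
	return $password;
```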
 
 #//////////////////////////////////////////////////////////////////////////////
 
@@ -2679,6 +2697,12 @@ sub database_execute {
 		}
 	}
 	
+	#my $sql_warning_count = $statement_handle->{'mysql_warning_count'};
+	#if ($sql_warning_count) {
+	#	my $warnings = $dbh->selectall_arrayref('SHOW WARNINGS');
+	#	notify($ERRORS{'WARNING'}, 0, "warning generated from SQL statement:\n$sql_statement\nwarnings:\n" . format_data($warnings));
+	#}
+	
 	# Get the id of the last inserted record if this is an INSERT statement
 	if ($sql_statement =~ /^\s*insert/i) {
 		my $sql_insertid = $statement_handle->{'mysql_insertid'};
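Review bot: The five lines added at the top of this hunk are commented-out diagnostic code, which leaves the next reader unsure whether the `mysql_warning_count` check is pending, abandoned or intentionally disabled. If it is meant to be enabled later, gate it behind a debug setting or note the tracking issue in a one-line comment; if it was a local debugging aid, drop it from the commit. database_execute begins and ends outside this hunk.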
@@ -4722,9 +4746,6 @@ AND managementnode.id != $management_nod
 	$management_node_info->{SYSADMIN_EMAIL} = $management_node_info->{sysadminEmailAddress};
 	$management_node_info->{SHARED_EMAIL_BOX} = $management_node_info->{sharedMailBox};
 	
-	# Add affiliations that are not to use the standalone passwords
-	$management_node_info->{NOT_STANDALONE} = $management_node_info->{NOT_STANDALONE} || '';
-	
 	# Store the info in $ENV{management_node_info}
 	# Add keys for all of the unique identifiers that may be passed as an argument to this subroutine
 	$ENV{management_node_info}{$management_node_identifier} = $management_node_info;
@@ -6623,6 +6644,7 @@ EOF
 	
 	my $user_id = $user_info->{id};
 	my $user_login_id = $user_info->{unityid};
+	my $user_affiliation_name = $user_info->{affiliation}{name};
 	
 	# Set the user's preferred name to the first name if it isn't defined
 	if (!defined($user_info->{preferredname}) || $user_info->{preferredname} eq '') {
@@ -6633,37 +6655,30 @@ EOF
 	if (!defined($user_info->{IMid})) {
 		$user_info->{IMid} = '';
 	}
-
 	
-	# Affiliation specific changes
-	# Check if the user's affiliation is listed in the management node's NOT_STANDALONE parameter
-	$user_info->{STANDALONE} = 1;
-	
-	# Set the user's UID to the VCL user ID if it's not configured in the database, set STANDALONE = 1
+	$user_info->{FEDERATED_LINUX_AUTHENTICATION} = 0;
 	if (!$user_info->{uid}) {
+		# Set the user's UID to 500 + user.id if it's not configured in the database
 		$user_info->{uid} = ($user_info->{id} + 500);
-		$user_info->{STANDALONE} = 1;
-		notify($ERRORS{'DEBUG'}, 0, "UID value is not configured for user '$user_login_id', setting UID: $user_info->{uid}, standalone: 1");
-	}
-	
-	# Fix the unityid if the user's UID is >= 1,000,000
-	# Remove the domain section if the user's unityid contains @...
-	elsif ($user_info->{uid} >= 1000000) {
-		$user_info->{STANDALONE} = 1;
-		notify($ERRORS{'DEBUG'}, 0, "UID value for user $user_login_id is >= 1000000, standalone: 1");
+		notify($ERRORS{'DEBUG'}, 0, "UID value is not configured for $user_login_id\@$user_affiliation_name, setting UID=$user_info->{uid}, setting FEDERATED_LINUX_AUTHENTICATION=$user_info->{FEDERATED_LINUX_AUTHENTICATION}");
 	}
-	
-	# Check if the user's affiliation is listed in the management node's NOT_STANDALONE list
 	else {
-		my $management_node_info = get_management_node_info();
-		if ($management_node_info) {
-			my $user_affiliation_name = $user_info->{affiliation}{name};
-			my $not_standalone_list = $management_node_info->{NOT_STANDALONE};
-			if (grep(/^$user_affiliation_name$/i, split(/[,;]/, $not_standalone_list))) {
-				notify($ERRORS{'DEBUG'}, 0, "non-standalone affiliation found for user $user_login_id:\nuser affiliation: $user_affiliation_name\nnot standalone list: $not_standalone_list");
-				$user_info->{STANDALONE} = 0;
+		# Check if the user's affiliation is listed in the management node's NOT_STANDALONE list
+		my $management_node_info = get_management_node_info() || return;
+		my $not_standalone_list = $management_node_info->{NOT_STANDALONE} || '';
+		my @standalone_affiliations = split(/[,;\s]+/, $not_standalone_list);
+		if (@standalone_affiliations) {
+			if (grep(/^\s*$user_affiliation_name\s*$/i, @standalone_affiliations)) {
+				$user_info->{FEDERATED_LINUX_AUTHENTICATION} = 1;
+				notify($ERRORS{'DEBUG'}, 0, "affiliation of $user_login_id\@$user_affiliation_name is in management node's 'Affiliations Using Federated Authentication for Linux Images' list: '$management_node_info->{NOT_STANDALONE}', setting FEDERATED_LINUX_AUTHENTICATION=$user_info->{FEDERATED_LINUX_AUTHENTICATION}");
+			}
+			else {
+				notify($ERRORS{'DEBUG'}, 0, "affiliation of $user_login_id\@$user_affiliation_name is NOT in management node's 'Affiliations Using Federated Authentication for Linux Images' list: '$management_node_info->{NOT_STANDALONE}', setting FEDERATED_LINUX_AUTHENTICATION=$user_info->{FEDERATED_LINUX_AUTHENTICATION}");
 			}
 		}
+		else {
+			notify($ERRORS{'DEBUG'}, 0, "management node's 'Affiliations Using Federated Authentication for Linux Images' list is empty, setting FEDERATED_LINUX_AUTHENTICATION=$user_info->{FEDERATED_LINUX_AUTHENTICATION}");
+		}
 	}
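Review bot: `grep(/^\s*$user_affiliation_name\s*$/i, @standalone_affiliations)` interpolates the affiliation name into a pattern unescaped, so any regex metacharacter in an affiliation name is interpreted rather than matched literally, and if the name is undefined (it is read from `$user_info->{affiliation}{name}` in the previous hunk with no check) the pattern degrades to `^\s*\s*$`, which matches the empty leading field that `split` yields for a list beginning with a separator — switching FEDERATED_LINUX_AUTHENTICATION on, and thus no password, for a user with no affiliation at all. A case-insensitive string comparison over non-empty fields avoids both, and the `\s*` padding is redundant once `\s` is already a split separator. Separately, `get_management_node_info() || return;` now aborts get_user_info entirely when the management node lookup fails, although the flag already defaults to 0 a few lines above; a WARNING and fall-through keeps the user info usable while still failing closed. The sub begins before and ends after this hunk.
```perl
	else {
		# Check if the user's affiliation is listed in the management node's NOT_STANDALONE list
		my $management_node_info = get_management_node_info();
		if (!$management_node_info) {
			notify($ERRORS{'WARNING'}, 0, "management node info could not be retrieved, leaving FEDERATED_LINUX_AUTHENTICATION=0 for $user_login_id");
		}
		my $not_standalone_list = ($management_node_info && $management_node_info->{NOT_STANDALONE}) || '';
		# Drop empty fields (leading separators) so an undefined affiliation can never match
		my @standalone_affiliations = grep { length } split(/[,;\s]+/, $not_standalone_list);
		if (@standalone_affiliations) {
			# Compare as strings, not as an interpolated pattern, so metacharacters in names stay literal
			if (defined($user_affiliation_name) && grep { lc($_) eq lc($user_affiliation_name) } @standalone_affiliations) {
				$user_info->{FEDERATED_LINUX_AUTHENTICATION} = 1;
				# … unchanged: DEBUG notify for the matched case …
			}
			# … unchanged: else branch and empty-list branch with their DEBUG notify calls …
		}
	}
```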
 	
 	# If user's unityid is an email address, use only the first part
@@ -6678,11 +6693,6 @@ EOF
 		$user_info->{sshpublickeys} = 0;
 	}
 	
-	# For test account only
-	if ($user_login_id =~ /vcladmin/) {
-		$user_info->{STANDALONE} = 1;
-	}
-	
 	#notify($ERRORS{'DEBUG'}, 0, "retrieved info for user '$user_identifier', affiliation: '$affiliation_identifier':\n" . format_data($user_info));
 	$ENV{user_info}{$user_identifier} = $user_info;
 	$ENV{user_info}{$user_identifier}{RETRIEVAL_TIME} = time;