ssh2: Introduction of admin group ID

Christian Bernardt · Christian Bernardt · commit c0a7264796f7 · 2013-01-04T12:37:04.000Z
This patch allows to take into account the group ID of a user defined in the dcache.kpwd file so that not all users can access the dCache ssh2 admin interface who are in the kpwd file. There is a new property that makes the group configurable. It is admin.group in admin.properties and its default value is 0. Patch: http://rb.dcache.org/r/4714/ Acked-by: Karsten Target: trunk Request: 1.9.12 Request: 2.2 Merge-req:7569 RELEASE NOTES: Admin users' group ID has to be 0 in order to administrate dCache when using the gPlazma2 KPWD plugin for authentication. DOC: The users who shall be enabled to administrate dCache have to have the GID 0 associated in the kpwd file.
diff --git a/modules/dcache/src/main/java/org/dcache/services/ssh2/Ssh2Admin.java b/modules/dcache/src/main/java/org/dcache/services/ssh2/Ssh2Admin.java
@@ -27,14 +27,21 @@
 import org.slf4j.LoggerFactory;
 
 import com.google.common.base.Charsets;
+import com.google.common.base.Joiner;
+import com.google.common.collect.Iterators;
 import com.google.common.io.Files;
 
 import diskCacheV111.util.AuthorizedKeyParser;
 import diskCacheV111.util.CacheException;
 import diskCacheV111.util.PermissionDeniedCacheException;
 import dmg.cells.nucleus.CellEndpoint;
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.Set;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.logging.Level;
+import org.antlr.stringtemplate.language.ArrayIterator;
+import org.dcache.auth.*;
 
 import static org.dcache.util.Files.checkFile;
 
@@ -57,6 +64,7 @@ public class Ssh2Admin implements CellCommandListener, CellMessageSender,
     private String _hostKeyPublic;
     private File _authorizedKeyList;
     private int _port;
+    private int _adminGroupId;
     private CommandFactory _commandFactory;
     private File _historyFile;
     private LoginStrategy _loginStrategy;
@@ -92,6 +100,14 @@ public int getPort() {
         return _port;
     }
 
+    public void setAdminGroupId(int groupId) {
+        _adminGroupId = groupId;
+    }
+
+    public int getAdminGroupId() {
+        return _adminGroupId;
+    }
+
     public String getHostKeyPrivate() {
         return _hostKeyPrivate;
     }
@@ -145,10 +161,23 @@ public boolean kpwdLogin(String userName, String passwd) {
             _log.debug("LoginStrategy: {}, {}", _loginStrategy.getClass(),
                     ((UnionLoginStrategy) _loginStrategy).getLoginStrategies());
             LoginReply loginReply = _loginStrategy.login(subject);
-            _log.debug("LoginReply: {}, name is: {}", loginReply,
-                    Subjects.getDisplayName(loginReply.getSubject()));
-            setServerShellFactory(Subjects.getDisplayName(loginReply.getSubject()));
-            return true;
+            Subject authenticatedSubject = loginReply.getSubject();
+            String authenticatedUsername =  Subjects.getDisplayName(authenticatedSubject);
+            _log.debug("All pricipals returned by login: {}", authenticatedSubject.getPrincipals());
+            if (Subjects.hasGid(authenticatedSubject, _adminGroupId)) {
+                setServerShellFactory(authenticatedUsername);
+                return true;
+            } else {
+
+                long[] userGids = Subjects.getGids(authenticatedSubject);
+                _log.warn("User: " + authenticatedUsername
+                        + " has GID(s): " + Arrays.toString(userGids) + "."
+                        + " In order to have login rights this list should"
+                        + " include GID " + _adminGroupId + ". Add GID "
+                        + _adminGroupId + " to the user's GID list to grant"
+                        + " login rights.");
+                return false;
+            }
         } catch (PermissionDeniedCacheException e) {
             _log.warn("Pwd-based login for user: {} was denied.", userName);
         } catch (CacheException e) {
@@ -180,7 +209,7 @@ private void configureKeyFiles() {
             checkFile(_hostKeyPrivate);
             checkFile(_hostKeyPublic);
         } catch (IOException ex) {
-            throw new RuntimeException("Problem with server ssh host keys, "+ex.getMessage());
+            throw new RuntimeException("Problem with server ssh host keys, " + ex.getMessage());
         }
 
         String[] keyFiles = {_hostKeyPrivate, _hostKeyPublic};
diff --git a/modules/dcache/src/main/resources/org/dcache/services/ssh2/ssh2Admin.xml b/modules/dcache/src/main/resources/org/dcache/services/ssh2/ssh2Admin.xml
@@ -34,5 +34,6 @@
     <property name="authorizedKeyList"  value="${authorizedKeyList}"/>
     <property name="historyFile"    value="${historyFilePath}"/>
     <property name="loginStrategy"      ref="login-strategy"/>
+    <property name="adminGroupId"         value="${adminGroupID}"/>
   </bean>
 </beans>
diff --git a/skel/share/defaults/admin.properties b/skel/share/defaults/admin.properties
@@ -29,6 +29,12 @@ admin/port=${adminPort}
 #  ssh2 Admin port
 admin.ssh2AdminPort=22224
 
+#  ---- Admin group
+#
+#   This property defines the GID of the group containing all users
+#   allowed administrate dCache (via ssh2).
+admin.ssh2.gid=0
+
 #  ---- Admin door history file
 #
 #   The admin door can store a command history in a file. This makes
diff --git a/skel/share/services/admin-ssh2.batch b/skel/share/services/admin-ssh2.batch
@@ -5,6 +5,7 @@ check -strong admin.ssh2AdminPort
 check -strong admin.dsaHostKeyPrivate
 check -strong admin.dsaHostKeyPublic
 check -strong gplazma
+check -strong admin.ssh2.gid
 check admin.authorizedKey2
 
 set context knownUsersFile "${knownUsersFile}"
@@ -42,4 +43,5 @@ create org.dcache.cells.UniversalSpringCell ${cell.nameSsh2} \
      -hostKeyPublic=\"${admin.dsaHostKeyPublic}\" \
      -authorizedKeyList=\"${admin.authorizedKey2}\" \
      -historyFilePath=\"${adminHistoryFile}\" \
+     -adminGroupID=\"${admin.ssh2.gid}\" \
      "
