Move pam_password configuration to R_GRID_CONFIGURATION
#7274
This change adds a new namespace to the R_GRID_CONFIGURATION table in the database for pam_password. The configuration values which were set in the server_config plugin_configuration/authentication/pam_password stanza are now to be set here. These can be configured with the iadmin set_pam_password_config subcommand and queried using iadmin get_pam_password_config.
Authentication configurations in the database now use grid configurations instead of server_config. These are stored in the database and so incur an additional query whenever they are needed. If the values are invalid, an error is returned, which renders all pam_password and native authentication which uses TTL unusable. The values are updated on each invocation of the database operations to update the temporary passwords.
Adding tests for various invalid configurations. Automated testing is not feasible at the moment because all the settings have to do with password lifetimes, which are currently only measured in hours.
Fix erroneous attempted deletion of password from the catalog when not a temporary password. Also, invalid configurations do not return errors now because the system becomes unusable when we do this. Warnings are logged and we fall back to the default values whenever an invalid configuration is encountered.
Discovered a major issue with the current approach... native and pam_password authentication cannot be distinguished in the auth check database operation because pam_password literally performs native authentication with the randomly generated password. We had some discussion and agreed that the best/least destructive path forward would be to keep the options combined as they have been historically, but make the auth configuration more generic. Instead of namespacing
In the future we may introduce plugin-specific configurations which could be used to override relevant settings in the generic namespace.
These tests are based entirely off of the pam_password equivalents because they should behave in the same way. Tests for password_extend_lifetime have been written but are skipped because that configuration is not supported for native authentication. Tests for password expiration are also being skipped because the minimum TTL we can specify is 1 hour which is not feasible for automated testing.
TTL needs to be converted to seconds before comparing against the min/max password time configurations. clientLogin needs to return a better error message when a failure occurs in rcGetLimitedPassword.
The plugin-specific auth configurations (authentication::pam_password and authentication::native) have been replaced by a general config for all auth schemes. The string in R_GRID_CONFIGURATION is now just "authentication".
Feature

The following pam_password configurations are supported in server_config.json:

These configurations should be moved out of server_config to new rows in R_GRID_CONFIGURATION. This allows for greater support of multiple providers (or HA setups) and will allow authenticating from other servers in a zone in the future.

Additionally, no_extend should be renamed to extend_password_lifetime to remove the negative language and prevent confusion. The setting should only affect the lifetime of the randomly generated password for PAM authentication. It's not meant to extend the lifetime by "less", as it does now:

irods/plugins/database/src/db_plugin.cpp, lines 2020 to 2024 in 34cd4a2

The configuration values should be pulled from server_config.json if available. If not, default values should be used as follows:

This issue is a follow-up to #7098.
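As an added example (not iRODS project code, and not taken from the issue or the commits above), a C++ sketch of the two behaviours the commits describe: reading the "authentication" namespace of R_GRID_CONFIGURATION with a logged warning and fallback to the default on an invalid value instead of an error, and converting a client TTL from hours to seconds before comparing it against the min/max password lifetimes. The option names `password_min_time`, `password_max_time` and `password_extend_lifetime`, the defaults, and the row-to-map shape are assumptions.

```cpp
#include <cstdio>
#include <cstdlib>
#include <map>
#include <string>
// Assumed option names and defaults (in seconds); not taken from the iRODS source.
struct AuthConfig {
    long password_min_time = 121;
    long password_max_time = 1209600;
    bool password_extend_lifetime = true;  // the renamed "no_extend" option
};

// Parse a non-negative integer; false unless the whole string is a number.
static bool parse_long(const std::string& s, long& out) {
    if (s.empty()) return false;
    char* end = nullptr;
    long v = std::strtol(s.c_str(), &end, 10);
    if (*end != '\0' || v < 0) return false;
    out = v;
    return true;
}

// rows: option name -> value from the "authentication" namespace of R_GRID_CONFIGURATION.
// An invalid value logs a warning and keeps the default instead of returning an error.
AuthConfig load_auth_config(const std::map<std::string, std::string>& rows) {
    AuthConfig cfg;
    auto take = [&](const char* key, long& field) {
        auto it = rows.find(key);
        long v = 0;
        if (it == rows.end()) return;  // not configured: keep the default
        if (parse_long(it->second, v)) field = v;
        else std::fprintf(stderr, "warning: invalid %s [%s], using default %ld\n",
                          key, it->second.c_str(), field);
    };
    take("password_min_time", cfg.password_min_time);
    take("password_max_time", cfg.password_max_time);
    auto it = rows.find("password_extend_lifetime");
    if (it != rows.end() && (it->second == "true" || it->second == "false"))
        cfg.password_extend_lifetime = (it->second == "true");
    else if (it != rows.end())
        std::fprintf(stderr, "warning: invalid password_extend_lifetime, using default\n");
    return cfg;
}

// The client supplies the TTL in hours; convert to seconds before the range
// check so it is compared in the same unit as the configured limits.
bool ttl_within_limits(long ttl_hours, const AuthConfig& cfg) {
    const long ttl_seconds = ttl_hours * 3600;
    return ttl_seconds >= cfg.password_min_time && ttl_seconds <= cfg.password_max_time;
}
```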