MGM: add support to define ACLs by sss-access keys which are transported via the…

MGM: add support to define ACLs by sss-access keys which are transported via the secentity->endorsements field, e.g.
sys.acl=k:8541b727-5c9a-45a5-9717-d8c6f51d7857:rwx grants rwx access to the specified key when the client is sss-authenticated
parent 98ebe802
......@@ -181,6 +181,9 @@ Mapping::IdMap(const XrdSecEntity* client, const char* env, const char* tident,
vid.name = client->name;
vid.tident = tident;
vid.sudoer = false;
if (vid.prot == "sss") {
vid.key = (client->endorsements?client->endorsements:"");
}
// first map by alias
XrdOucString useralias = client->prot;
useralias += ":";
......
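Review bot: `vid.key` is assigned only inside the `if (vid.prot == "sss")` branch, so for every other protocol it keeps whatever the `vid` object already held; if `vid` can be reused across IdMap calls rather than being freshly constructed (not visible here), the branch needs an `else { vid.key.clear(); }` so a stale key cannot survive a protocol change. The value of `client->endorsements` is also copied verbatim with nothing saying what it carries; I would add `// sss: the endorsements field carries the access-key id that k:<key>:<rights> ACL entries refer to` above the branch. IdMap starts before this hunk.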
......@@ -145,6 +145,7 @@ public:
std::string dn;
std::string geolocation;
std::string app;
std::string key;
bool sudoer;
//--------------------------------------------------------------------------
......
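Review bot: the new `key` member is the only identity field that is protocol-specific, yet it carries no comment saying so; a one-liner such as `// sss access-key id copied from XrdSecEntity::endorsements by Mapping::IdMap; left empty for other protocols` next to the declaration would stop readers from treating it as a general credential. The class header is outside the hunk.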
......@@ -126,6 +126,7 @@ AclHelper::CheckId(const std::string& id)
if ((id.length() > 2) &&
((id.at(0) == 'u' && id.at(1) == ':') ||
(id.at(0) == 'k' && id.at(1) == ':') ||
(id.at(0) == 'g' && id.at(1) == ':'))) {
return (id.find_first_not_of(allowed_chars, 2) == std::string::npos);
}
......
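Review bot: the `k:` case is added here and, with the same three-way prefix comparison, in AclCmd::CheckCorrectId (the later hunk), so the two validators now have to be kept in sync by hand; one shared predicate, e.g. `static bool HasIdPrefix(const std::string& id) { return id.size() > 2 && id[1] == ':' && (id[0] == 'u' || id[0] == 'g' || id[0] == 'k'); }`, would remove the duplication. A short comment that `k:` denotes an sss access-key id would also help readers who only know the u/g forms. CheckId's body starts before this hunk.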
......@@ -166,6 +166,10 @@ Acl::Set(std::string sysacl, std::string useracl,
grp_name_tag += groupname;
grp_name_tag += ":";
std::string ztag = "z:";
std::string keytag = "k:";
keytag += vid.key;
eos_static_debug("%s %s %s %s", usertag.c_str(), grouptag.c_str(),
usr_name_tag.c_str(), grp_name_tag.c_str());
......@@ -192,6 +196,7 @@ Acl::Set(std::string sysacl, std::string useracl,
(!it->compare(0, grouptag.length(), grouptag)) ||
(!it->compare(0, ztag.length(), ztag)) ||
(egroupmatch) ||
(!it->compare(0,keytag.length(), keytag)) ||
(!it->compare(0, usr_name_tag.length(), usr_name_tag)) ||
(!it->compare(0, grp_name_tag.length(), grp_name_tag))) {
std::vector<std::string> entry;
......
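Review bot: `keytag` is built as `"k:" + vid.key` with no trailing `:` and is then matched by prefix on the `compare(0, keytag.length(), keytag)` line of the second hunk, so when `vid.key` is empty (every non-sss client, since IdMap only sets it for sss) `keytag` is just `k:` and every `k:<id>:<rights>` entry in the ACL matches, and with a non-empty key `k:abc` also matches an entry for `k:abcd`. The neighbouring `grp_name_tag += ":";` shows the delimiter the other tags rely on. I would add `keytag += ":";` after `keytag += vid.key;` and guard the match with `(!vid.key.empty() && !it->compare(0, keytag.length(), keytag)) ||`; the debug line could also print `keytag` alongside the other tags. Acl::Set continues outside both hunks.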
......@@ -44,10 +44,10 @@ class Acl
{
public:
static constexpr auto sRegexUsrGenericAcl =
"^(((((u|g):(([0-9]+)|([\\.[:alnum:]_-]+)))|(egroup:([\\.[:alnum:]-]+))):"
"^(((((u|g|k):(([0-9]+)|([\\.[:alnum:]_-]+)))|(egroup:([\\.[:alnum:]-]+))):"
"(a|r|w|wo|x|i|m|!m|!d|[+]d|!u|[+]u|q|c)+)[,]?)*$";
static constexpr auto sRegexSysGenericAcl =
"^(((((u|g):(([0-9]+)|([\\.[:alnum:]_-]+)))|(egroup:([\\.[:alnum:]-]+))|(z)):"
"^(((((u|g|k):(([0-9]+)|([\\.[:alnum:]_-]+)))|(egroup:([\\.[:alnum:]-]+))|(z)):"
"(a|r|w|wo|x|i|m|!m|!d|[+]d|!u|[+]u|q|c|p)+)[,]?)*$";
static constexpr auto sRegexUsrNumericAcl =
"^(((((u|g):(([0-9]+)))|(egroup:([\\.[:alnum:]-]+))):"
......
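Review bot: `k` is added to sRegexUsrGenericAcl and sRegexSysGenericAcl but the numeric variant that starts at `sRegexUsrNumericAcl` (and presumably its Sys counterpart, outside the hunk) still reads `(u|g):`, so if those regexes are applied to an ACL string after uid/gid translation, any `k:` entry would fail validation there; either extend them too or add a comment stating that key entries are only ever checked against the generic forms. Allowing `k:` in the user ACL regex also means a directory owner, not only an admin via sys.acl, can grant rights to an sss key holder; if that is intended it deserves a comment on the constant, since the commit message only mentions sys.acl.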
......@@ -493,6 +493,7 @@ AclCmd::CheckCorrectId(const std::string& id) const
"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-";
if ((id.at(0) == 'u' && id.at(1) == ':') ||
(id.at(0) == 'k' && id.at(1) == ':') ||
(id.at(0) == 'g' && id.at(1) == ':')) {
return id.find_first_not_of(allowed_chars, 2) == std::string::npos;
}
......
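Review bot: `id.at(0)` and `id.at(1)` are evaluated with no length guard visible in the hunk, whereas the equivalent AclHelper::CheckId checks `id.length() > 2` first; if nothing above the hunk checks the size, an empty or one-character id makes `at()` throw std::out_of_range instead of returning false. Note also that `allowed_chars` contains no `.` while the regex constants accept `\\.` in the id, a mismatch that pre-exists for u/g and now applies to key ids as well. CheckCorrectId starts outside the hunk.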
......@@ -109,6 +109,11 @@ ProcCommand::Whoami()
stdOut += " geo-location=";
stdOut += pVid->geolocation.c_str();
}
if (pVid->key.length()) {
stdOut += " key=";
stdOut += pVid->key.c_str();
}
}
return SFS_OK;
......