Commit c363234d authored by Leigh B Stoller's avatar Leigh B Stoller

A couple of fixes for guest users:

1. Do not allow guest users to use anything but the APT cluster. We had
   talked about this a while back, and today it caused a problem:

2. Because a guest tried to use the Mothership (because of a URN in the
   profile), we had GeniUser lookup confusion. We store guest users in the
   geni-sa geni_users table, but because PROTOGENI_LOCALUSER=1, we end up
   creating a nonlocal account on the Geni path, and that conflicts.
   Changed how we do lookups.
parent 996b90e1
......@@ -92,6 +92,7 @@ my $STITCHER = "$TB/gcf/src/stitcher.py";
my $OPENSSL = "/usr/bin/openssl";
my $MANAGEINSTANCE= "$TB/bin/manage_instance";
my $DEFAULT_URN = "urn:publicid:IDN+${OURDOMAIN}+authority+cm";
my $GUEST_URN = "urn:publicid:IDN+apt.emulab.net+authority+cm";
my $default_aggregate_urn = $DEFAULT_URN;
# un-taint path
......@@ -399,9 +400,14 @@ else {
# In Utah, check for alternate SA
#
if (!defined($geniuser) && $MAINSITE) {
foreach my $urn (@aggregate_urns) {
if ($urn ne $GUEST_URN) {
UserError("Guests are not allowed to use cluster: $urn");
}
}
$user_urn = GeniHRN::Generate("aptlab.net", "user", $user_uid);
$user_hrn = "aptlab.${user_uid}";
$geniuser = GeniUser->Lookup($user_urn, 0);
$geniuser = GeniUser->LookupGuestOnly($user_urn);
}
}
if (!defined($geniuser)) {
......
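Review bot: The cluster check at the top of the `if (!defined($geniuser) && $MAINSITE)` branch runs before `LookupGuestOnly` has confirmed that the caller is a guest, so any main-site request that reaches this branch for a user the earlier lookups did not find is rejected with `Guests are not allowed to use cluster: $urn` even if that user is not a guest; if the branch can be reached by non-guests, the loop belongs after a successful `LookupGuestOnly`, otherwise the assumption deserves a comment such as `# Only portal guests reach this branch; restrict them to the APT cluster.` The error text interpolates `$urn`, which comes from the profile, so it relies on `UserError` escaping its argument for whatever channel it writes to. `$GUEST_URN` hard-codes `apt.emulab.net` while `$DEFAULT_URN` is built from `$OURDOMAIN`, which is presumably intended since the check is main-site only, but a one-line comment at its definition saying so would save the next reader the question. The enclosing `else` block begins outside the hunk.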
#!/usr/bin/perl -wT
#
# Copyright (c) 2008-2015 University of Utah and the Flux Group.
# Copyright (c) 2008-2016 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
......@@ -260,6 +260,38 @@ sub Stringify($)
return "[GeniUser: $hrn, IDX: $idx]";
}
#
# This lookup is needed to deal with a design choice mistake; we are using
# the geni-sa DB for both portal guest users and for Geni nonlocal users
# (PROTOGENI_LOCALUSER=1). This causes a conflict, the portal guest users
# should be someplace else.
#
sub LookupGuestOnly($$)
{
my ($class, $urn) = @_;
return undef
if (!GeniHRN::IsValid($urn));
my ($authority, $type, $id) = GeniHRN::Parse($urn);
return undef
if ($type ne "user");
my $safe_urn = DBQuoteSpecial($urn);
my $query_result =
DBQueryWarn("SELECT geni_users.idx FROM ".
" geni_users, geni_certificates " .
"WHERE geni_users.uuid = geni_certificates.uuid AND " .
"geni_certificates.urn = $safe_urn;" );
return undef
if (! ($query_result && $query_result->numrows));
my ($idx) = $query_result->fetchrow_array();
return GeniUser->Lookup($idx);
}
#
# Flush from our little cache.
#
......
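Review bot: The SELECT in `LookupGuestOnly` does not restrict the match to guest accounts; it returns whichever `geni_users` row owns a `geni_certificates` row carrying this URN, so the guest-only behaviour depends on callers passing only portal-guest (aptlab.net) user URNs, and the header comment should say so, e.g. `# Callers must pass a portal-guest user URN; nothing here checks a guest flag.` If `geni_certificates` can hold several rows for one `uuid` (re-issued certificates, which the diff does not show either way), `fetchrow_array` returns an arbitrary one; guarding on `numrows == 1`, or adding an `ORDER BY`/`LIMIT 1` to the query, would make the result deterministic. `$class` is unpacked and then ignored in favour of the hard-coded `GeniUser->Lookup($idx)`; `$class->Lookup($idx)` would keep the call dispatching on the invocant as the unpacking implies. The method also uses `return undef` in four places, which yields a one-element list in list context; `return;` is the usual form, unless the file deliberately uses `return undef` throughout.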