
Commit c363234d authored by Leigh B Stoller

A couple of fixes for guest users:

1. Do not allow guest users to use anything but the APT cluster. We had
   talked about this a while back, and today it caused a problem:

2. Because a guest tried to use the Mothership (cause of a URN in the
   profile), we had GeniUser lookup confusion. We store guest users in the
   geni-sa geni_users table, but because PROTOGENI_LOCALUSER=1, we end up
   creating a nonlocal account on the Geni path, and that conflicts.
   Changed how we do lookups.
parent 996b90e1
......@@ -92,6 +92,7 @@ my $STITCHER = "$TB/gcf/src/stitcher.py";
my $OPENSSL = "/usr/bin/openssl";
my $MANAGEINSTANCE= "$TB/bin/manage_instance";
my $DEFAULT_URN = "urn:publicid:IDN+${OURDOMAIN}+authority+cm";
my $GUEST_URN = "urn:publicid:IDN+apt.emulab.net+authority+cm";
my $default_aggregate_urn = $DEFAULT_URN;
# un-taint path
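Review bot: `$GUEST_URN` is a hard-coded literal ("urn:publicid:IDN+apt.emulab.net+authority+cm") while the neighbouring `$DEFAULT_URN` is built from `${OURDOMAIN}`; the guest cluster is now a policy value baked into the script rather than site configuration, and the comment block gives no hint of where it comes from. Consider sourcing it from the same configuration mechanism as `$OURDOMAIN` (or at least a one-line comment stating that guests are deliberately pinned to the APT cluster, as the commit message explains), and note that `$default_aggregate_urn` is still initialised to `$DEFAULT_URN` here, so nothing in this hunk redirects a guest who names no aggregate at all.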
......@@ -399,9 +400,14 @@ else {
# In Utah, check for alternate SA
#
if (!defined($geniuser) && $MAINSITE) {
foreach my $urn (@aggregate_urns) {
if ($urn ne $GUEST_URN) {
UserError("Guests are not allowed to use cluster: $urn");
}
}
$user_urn = GeniHRN::Generate("aptlab.net", "user", $user_uid);
$user_hrn = "aptlab.${user_uid}";
$geniuser = GeniUser->Lookup($user_urn, 0);
$geniuser = GeniUser->LookupGuestOnly($user_urn);
}
}
if (!defined($geniuser)) {
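Review bot: the cluster restriction is enforced before the user has been identified as a guest: the loop over `@aggregate_urns` runs as soon as `!defined($geniuser) && $MAINSITE` holds, and the actual `LookupGuestOnly($user_urn)` only happens afterwards, so a caller whose lookup would fail at the following `if (!defined($geniuser))` check gets "Guests are not allowed to use cluster: $urn" instead of the unknown-user error. Suggest doing the lookup first and applying the `$GUEST_URN` check only once `$geniuser` is confirmed to be a guest. Two smaller points: an empty `@aggregate_urns` passes the loop silently, which combined with `$default_aggregate_urn = $DEFAULT_URN` in the earlier hunk would still route the guest to the default (non-APT) cluster unless code outside this hunk substitutes `$GUEST_URN`; and the old `GeniUser->Lookup($user_urn, 0)` call is replaced with no comment at the call site saying why the plain lookup was wrong here (the nonlocal-account creation described in the commit message), which is worth a line for the next reader.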
......
#!/usr/bin/perl -wT
#
# Copyright (c) 2008-2015 University of Utah and the Flux Group.
# Copyright (c) 2008-2016 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
......@@ -260,6 +260,38 @@ sub Stringify($)
return "[GeniUser: $hrn, IDX: $idx]";
}
#
# This lookup is needed to deal with a design choice mistake; we are using
# the geni-sa DB for both portal guest users and for Geni nonlocal users
# (PROTOGENI_LOCALUSER=1). This causes a conflict, the portal guest users
# should be someplace else.
#
sub LookupGuestOnly($$)
{
my ($class, $urn) = @_;
return undef
if (!GeniHRN::IsValid($urn));
my ($authority, $type, $id) = GeniHRN::Parse($urn);
return undef
if ($type ne "user");
my $safe_urn = DBQuoteSpecial($urn);
my $query_result =
DBQueryWarn("SELECT geni_users.idx FROM ".
" geni_users, geni_certificates " .
"WHERE geni_users.uuid = geni_certificates.uuid AND " .
"geni_certificates.urn = $safe_urn;" );
return undef
if (! ($query_result && $query_result->numrows));
my ($idx) = $query_result->fetchrow_array();
return GeniUser->Lookup($idx);
}
#
# Flush from our little cache.
#
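Review bot: the header comment says why `LookupGuestOnly` exists but not what makes it "guest only": the query itself filters only on `geni_certificates.urn`, so the restriction comes entirely from the fact that it ends in `GeniUser->Lookup($idx)` by index, which presumably bypasses the nonlocal-account creation that `Lookup($urn, 0)` performs under `PROTOGENI_LOCALUSER=1`. Please state that explicitly in the comment, since a later change to `Lookup` could silently undo it. Also, the join on `geni_users.uuid = geni_certificates.uuid` can return more than one row if a user has several certificate rows, and `fetchrow_array()` then takes an arbitrary first row; either add `LIMIT 1` with a deterministic `ORDER BY`, or check `numrows == 1` and warn otherwise. The `($$)` prototype is fine for the `GeniUser->LookupGuestOnly($user_urn)` class-method call in the earlier hunk, and `DBQuoteSpecial` on the URN is the right way to keep the query parameter safe.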
......