/*
* ! \brief authenticate against HPSS with a kerberos or unix keytab
*/
int authenticate(char *UserName, char *PathToKeytab, char *AuthMech)
{
int rc;
hpss_authn_mech_t hpss_authn_mech = -1;
if (UserName && PathToKeytab && AuthMech) {
if( access( PathToKeytab, F_OK ) != -1 ) {
if ( strcmp(AuthMech, "unix") == 0 ) {
hpss_authn_mech = hpss_authn_mech_unix;
} else if ( strcmp(AuthMech, "krb5") == 0 ) {
hpss_authn_mech = hpss_authn_mech_krb5;
}
if ( hpss_authn_mech == -1 ) {
fprintf(stderr, "Unknown authentication Mech : %s. Valid options are \"krb5\" and \"unix\".\n", AuthMech);
exit(1);
}
rc = hpss_SetLoginCred(UserName, hpss_authn_mech,
hpss_rpc_cred_client,
hpss_rpc_auth_type_keytab,
PathToKeytab);
if (rc != 0) {
fprintf(serverInfo.LogFile,
"hpss_SetLoginCred(): %s\n",
strerror(-rc));
exit(-rc);
}
} else {
fprintf(serverInfo.LogFile, "Cannot read keytab: %s\n",
PathToKeytab);
exit(2);
}
} else {
fprintf(serverInfo.LogFile,
"All of username (-u <username> ), path to keytab (-t "\
"<path to keytab>) and -m <authentication mechnism> "\
"required.\n");
exit(2);
}
return 0;
}
static int
readHPSSconf()
{
int i, j, cos, code = ENOENT;
afs_uint64 value;
struct stat64 tstat;
char tbuffer[256];
char minstr[128];
char maxstr[128];
char tmpstr[128];
static time_t lastVersion = 0;
if (!initialized) {
MUTEX_INIT(&rxosd_hpss_mutex, "rxosd hpss lock", 0, 0);
memset(&info, 0, sizeof(info));
initialized = 1;
}
sprintf(tbuffer, "%s/HPSS.conf", AFSDIR_SERVER_BIN_DIRPATH);
if (stat64(tbuffer, &tstat) == 0) {
code = 0;
#ifdef AFS_AIX53_ENV
if (tstat.st_mtime > lastVersion) {
#else
if (tstat.st_mtim.tv_sec > lastVersion) {
#endif
bufio_p bp = BufioOpen(tbuffer, O_RDONLY, 0);
if (bp) {
while (1) {
j = BufioGets(bp, tbuffer, sizeof(tbuffer));
if (j < 0)
break;
j = sscanf(tbuffer, "COS %u min %s max %s",
&cos, &minstr, &maxstr);
if (j == 3) {
for (i=0; i<MAXCOS; i++) {
if (cos == info[i].cosId)
break;
if (info[i].cosId == 0)
break;
}
if (i<MAXCOS)
code = fillInfo(&info[i], cos, minstr, maxstr);
} else {
j = sscanf(tbuffer, "PRINCIPAL %s", &tmpstr);
if (j == 1) {
strncpy(ourPrincipal, tmpstr, sizeof(ourPrincipal));
ourPrincipal[sizeof(ourPrincipal) -1] = 0; /*just in case */
continue;
}
j = sscanf(tbuffer, "KEYTAB %s", &tmpstr);
if (j == 1) {
strncpy(ourKeytab, tmpstr, sizeof(ourKeytab));
ourKeytab[sizeof(ourKeytab) -1] = 0; /*just in case */
continue;
}
j = sscanf(tbuffer, "PATH %s", &tmpstr);
if (j == 1) {
strncpy(ourPath, tmpstr, sizeof(ourPath));
ourPath[sizeof(ourPath) -1] = 0; /*just in case */
continue;
}
j = sscanf(tbuffer, "LIB %s", &tmpstr);
if (j == 1) {
int k;
for (k=0; k<MAX_HPSS_LIBS; k++) {
if (parms.ourLibs[k] == NULL)
break;
if (strcmp(parms.ourLibs[k], tmpstr) == 0)
goto found;
}
for (k=0; k<MAX_HPSS_LIBS; k++) {
if (parms.ourLibs[k] == NULL) {
parms.ourLibs[k] = malloc(strlen(tmpstr) + 1);
sprintf(parms.ourLibs[k], "%s", tmpstr);
break;
}
}
found:
continue;
}
}
}
BufioClose(bp);
}
if (!code)
#ifdef AFS_AIX53_ENV
lastVersion = tstat.st_mtime;
#else
lastVersion = tstat.st_mtim.tv_sec;
#endif
}
}
return code;
}
static void checkCode(afs_int32 code)
{
/*
* If we get a code of -13 back from HPSS something is wrong with our
* authentication. Try to force e new authentication.
*/
if (code == -13) /* permission */
*(rxosd_var->lastAuth) = 0;
}
/*
* This routine is called by the FiveMinuteCcheck
*/
afs_int32
authenticate_for_hpss(void)
{
afs_int32 code = 0, i;
time_t now = time(0);
static int authenticated = 0;
char *principal;
char *keytab;
code = readHPSSconf();
if (code)
return code;
if (now - *(rxosd_var->lastAuth) > TWENTYDAYS) {
if (authenticated) {
waiting = 1;
while (HPSStransactions > 0) {
CV_WAIT(&auth_cond, &rxosd_hpss_mutex);
}
hpss_ClientAPIReset();
hpss_PurgeLoginCred();
authenticated = 0;
}
principal = &ourPrincipal;
keytab = &ourKeytab;
code = hpss_SetLoginCred(principal, hpss_authn_mech_krb5,
hpss_rpc_cred_client,
hpss_rpc_auth_type_keytab, keytab);
if (!code) {
authenticated = 1;
*(rxosd_var->lastAuth) = now;
}
waiting = 0;
if (waiters)
assert(pthread_cond_broadcast(&auth_cond) == 0);
}
return code;
}
/*
* Authenticate to HPSS.
*/
static globus_result_t
session_auth_to_hpss(session_handle_t * SessionHandle)
{
int uid = -1;
int retval = 0;
char * login_name = NULL;
char * authn_mech = NULL;
char * config_authenticator_str = NULL;
char * actual_authenticator_val = NULL;
globus_result_t result = GLOBUS_SUCCESS;
hpss_rpc_auth_type_t auth_type;
api_config_t api_config;
mode_t old_mask;
GlobusGFSName(__func__);
GlobusGFSHpssDebugEnter();
/* Get the login name of the priviledged user. */
login_name = config_get_login_name(SessionHandle->ConfigHandle);
if (login_name == NULL)
{
result = GlobusGFSErrorGeneric("LoginName missing from config file");
goto cleanup;
}
/* Get the authentication mechanism (unix, krb5, etc) */
authn_mech = config_get_authentication_mech(SessionHandle->ConfigHandle);
if (!authn_mech)
{
result = GlobusGFSErrorGeneric("AuthenticationMech missing from config file");
goto cleanup;
}
/* Get the authenticator. */
config_authenticator_str = config_get_authenticator(SessionHandle->ConfigHandle);
if (!config_authenticator_str)
{
result = GlobusGFSErrorGeneric("Authenticator missing from config file");
goto cleanup;
}
/*
* Get the current HPSS client configuration.
*/
retval = hpss_GetConfiguration(&api_config);
if (retval != 0)
{
result = GlobusGFSErrorSystemError("hpss_GetConfiguration", -retval);
goto cleanup;
}
/* Translate the authentication mechanism. */
retval = hpss_AuthnMechTypeFromString(authn_mech, &api_config.AuthnMech);
if (retval != HPSS_E_NOERROR)
{
result = GlobusGFSErrorGeneric("Bad value for config value AuthenticationMech");
goto cleanup;
}
/* Parse the authenticator. */
retval = hpss_ParseAuthString(config_authenticator_str,
&api_config.AuthnMech,
&auth_type,
(void **)&actual_authenticator_val);
if (retval != HPSS_E_NOERROR)
{
actual_authenticator_val = NULL;
result = GlobusGFSErrorGeneric("Bad value for config value Authenticator");
goto cleanup;
}
/* Now set the current HPSS client configuration. */
api_config.Flags = API_USE_CONFIG;
retval = hpss_SetConfiguration(&api_config);
if (retval != 0)
{
result = GlobusGFSErrorSystemError("hpss_SetConfiguration", -retval);
goto cleanup;
}
/* Now log into HPSS using our configured 'super user' */
retval = hpss_SetLoginCred(login_name,
api_config.AuthnMech,
hpss_rpc_cred_client,
auth_type,
actual_authenticator_val);
if (retval != 0)
{
result = GlobusGFSErrorSystemError("hpss_SetLoginCred", -retval);
goto cleanup;
}
/*
* Now we need to masquerade as this user on our HPSS connection.
*/
/* Get the user's UID. */
result = misc_username_to_uid(SessionHandle->SessionInfo.username, &uid);
if (result != GLOBUS_SUCCESS)
goto cleanup;
/*
* Deterine the current umask.
*/
old_mask = hpss_Umask(0);
hpss_Umask(old_mask);
/*
* Now masquerade as this user. This will lookup uid in our realm and
* set our credential to that user. The lookup is determined by the
* /var/hpss/etc/auth.conf, authz.conf files.
*/
retval = hpss_LoadDefaultThreadState(uid, old_mask, NULL);
if(retval != 0)
{
result = GlobusGFSErrorSystemError("hpss_LoadDefaultThreadState", -retval);
goto cleanup;
}
cleanup:
if (actual_authenticator_val)
free(actual_authenticator_val);
if (result != GLOBUS_SUCCESS)
{
GlobusGFSHpssDebugExitWithError();
return result;
}
GlobusGFSHpssDebugExit();
return GLOBUS_SUCCESS;
}
