/* * ! \brief authenticate against HPSS with a kerberos or unix keytab */ int authenticate(char *UserName, char *PathToKeytab, char *AuthMech) { int rc; hpss_authn_mech_t hpss_authn_mech = -1; if (UserName && PathToKeytab && AuthMech) { if( access( PathToKeytab, F_OK ) != -1 ) { if ( strcmp(AuthMech, "unix") == 0 ) { hpss_authn_mech = hpss_authn_mech_unix; } else if ( strcmp(AuthMech, "krb5") == 0 ) { hpss_authn_mech = hpss_authn_mech_krb5; } if ( hpss_authn_mech == -1 ) { fprintf(stderr, "Unknown authentication Mech : %s. Valid options are \"krb5\" and \"unix\".\n", AuthMech); exit(1); } rc = hpss_SetLoginCred(UserName, hpss_authn_mech, hpss_rpc_cred_client, hpss_rpc_auth_type_keytab, PathToKeytab); if (rc != 0) { fprintf(serverInfo.LogFile, "hpss_SetLoginCred(): %s\n", strerror(-rc)); exit(-rc); } } else { fprintf(serverInfo.LogFile, "Cannot read keytab: %s\n", PathToKeytab); exit(2); } } else { fprintf(serverInfo.LogFile, "All of username (-u <username> ), path to keytab (-t "\ "<path to keytab>) and -m <authentication mechnism> "\ "required.\n"); exit(2); } return 0; }
static int readHPSSconf() { int i, j, cos, code = ENOENT; afs_uint64 value; struct stat64 tstat; char tbuffer[256]; char minstr[128]; char maxstr[128]; char tmpstr[128]; static time_t lastVersion = 0; if (!initialized) { MUTEX_INIT(&rxosd_hpss_mutex, "rxosd hpss lock", 0, 0); memset(&info, 0, sizeof(info)); initialized = 1; } sprintf(tbuffer, "%s/HPSS.conf", AFSDIR_SERVER_BIN_DIRPATH); if (stat64(tbuffer, &tstat) == 0) { code = 0; #ifdef AFS_AIX53_ENV if (tstat.st_mtime > lastVersion) { #else if (tstat.st_mtim.tv_sec > lastVersion) { #endif bufio_p bp = BufioOpen(tbuffer, O_RDONLY, 0); if (bp) { while (1) { j = BufioGets(bp, tbuffer, sizeof(tbuffer)); if (j < 0) break; j = sscanf(tbuffer, "COS %u min %s max %s", &cos, &minstr, &maxstr); if (j == 3) { for (i=0; i<MAXCOS; i++) { if (cos == info[i].cosId) break; if (info[i].cosId == 0) break; } if (i<MAXCOS) code = fillInfo(&info[i], cos, minstr, maxstr); } else { j = sscanf(tbuffer, "PRINCIPAL %s", &tmpstr); if (j == 1) { strncpy(ourPrincipal, tmpstr, sizeof(ourPrincipal)); ourPrincipal[sizeof(ourPrincipal) -1] = 0; /*just in case */ continue; } j = sscanf(tbuffer, "KEYTAB %s", &tmpstr); if (j == 1) { strncpy(ourKeytab, tmpstr, sizeof(ourKeytab)); ourKeytab[sizeof(ourKeytab) -1] = 0; /*just in case */ continue; } j = sscanf(tbuffer, "PATH %s", &tmpstr); if (j == 1) { strncpy(ourPath, tmpstr, sizeof(ourPath)); ourPath[sizeof(ourPath) -1] = 0; /*just in case */ continue; } j = sscanf(tbuffer, "LIB %s", &tmpstr); if (j == 1) { int k; for (k=0; k<MAX_HPSS_LIBS; k++) { if (parms.ourLibs[k] == NULL) break; if (strcmp(parms.ourLibs[k], tmpstr) == 0) goto found; } for (k=0; k<MAX_HPSS_LIBS; k++) { if (parms.ourLibs[k] == NULL) { parms.ourLibs[k] = malloc(strlen(tmpstr) + 1); sprintf(parms.ourLibs[k], "%s", tmpstr); break; } } found: continue; } } } BufioClose(bp); } if (!code) #ifdef AFS_AIX53_ENV lastVersion = tstat.st_mtime; #else lastVersion = tstat.st_mtim.tv_sec; #endif } } return code; } static void checkCode(afs_int32 code) { /* * If we get a code of -13 back from HPSS something is wrong with our * authentication. Try to force e new authentication. */ if (code == -13) /* permission */ *(rxosd_var->lastAuth) = 0; } /* * This routine is called by the FiveMinuteCcheck */ afs_int32 authenticate_for_hpss(void) { afs_int32 code = 0, i; time_t now = time(0); static int authenticated = 0; char *principal; char *keytab; code = readHPSSconf(); if (code) return code; if (now - *(rxosd_var->lastAuth) > TWENTYDAYS) { if (authenticated) { waiting = 1; while (HPSStransactions > 0) { CV_WAIT(&auth_cond, &rxosd_hpss_mutex); } hpss_ClientAPIReset(); hpss_PurgeLoginCred(); authenticated = 0; } principal = &ourPrincipal; keytab = &ourKeytab; code = hpss_SetLoginCred(principal, hpss_authn_mech_krb5, hpss_rpc_cred_client, hpss_rpc_auth_type_keytab, keytab); if (!code) { authenticated = 1; *(rxosd_var->lastAuth) = now; } waiting = 0; if (waiters) assert(pthread_cond_broadcast(&auth_cond) == 0); } return code; }
/* * Authenticate to HPSS. */ static globus_result_t session_auth_to_hpss(session_handle_t * SessionHandle) { int uid = -1; int retval = 0; char * login_name = NULL; char * authn_mech = NULL; char * config_authenticator_str = NULL; char * actual_authenticator_val = NULL; globus_result_t result = GLOBUS_SUCCESS; hpss_rpc_auth_type_t auth_type; api_config_t api_config; mode_t old_mask; GlobusGFSName(__func__); GlobusGFSHpssDebugEnter(); /* Get the login name of the priviledged user. */ login_name = config_get_login_name(SessionHandle->ConfigHandle); if (login_name == NULL) { result = GlobusGFSErrorGeneric("LoginName missing from config file"); goto cleanup; } /* Get the authentication mechanism (unix, krb5, etc) */ authn_mech = config_get_authentication_mech(SessionHandle->ConfigHandle); if (!authn_mech) { result = GlobusGFSErrorGeneric("AuthenticationMech missing from config file"); goto cleanup; } /* Get the authenticator. */ config_authenticator_str = config_get_authenticator(SessionHandle->ConfigHandle); if (!config_authenticator_str) { result = GlobusGFSErrorGeneric("Authenticator missing from config file"); goto cleanup; } /* * Get the current HPSS client configuration. */ retval = hpss_GetConfiguration(&api_config); if (retval != 0) { result = GlobusGFSErrorSystemError("hpss_GetConfiguration", -retval); goto cleanup; } /* Translate the authentication mechanism. */ retval = hpss_AuthnMechTypeFromString(authn_mech, &api_config.AuthnMech); if (retval != HPSS_E_NOERROR) { result = GlobusGFSErrorGeneric("Bad value for config value AuthenticationMech"); goto cleanup; } /* Parse the authenticator. */ retval = hpss_ParseAuthString(config_authenticator_str, &api_config.AuthnMech, &auth_type, (void **)&actual_authenticator_val); if (retval != HPSS_E_NOERROR) { actual_authenticator_val = NULL; result = GlobusGFSErrorGeneric("Bad value for config value Authenticator"); goto cleanup; } /* Now set the current HPSS client configuration. */ api_config.Flags = API_USE_CONFIG; retval = hpss_SetConfiguration(&api_config); if (retval != 0) { result = GlobusGFSErrorSystemError("hpss_SetConfiguration", -retval); goto cleanup; } /* Now log into HPSS using our configured 'super user' */ retval = hpss_SetLoginCred(login_name, api_config.AuthnMech, hpss_rpc_cred_client, auth_type, actual_authenticator_val); if (retval != 0) { result = GlobusGFSErrorSystemError("hpss_SetLoginCred", -retval); goto cleanup; } /* * Now we need to masquerade as this user on our HPSS connection. */ /* Get the user's UID. */ result = misc_username_to_uid(SessionHandle->SessionInfo.username, &uid); if (result != GLOBUS_SUCCESS) goto cleanup; /* * Deterine the current umask. */ old_mask = hpss_Umask(0); hpss_Umask(old_mask); /* * Now masquerade as this user. This will lookup uid in our realm and * set our credential to that user. The lookup is determined by the * /var/hpss/etc/auth.conf, authz.conf files. */ retval = hpss_LoadDefaultThreadState(uid, old_mask, NULL); if(retval != 0) { result = GlobusGFSErrorSystemError("hpss_LoadDefaultThreadState", -retval); goto cleanup; } cleanup: if (actual_authenticator_val) free(actual_authenticator_val); if (result != GLOBUS_SUCCESS) { GlobusGFSHpssDebugExitWithError(); return result; } GlobusGFSHpssDebugExit(); return GLOBUS_SUCCESS; }