From 00ef3951514889791a11318124c271309d8b4958 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline@redhat.com>
Date: Fri, 4 Sep 2015 16:01:00 +0200
Subject: [PATCH] check and refresh user auth info upon each request
---
pcs/cluster.py | 2 ++
pcs/utils.py | 2 ++
pcsd/auth.rb | 16 ++++++++++++----
pcsd/test/test_auth.rb | 1 +
4 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/pcs/cluster.py b/pcs/cluster.py
index d2a80a8..5a2128a 100644
--- a/pcs/cluster.py
+++ b/pcs/cluster.py
@@ -235,6 +235,8 @@ def auth_nodes_do(nodes, username, password, force, local):
'local': local,
}
output, retval = utils.run_pcsdcli('auth', pcsd_data)
+ if retval == 0 and output['status'] == 'access_denied':
+ utils.err('Access denied')
if retval == 0 and output['status'] == 'ok' and output['data']:
failed = False
try:
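Review bot: The new `access_denied` test and the existing `'ok'` test on the next line each re-check `retval == 0` and index `output['status']`; nesting both under one `if retval == 0:` with a single `status = output['status']` read keeps the two outcomes visibly mutually exclusive and drops the repeated lookup. Whether `utils.err` terminates the process is not visible here; if it only prints, the `'ok'` branch is still skipped because the status differs, so the order is safe either way. auth_nodes_do continues outside the hunk, so the non-zero retval path could not be reviewed.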
diff --git a/pcs/utils.py b/pcs/utils.py
index c91b50e..757c159 100644
--- a/pcs/utils.py
+++ b/pcs/utils.py
@@ -803,6 +803,8 @@ def call_local_pcsd(argv, interactive_auth=False, std_in=None):
return [['Unable to communicate with pcsd'], 1, '', '']
if output_json['status'] == 'bad_command':
return [['Command not allowed'], 1, '', '']
+ if output_json['status'] == 'access_denied':
+ return [['Access denied'], 1, '', '']
if output_json['status'] != "ok" or not output_json["data"]:
return [['Unable to communicate with pcsd'], 1, '', '']
try:
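Review bot: The new `access_denied` branch is correctly placed ahead of the generic `!= "ok"` fallback, but nothing in call_local_pcsd tells a reader how 'Access denied' differs from 'Command not allowed' on the line above it; a short comment would help, e.g. `# pcsd rejected the caller's identity (its per-request login check failed), not the command itself`. That pcsd emits this status from the isLoggedIn change in this same patch is an inference from the commit subject, so confirm before wording the comment that way. call_local_pcsd continues outside the hunk.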
diff --git a/pcsd/auth.rb b/pcsd/auth.rb
index 22d7868..53712ed 100644
--- a/pcsd/auth.rb
+++ b/pcsd/auth.rb
@@ -19,7 +19,7 @@ class PCSAuth
def self.validUser(username, password, generate_token = false)
$logger.info("Attempting login by '#{username}'")
- if not Rpam.auth(username,password, :service => "pcsd")
+ if not Rpam.auth(username, password, :service => "pcsd")
$logger.info("Failed login by '#{username}' (bad username or password)")
return nil
end
@@ -59,7 +59,7 @@ class PCSAuth
return [true, stdout.join(' ').split(nil)]
end
- def self.isUserAllowedToLogin(username)
+ def self.isUserAllowedToLogin(username, log_success=true)
success, groups = getUsersGroups(username)
if not success
$logger.info(
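Review bot: The new `log_success` parameter on isUserAllowedToLogin is undocumented, and its effect is narrower than the name suggests: the hunk at `@@ -73,7 +73,9 @@` shows it only gates the "Successful login" message, while the failure branch that starts with `$logger.info(` at the end of this hunk still logs on every call. A comment above the definition would make that explicit, e.g. `# log_success: pass false when re-validating an existing session so that "Successful login" is only logged at the actual login; denials are always logged`. The "re-validating an existing session" wording is inferred from the isLoggedIn hunk that calls this with false, so adjust if that is not the only such caller. isUserAllowedToLogin's body continues past the end of this hunk.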
@@ -73,7 +73,9 @@ class PCSAuth
)
return false
end
- $logger.info("Successful login by '#{username}'")
+ if log_success
+ $logger.info("Successful login by '#{username}'")
+ end
return true
end
@@ -131,7 +133,13 @@ class PCSAuth
end
def self.isLoggedIn(session)
- return session[:username] != nil
+ username = session[:username]
+ if (username != nil) and isUserAllowedToLogin(username, false)
+ success, groups = getUsersGroups(username)
+ session[:usergroups] = success ? groups : []
+ return true
+ end
+ return false
end
def self.getSuperuserSession()
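Review bot: isLoggedIn now resolves the user's groups twice per request: `isUserAllowedToLogin(username, false)` calls `getUsersGroups(username)` itself (visible in the `@@ -59,7 +59,7 @@` hunk), and the following line calls it again, and the two results can disagree — if the second call fails, the request proceeds as logged in with `session[:usergroups] = []` even though the first lookup had just succeeded. Having isUserAllowedToLogin return the groups it already fetched (or fetching once here and passing them in) makes one lookup decide both the allow decision and the refreshed group list, and halves the external lookups if getUsersGroups runs a command, as the `stdout.join(' ')` line in the earlier hunk suggests. When the check fails the session still carries `session[:username]`; clearing it and the stale `session[:usergroups]` before `return false` would stop a revoked identity lingering in the session, although returning false is already fail-closed.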
--
1.9.1