* Copyright (c) Members of the EGEE Collaboration. 2004-2010.
* See http://www.eu-egee.org/partners/ for details on the copyright
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* http://www.apache.org/licenses/LICENSE-2.0
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* Oscar Koeroo <okoeroo@nikhef.nl>
 * Mischa Sallé <msalle@nikhef.nl>
* David Groep <davidg@nikhef.nl>
* NIKHEF Amsterdam, the Netherlands
* <grid-mw-security@nikhef.nl>
* Oscar Koeroo <okoeroo@nikhef.nl>
* David Groep <davidg@nikhef.nl>
* NIKHEF Amsterdam, the Netherlands
* Martijn Steenbakkers <martijn@nikhef.nl>
* Gerben Venekamp <venekamp@nikhef.nl>
* Oscar Koeroo <okoeroo@nikhef.nl>
* David Groep <davidg@nikhef.nl>
* NIKHEF Amsterdam, the Netherlands
\page lcmaps_voms_localaccount.mod voms local account plugin
\section vomslocalaccountsyn SYNOPSIS
\b lcmaps_voms_localaccount.mod
[-gridmapfile|-GRIDMAPFILE|-gridmap|-GRIDMAP \<location gridmapfile\>]
\section vomslocalaccountdesc DESCRIPTION
This localaccount acquisition plugin is a 'VOMS-aware' modification of the 'localaccount' plugin.
The plugin tries to find a local account (more specifically a UID) based on the VOMS FQANs of
the user. It first takes the FQANs from its own input arguments (\c fqan_list / \c nfqan); when
the framework did not supply them it falls back to the VOMS credential data that has been stored
by the plugin \ref lcmaps_voms.mod "lcmaps_voms.mod" from the user's grid credential, which must
then have run earlier in the same policy. Without any FQAN no mapping is made and the plugin fails.
It will try to match a VO-GROUP-ROLE combination from the user's grid credential with an entry
in a gridmapfile (most likely the traditional gridmapfile, used by the localaccount and
In this file VO-GROUP-ROLE combinations are listed next to the name of an existing account,
as shown in the following example.
\c "/VO=wilma/GROUP=management" \c wilmamgr
\c "/VO=fred/GROUP=*" \c fredmgr
The FQANs are tried in the order in which they appear in the user's credential, and the first FQAN
for which the gridmapfile holds an entry decides the mapping (wildcards such as \c * in the
gridmapfile entries are honoured). If the first matching VO-GROUP-ROLE combination is
\c "/VO=wilma/GROUP=management" the plugin will map the user to the account wilmamgr.
If the first matching VO-GROUP-ROLE combination is
\c "/VO=fred/GROUP=*" the plugin will map the user to the account fredmgr.
\section vomslocalaccountnote1 NOTE 1
This plugin should only be used in combination with the \e 'voms_localgroup'
and/or \e 'voms_poolgroup' plugins: with \c -use_voms_gid it registers no GIDs at all, so one of
those plugins has to supply the primary GID. Be aware that at debug level 3 the plugin logs the
complete passwd entry of the mapped account, including the \c pw_passwd field; on a system that
keeps password hashes in the passwd file rather than in a shadow file this writes them to the log.
\section vomslocalaccountoptions OPTIONS
\subsection vomslocalaccountoptie1 -GRIDMAPFILE \<gridmapfile\>
See \ref vomslocalaccountoptie4 "-gridmap"
\subsection vomslocalaccountoptie2 -gridmapfile \<gridmapfile\>
See \ref vomslocalaccountoptie4 "-gridmap"
\subsection vomslocalaccountoptie3 -GRIDMAP \<gridmapfile\>
See \ref vomslocalaccountoptie4 "-gridmap"
\subsection vomslocalaccountoptie4 -gridmap \<gridmapfile\>
When this option is set it will override the default path to the gridmapfile.
It is advised to use an absolute path to the gridmapfile to avoid usage of the wrong file(path).
Because the contents of this file decide which local account a VOMS FQAN is mapped to, it must
be writable by the administrator only: at initialisation the plugin merely checks with \c stat()
that the given path exists (initialisation fails otherwise) and does not verify the file's owner
or permissions; the file itself is read later, when a mapping is attempted.
\subsection vomslocalaccountoptie5 -use_voms_gid
When this option is set the LCMAPS system relies on other VOMS plugins such as
\ref lcmaps_voms_localgroup.mod "lcmaps_voms_localgroup.mod" and \ref lcmaps_voms_poolgroup.mod
"lcmaps_voms_poolgroup.mod" to assign a primary GID based on the VOMS attributes contained in the
user proxy instead of taking the default primary GID that comes with the local account.
Without this option the plugin registers the primary GID of the mapped account and the secondary
GIDs it finds for it. The option is also accepted as \c --use-voms-gid and \c --use_voms_gid.
The more selective options \c --add-primary-gid-from-mapped-account,
\c --add-primary-gid-as-secondary-gid-from-mapped-account,
\c --add-secondary-gids-from-mapped-account and \c --do-not-add-primary-gid-from-mapped-account
choose the GIDs individually; \c --use-voms-gid cannot be combined with
\c --add-primary-gid-from-mapped-account, \c --add-secondary-gids-from-mapped-account or
\c --do-not-add-primary-gid-from-mapped-account, and the latter excludes
\c --add-primary-gid-from-mapped-account; such combinations make initialisation fail.
\section vomslocalaccountReturnvalue RETURN VALUES
\li LCMAPS_MOD_SUCCESS : Success
\li LCMAPS_MOD_FAIL : Failure
\section vomslocalaccountErrors ERRORS
See bugzilla for known errors (http://marianne.in2p3.fr/datagrid/bugzilla/)
\section vomslocalaccountSeeAlso SEE ALSO
\ref lcmaps_voms.mod "lcmaps_voms.mod",
\ref lcmaps_voms_poolaccount.mod "lcmaps_voms_poolaccount.mod",
\ref lcmaps_voms_localgroup.mod "lcmaps_voms_localgroup.mod",
\ref lcmaps_voms_poolgroup.mod "lcmaps_voms_poolgroup.mod",
\ref lcmaps_localaccount.mod "lcmaps_localaccount.mod",
\ref lcmaps_poolaccount.mod "lcmaps_poolaccount.mod",
\ref lcmaps_posix_enf.mod "lcmaps_posix_enf.mod",
\ref lcmaps_ldap_enf.mod "lcmaps_ldap_enf.mod",
\file lcmaps_voms_localaccount.c
\brief Interface to the LCMAPS plugins
\author Martijn Steenbakkers for the EU DataGrid.
This file contains the code of the voms_localaccount plugin
-# plugin_initialize()
-# plugin_terminate()
-# plugin_introspect()
/*****************************************************************************
******************************************************************************/
#include <sys/stat.h>
#include "lcmaps_voms_config.h"
#include <lcmaps/lcmaps_modules.h>
#include <lcmaps/lcmaps_arguments.h>
#include <lcmaps/lcmaps_cred_data.h>
#include "lcmaps_gridlist.h"
/******************************************************************************
******************************************************************************/
#define LCMAPS_MAXGIDBUFFER 256
#define PLUGIN_VERIFY 1
/******************************************************************************
Module specific prototypes
******************************************************************************/
static int plugin_run_or_verify(int, lcmaps_argument_t *, int);
/******************************************************************************
Define module specific variables
******************************************************************************/
static char *gridmapfile = NULL;
static int use_voms_gid = 0;
static int do_not_map_primary_gid = 0;
static int add_primary_gid_from_mapped_account = 0;
static int add_primary_gid_as_secondary_gid_from_mapped_account = 0;
static int add_secondary_gids_from_mapped_account = 0;
/******************************************************************************
Function: plugin_initialize
argv[0]: the name of the plugin
    LCMAPS_MOD_SUCCESS : success
LCMAPS_MOD_FAIL : failure
    LCMAPS_MOD_NOFILE : db file not found (will halt LCMAPS initialization); note that a
                        gridmapfile given with -gridmap that cannot be stat()ed is reported
                        as LCMAPS_MOD_FAIL, not as LCMAPS_MOD_NOFILE
******************************************************************************/
int plugin_initialize(
char * logstr = "lcmaps_plugin_voms_localaccount-plugin_initialize()";
lcmaps_log_debug(5,"%s: passed arguments:\n", logstr);
for (i=0; i < argc; i++)
lcmaps_log_debug(5,"%s: arg %d is %s\n", logstr, i, argv[i]);
* the first will be the thing to edit/select (gridmap(file))
* the second will be the path && filename of the gridmapfile
* Parse arguments, argv[0] = name of plugin, so start with i = 1
for (i = 1; i < argc; i++)
if ( ((strcmp(argv[i], "-gridmap") == 0) ||
(strcmp(argv[i], "-GRIDMAP") == 0) ||
(strcmp(argv[i], "-gridmapfile") == 0) ||
(strcmp(argv[i], "-GRIDMAPFILE") == 0))
if ((argv[i + 1] != NULL) && (strlen(argv[i + 1]) > 0))
/* check if the setting exists */
if (stat (argv[i + 1], &s) < 0)
lcmaps_log(LOG_ERR, "%s: Error: grid-mapfile not accessible at \"%s\"\n", logstr, argv[i + 1]);
return LCMAPS_MOD_FAIL;
gridmapfile = strdup(argv[i + 1]);
else if (strcmp(argv[i], "--do-not-add-primary-gid-from-mapped-account") == 0)
do_not_map_primary_gid = 1;
else if (strcmp(argv[i], "--add-primary-gid-from-mapped-account") == 0)
add_primary_gid_from_mapped_account = 1;
else if (strcmp(argv[i], "--add-primary-gid-as-secondary-gid-from-mapped-account") == 0)
add_primary_gid_as_secondary_gid_from_mapped_account = 1;
else if (strcmp(argv[i], "--add-secondary-gids-from-mapped-account") == 0)
add_secondary_gids_from_mapped_account = 1;
else if ((strcmp(argv[i], "--use-voms-gid") == 0) ||
(strcmp(argv[i], "--use_voms_gid") == 0) ||
(strcmp(argv[i], "-use_voms_gid") == 0))
lcmaps_log(LOG_ERR,"%s: Error in initialization parameter: %s (failure)\n", logstr, argv[i]);
return LCMAPS_MOD_FAIL;
/* Post mortum check */
if (do_not_map_primary_gid && add_primary_gid_from_mapped_account)
lcmaps_log(LOG_ERR,"%s: Error: can't set both --do-not-add-primary-gid-from-mapped-account and --add-primary-gid-from-mapped-account\n", logstr);
return LCMAPS_MOD_FAIL;
if (use_voms_gid && do_not_map_primary_gid)
lcmaps_log(LOG_ERR,"%s: Error: can't set both --use-voms-gid and --do-not-add-primary-gid-from-mapped-account\n", logstr);
return LCMAPS_MOD_FAIL;
if (use_voms_gid && add_primary_gid_from_mapped_account)
lcmaps_log(LOG_ERR,"%s: Error: can't set both --use-voms-gid and --add-primary-gid-from-mapped-account\n", logstr);
return LCMAPS_MOD_FAIL;
if (use_voms_gid && add_secondary_gids_from_mapped_account)
lcmaps_log(LOG_ERR,"%s: Error: can't set both --use-voms-gid and --add-secondary-gids-from-mapped-account\n", logstr);
return LCMAPS_MOD_FAIL;
return LCMAPS_MOD_SUCCESS;
/******************************************************************************
Function: plugin_introspect
return list of required arguments
    LCMAPS_MOD_SUCCESS : success
LCMAPS_MOD_FAIL : failure
******************************************************************************/
int plugin_introspect(
lcmaps_argument_t ** argv
char * logstr = "lcmaps_plugin_voms_localaccount-plugin_introspect()";
static lcmaps_argument_t argList[] = {
{"user_dn" , "char *" , 0, NULL},
{"fqan_list" , "char **" , 0, NULL},
{"nfqan" , "int" , 0, NULL},
{NULL , NULL , -1, NULL}
lcmaps_log_debug(4,"%s: introspecting\n", logstr);
*argc = lcmaps_cntArgs(argList);
lcmaps_log_debug(5,"%s: address first argument: 0x%x\n", logstr, argList);
return LCMAPS_MOD_SUCCESS;
/******************************************************************************
Gather credentials for LCMAPS
argc: number of arguments
argv: list of arguments
LCMAPS_MOD_SUCCESS: authorization succeeded
LCMAPS_MOD_FAIL : authorization failed
******************************************************************************/
lcmaps_argument_t * argv
return plugin_run_or_verify(argc, argv, PLUGIN_RUN);
/******************************************************************************
Function: plugin_verify
Verify if user is entitled to use local credentials based on his grid
credentials. This means that the site should already have been set up
by, e.g., LCMAPS in a previous run. This method will not try to setup
account leases, modify (distributed) passwd/group files, etc. etc.
The outcome should be identical to that of plugin_run().
In this particular case "plugin_verify()" is identical to "plugin_run()"
argc: number of arguments
argv: list of arguments
LCMAPS_MOD_SUCCESS: authorization succeeded
LCMAPS_MOD_FAIL : authorization failed
******************************************************************************/
lcmaps_argument_t * argv
return plugin_run_or_verify(argc, argv, PLUGIN_VERIFY);
static int plugin_run_or_verify(
lcmaps_argument_t * argv,
char * logstr = "lcmaps_plugin_voms_localaccount-plugin_run()";
char * username = NULL;
struct passwd *user_info = NULL;
gid_t * sec_gid = NULL;
char ** vo_cred_string_list = NULL;
int cnt_vo_cred_string = 0;
unsigned short matching_type = ((unsigned short)0x0000);
char ** fqan_list = NULL;
if (lcmaps_mode == PLUGIN_RUN)
logstr = "lcmaps_plugin_voms_localaccount-plugin_run()";
else if (lcmaps_mode == PLUGIN_VERIFY)
logstr = "lcmaps_plugin_voms_localaccount-plugin_verify()";
lcmaps_log(LOG_ERR, "lcmaps_plugin_voms_localaccount-plugin_run_or_verify(): attempt to run plugin in invalid mode: %d\n", lcmaps_mode);
goto fail_voms_localaccount;
lcmaps_log_debug(5,"%s:\n", logstr);
* Try to get the ordered values:
if ( ( dn = *(char **) lcmaps_getArgValue("user_dn", "char *", argc, argv) ) )
lcmaps_log_debug(5,"%s: found dn: %s\n", logstr, dn);
/* Check if we don't have a DN already registered, if not, add it to the internal registry */
getCredentialData (DN, &dn_cnt);
lcmaps_log_debug (5, "%s: Adding DN: %s\n", logstr, dn);
addCredentialData(DN, &dn);
lcmaps_log_debug(1,"%s: could not get value of dn !\n", logstr);
* Check the gridmapfile
if ((gridmapfile != NULL) && (strlen(gridmapfile) > 0))
lcmaps_log_debug(3,"%s: gridmapfile is: %s\n", logstr, gridmapfile);
if (gridmapfile) free(gridmapfile);
lcmaps_log_debug(1,"%s: No gridmapfile assigned, so function must find out for it self\n", logstr);
* Get the VO user information.
* We can either order it by lcmaps_argument_t or use the getCredentialData() function.
* The latter case requires the voms parsing plugin (lcmaps_voms.mod) to have run beforehand.
* Unfortunately the formats of the VOMS strings (from getCredentialData()) and
* FQANs (from lcmaps_argument_t) are not the same. We may have to introduce
* two-way conversion functions.
* The VOMS info has to matched against the info in the gridmapfile
lcmaps_log_debug(5,"%s: First try to get the FQAN list from input credential repository ...\n", logstr);
if ( ( nfqan = *(int *) lcmaps_getArgValue("nfqan", "int", argc, argv) ) )
lcmaps_log_debug(5,"%s: the list of FQANs should contain %d elements\n", logstr, nfqan);
if ( ( fqan_list = *(char ***) lcmaps_getArgValue("fqan_list", "char **", argc, argv) ) )
lcmaps_log_debug(5, "%s: found list of FQANs\n", logstr);
lcmaps_log_debug(1, "%s: could not retrieve list of FQANs!\n", logstr);
goto fail_voms_localaccount;
for (i = 0; i < nfqan; i++)
lcmaps_log_debug(3, "%s: FQAN %d: %s\n", logstr, i, fqan_list[i]);
vo_cred_string_list = fqan_list;
cnt_vo_cred_string = nfqan;
lcmaps_log_debug(1,"%s: ... did not find input credentials in input credential repository...\n", logstr);
lcmaps_log_debug(1,"%s: ... trying the internal credential repository ...\n", logstr);
vo_cred_string_list = getCredentialData(LCMAPS_VO_CRED_STRING, &cnt_vo_cred_string);
if (cnt_vo_cred_string == 0)
lcmaps_log(LOG_NOTICE,"%s: no VOMS group info --> no mapping\n", logstr);
goto fail_voms_localaccount;
else if (cnt_vo_cred_string < 0)
lcmaps_log(LOG_ERR,"%s: negative number of VOMS groups found ! (failure)\n", logstr);
goto fail_voms_localaccount;
* Try to match the VO strings with the gridmapfile info
* normally the first available VO string should match
matching_type = MATCH_EXCLUDE|MATCH_WILD_CHARS;
for (i = 0; i < cnt_vo_cred_string; i++)
/* clean username before each call to lcmaps_gridlist */
if (username) free(username);
if ( (rc = lcmaps_gridlist(vo_cred_string_list[i], &username, gridmapfile, matching_type, ".", NULL)) == 0)
lcmaps_log_debug(3,"%s: found username: %s\n", logstr, username);
else if (rc == LCMAPS_MOD_NOFILE)
lcmaps_log(LOG_ERR, "%s: Could not find the gridmapfile %s\n", logstr, gridmapfile);
goto fail_voms_localaccount;
lcmaps_log_debug(1, "%s: no localaccount available for group (%s) in %s\n", logstr, vo_cred_string_list[i], gridmapfile);
lcmaps_log(LOG_WARNING, "%s: Could not find a VOMS localaccount in %s (failure)\n", logstr, gridmapfile);
goto fail_voms_localaccount;
* Get userid to pwd_t structure
if (username && (strlen(username) > 0))
if ( ( user_info = getpwnam(username) ) )
lcmaps_log_debug(5,"%s: address user_info: %p\n", logstr, user_info);
lcmaps_log_debug(3,"%s: username : %s, char ptr: %p, address char ptr: %p\n", logstr, user_info->pw_name, user_info->pw_name, &(user_info->pw_name));
lcmaps_log_debug(3,"%s: password : %s\n", logstr, user_info->pw_passwd);
lcmaps_log_debug(3,"%s: user_id : %d, address uid: %p\n", logstr, user_info->pw_uid, &(user_info->pw_uid));
lcmaps_log_debug(3,"%s: group_id : %d\n", logstr, user_info->pw_gid);
lcmaps_log_debug(3,"%s: realname : %s\n", logstr, user_info->pw_gecos);
lcmaps_log_debug(3,"%s: home dir : %s\n", logstr, user_info->pw_dir);
lcmaps_log_debug(3,"%s: shellprg : %s\n", logstr, user_info->pw_shell);
/* Add this credential data to the credential data repository in the plugin manager */
addCredentialData(UID, &(user_info->pw_uid));
/* Map primary Unix GID from the account info */
if ((!do_not_map_primary_gid) &&
(add_primary_gid_from_mapped_account))
lcmaps_log_debug(4,"%s: adding primary GID (%d) from local account to CredentialData\n", logstr, user_info->pw_gid);
addCredentialData(PRI_GID, &(user_info->pw_gid));
/* Add the primary GID from the mapped account as an secondary GID to the result */
if (add_primary_gid_as_secondary_gid_from_mapped_account)
lcmaps_log_debug(4,"%s: adding primary GID (%d) from local account as a secondary GID to CredentialData\n", logstr, user_info->pw_gid);
addCredentialData(SEC_GID, &(user_info->pw_gid));
/* Add secondary Unix group IDs from the mapped local account */
if (add_secondary_gids_from_mapped_account)
/* Retrieve secondary group id's */
if (lcmaps_get_gidlist(username, &cnt_sec_gid, &sec_gid)==0)
lcmaps_log_debug(4,"%s: adding secondary GIDs (%d) from local account to CredentialData\n", logstr, user_info->pw_gid);
for (i = 0; i < cnt_sec_gid; i++)
addCredentialData(SEC_GID, &(sec_gid[i]));
/* Old and error tolerant setting to set primary and secondary Unix
* IDs from the /etc/{passwd,groups} info */
if (use_voms_gid == 0)
lcmaps_log_debug(4,"%s: adding primary GID (%d) from local account to CredentialData\n", logstr, user_info->pw_gid);
addCredentialData(PRI_GID, &(user_info->pw_gid));
/* Retrieve secondary group id's */
if (lcmaps_get_gidlist(username, &cnt_sec_gid, &sec_gid)==0)
for (i = 0; i < cnt_sec_gid; i++)
addCredentialData(SEC_GID, &(sec_gid[i]));
lcmaps_log(LOG_ERR,"%s: no user account found named \"%s\"\n", logstr, username);
goto fail_voms_localaccount;
{ // error (msg is already given)
goto fail_voms_localaccount;
success_voms_localaccount:
if (username) free(username);
lcmaps_log(LOG_INFO,"%s: voms_localaccount plugin succeeded\n", logstr);
return LCMAPS_MOD_SUCCESS;
fail_voms_localaccount:
if (username) free(username);
lcmaps_log(LOG_INFO,"%s: voms_localaccount plugin failed\n", logstr);
return LCMAPS_MOD_FAIL;
/******************************************************************************
Function: plugin_terminate
    LCMAPS_MOD_SUCCESS : success
LCMAPS_MOD_FAIL : failure
******************************************************************************/
int plugin_terminate()
char * logstr = "lcmaps_plugin_voms_localaccount-plugin_terminate()";
lcmaps_log_debug(4,"%s: terminating\n", logstr);
if (gridmapfile) free(gridmapfile);
return LCMAPS_MOD_SUCCESS;
/******************************************************************************
$Source: /srv/home/dennisvd/svn/mw-security/lcmaps-plugins-voms/src/voms/lcmaps_voms_localaccount.c,v $
$Date: 2010-02-19 06:01:37 $
******************************************************************************/