diff --git a/dali/server/daldap.cpp b/dali/server/daldap.cpp
index c5c6a8f9584..90e97132297 100644
--- a/dali/server/daldap.cpp
+++ b/dali/server/daldap.cpp
@@ -57,23 +57,6 @@ class CDaliLdapConnection: implements IDaliLdapConnection, public CInterface
     unsigned ldapflags;
     IDigitalSignatureManager * pDSM = nullptr;
 
-    void createDefaultScopes()
-    {
-        try {
-            Owned user = ldapsecurity->createUser(nullptr);
-            StringBuffer userTempFileScope(queryDfsXmlBranchName(DXB_Internal));
-            if (ldapsecurity->addResourceEx(RT_FILE_SCOPE, *user, userTempFileScope.str(),PT_ADMINISTRATORS_ONLY, NULL))
-                PROGLOG("LDAP: Created default '%s' scope", userTempFileScope.str());
-            else
-                throw MakeStringException(-1, "Error adding LDAP resource '%s'",userTempFileScope.str());
-        }
-        catch (IException *e) {
-            EXCLOG(e,"LDAP createDefaultScopes");
-            throw;
-        }
-    }
-
-
 public:
     IMPLEMENT_IINTERFACE;
 
@@ -113,7 +96,6 @@ class CDaliLdapConnection: implements IDaliLdapConnection, public CInterface
                 EXCLOG(e,"LDAP server");
                 throw;
             }
-            createDefaultScopes();
         }
     }
 }
diff --git a/system/security/LdapSecurity/ldapconnection.cpp b/system/security/LdapSecurity/ldapconnection.cpp
index 7f86c374cbd..6533dc6451b 100644
--- a/system/security/LdapSecurity/ldapconnection.cpp
+++ b/system/security/LdapSecurity/ldapconnection.cpp
@@ -4258,12 +4258,6 @@ class CLdapClient : implements ILdapClient, public CInterface
                 continue;
             changeUserGroup("delete", username, grp);
         }
-
-        //Remove tempfile scope for this user
-        StringBuffer resName(queryDfsXmlBranchName(DXB_Internal));
-        resName.append("::").append(username);
-        deleteResource(RT_FILE_SCOPE, resName.str(), m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE));
-
         return true;
     }
 
@@ -6281,30 +6275,9 @@ class CLdapClient : implements ILdapClient, public CInterface
                 throw;
             }
         }
-
-        //Add tempfile scope for this user (spill, paused and checkpoint
-        //will be created under this user specific scope)
-        StringBuffer resName(queryDfsXmlBranchName(DXB_Internal));
-        resName.append("::").append(username);
-        Owned resource = new CLdapSecResource(resName.str());
-        if (!addResource(RT_FILE_SCOPE, user, resource, PT_ADMINISTRATORS_AND_USER, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE)))
-        {
-            throw MakeStringException(-1, "Error adding temp file scope %s",resName.str());
-        }
-
         return true;
     }
 
-    bool createUserScope(ISecUser& user)
-    {
-        //Add tempfile scope for given user (spill, paused and checkpoint
-        //files will be created under this user specific scope)
-        StringBuffer resName(queryDfsXmlBranchName(DXB_Internal));
-        resName.append("::").append(user.getName());
-        Owned resource = new CLdapSecResource(resName.str());
-        return addResource(RT_FILE_SCOPE, user, resource, PT_ADMINISTRATORS_AND_USER, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE));
-    }
-
     virtual aindex_t getManagedScopeTree(LDAP* ld, SecResourceType rtype, const char * basedn, IArrayOf& scopes)
     {
         Owned lconn;
diff --git a/system/security/LdapSecurity/ldapconnection.hpp b/system/security/LdapSecurity/ldapconnection.hpp
index ceb179a53ca..51d148e763d 100644
--- a/system/security/LdapSecurity/ldapconnection.hpp
+++ b/system/security/LdapSecurity/ldapconnection.hpp
@@ -318,7 +318,6 @@ interface ILdapClient : extends IInterface
     virtual int countResources(const char* basedn, const char* searchstr, int limit) = 0;
     virtual ILdapConfig* queryConfig() = 0;
     virtual const char* getPasswordStorageScheme() = 0;
-    virtual bool createUserScope(ISecUser& user) = 0;
     virtual aindex_t getManagedScopeTree(LDAP* ld, SecResourceType rtype, const char * basedn, IArrayOf& scopes) = 0;
     virtual SecAccessFlags queryDefaultPermission(ISecUser& user) = 0;
 
diff --git a/system/security/LdapSecurity/ldapsecurity.cpp b/system/security/LdapSecurity/ldapsecurity.cpp
index 96130a9b623..1827c6adc9d 100644
--- a/system/security/LdapSecurity/ldapsecurity.cpp
+++ b/system/security/LdapSecurity/ldapsecurity.cpp
@@ -22,6 +22,7 @@
 #include "authmap.ipp"
 #include "digisign.hpp"
 #include "caching.hpp"
+#include "dautils.hpp"
 
 using namespace cryptohelper;
 
@@ -631,6 +632,7 @@ void CLdapSecManager::init(const char *serviceName, IPropertyTree* cfg)
     m_permissionsCache->setSecManager(this);
     m_passwordExpirationWarningDays = cfg->getPropInt(".//@passwordExpirationWarningDays", 10); //Default to 10 days
     m_checkViewPermissions = cfg->getPropBool(".//@checkViewPermissions", false);
+    m_hpccInternalScope.set(queryDfsXmlBranchName(DXB_Internal)).append("::");//HpccInternal::
 };
 
 
@@ -1014,6 +1016,19 @@ SecAccessFlags CLdapSecManager::authorizeFileScope(ISecUser & user, const char *
     if(filescope == 0 || filescope[0] == '\0')
         return SecAccess_Full;
 
+    //Preprocess "HpccInternal::" scopes, since they are not managed by LDAP
+    //Grant user access to their own hpccinternal:: scope, deny if anything else
+    if(startsWithIgnoreCase(filescope, m_hpccInternalScope.str()))
+    {
+        StringBuffer userName;
+        for (const char * p = &filescope[m_hpccInternalScope.length()]; *p && *p != ':'; p++)//extract scope username
+            userName.append(*p);
+        if(strieq(userName.str(), user.getName()))
+            return SecAccess_Full;
+        PROGLOG("Access denied to scope %s for user %s", filescope, user.getName());
+        return SecAccess_None;
+    }
+
     StringBuffer managedFilescope;
     if(m_permissionsCache->isCacheEnabled() && !m_usercache_off)
     {
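Review bot: The new HpccInternal:: short-circuit in authorizeFileScope grants only the exact owner and returns SecAccess_None to everyone else, which silently drops the administrator access the removed per-user resources carried (they were created with PT_ADMINISTRATORS_AND_USER); unless an administrator or superuser test precedes this block outside the hunk (authorizeFileScope begins before and continues after it), the Dali system user and administrators can no longer read or clean up another user's spill, paused and checkpoint files. The extraction loop also accepts an empty name, so a request for the bare `hpccinternal::` scope compares an empty string against user.getName(); I would reject that case explicitly, `if(userName.length() && strieq(userName.str(), user.getName()))`, and confirm whether user.getName() can be null here, since the behaviour of strieq on a null pointer is not visible in this hunk. Because this decision is now made in code and never consults LDAP or the permissions cache, the `hpccinternal::<user>` resources that earlier releases created in the directory become dead data that is no longer enforced or cleaned up on user deletion; a comment on the block, or a release note, should say so to avoid operators reading those ACLs as authoritative.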
@@ -1510,25 +1525,6 @@ bool CLdapSecManager::getUserInfo(ISecUser& user, const char* infotype)
     return m_ldap_client->getUserInfo(user, infotype);
 }
 
-bool CLdapSecManager::createUserScopes(IEspSecureContext* secureContext)
-{
-    Owned it = getAllUsers(secureContext);
-    it->first();
-    bool rc = true;
-    while(it->isValid())
-    {
-        ISecUser &user = it->get();
-        if (!m_ldap_client->createUserScope(user))
-        {
-            PROGLOG("CLdapSecManager::createUserScopes Error creating user scope for user '%s'", user.getName());
-            rc = false;
-        }
-        it->next();
-    }
-    return rc;
-}
-
-
 aindex_t CLdapSecManager::getManagedScopeTree(SecResourceType rtype, const char * basedn, IArrayOf& scopes, IEspSecureContext* secureContext)
 {
     return m_ldap_client->getManagedScopeTree(nullptr, rtype, basedn, scopes);
diff --git a/system/security/LdapSecurity/ldapsecurity.ipp b/system/security/LdapSecurity/ldapsecurity.ipp
index 6ee0bc1e7cd..fb84a7c5488 100644
--- a/system/security/LdapSecurity/ldapsecurity.ipp
+++ b/system/security/LdapSecurity/ldapsecurity.ipp
@@ -321,6 +321,7 @@ private:
     bool m_checkViewPermissions;
     static const SecFeatureSet s_safeFeatures = SMF_ALL_FEATURES;
     static const SecFeatureSet s_implementedFeatures = s_safeFeatures & ~(SMF_RetrieveUserData | SMF_RemoveResources);
+    StringBuffer m_hpccInternalScope;
 public:
     IMPLEMENT_IINTERFACE
 
@@ -434,7 +435,6 @@ public:
         return m_checkViewPermissions;
     }
 
-    bool createUserScopes(IEspSecureContext* secureContext = nullptr) override;
     aindex_t getManagedScopeTree(SecResourceType rtype, const char * basedn, IArrayOf& scopes, IEspSecureContext* secureContext = nullptr) override;
     SecAccessFlags queryDefaultPermission(ISecUser& user, IEspSecureContext* secureContext = nullptr) override;
     bool clearPermissionsCache(ISecUser &user, IEspSecureContext* secureContext = nullptr) override;
diff --git a/system/security/shared/basesecurity.hpp b/system/security/shared/basesecurity.hpp
index 960718fb6e5..caa70397f6d 100644
--- a/system/security/shared/basesecurity.hpp
+++ b/system/security/shared/basesecurity.hpp
@@ -317,11 +317,6 @@ class CBaseSecurityManager : implements ISecManager, public CInterface
         throwUnexpected();
     }
 
-    bool createUserScopes(IEspSecureContext* secureContext = nullptr) override
-    {
-        throwUnexpected();
-    }
-
     aindex_t getManagedScopeTree(SecResourceType rtype, const char * basedn, IArrayOf& scopes, IEspSecureContext* secureContext = nullptr) override
     {
         throwUnexpected();
diff --git a/system/security/shared/seclib.hpp b/system/security/shared/seclib.hpp
index ed190dd6bf4..d410f874f3a 100644
--- a/system/security/shared/seclib.hpp
+++ b/system/security/shared/seclib.hpp
@@ -461,7 +461,7 @@ static const SecFeatureBit SMF_AuthorizeWorkUnitScope_List = 0x0100000000;
 static const SecFeatureBit SMF_AuthorizeWorkUnitScope_Named = 0x0200000000;
 static const SecFeatureBit SMF_GetDescription = 0x0400000000;
 static const SecFeatureBit SMF_GetPasswordExpirationDays = 0x0800000000;
-static const SecFeatureBit SMF_CreateUserScopes = 0x1000000000;
+//static const SecFeatureBit SMF_CreateUserScopes = 0x1000000000;//feature removed in 9.x
 static const SecFeatureBit SMF_GetManagedScopeTree = 0x2000000000;
 static const SecFeatureBit SMF_QueryDefaultPermission = 0x4000000000;
 static const SecFeatureBit SMF_ClearPermissionsCache = 0x8000000000;
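Review bot: Commenting out SMF_CreateUserScopes removes the name but not necessarily the advertisement: the LDAP manager's s_safeFeatures is SMF_ALL_FEATURES, and if that mask (defined outside this hunk) is a saturated value rather than an OR of the named bits, bit 0x1000000000 will still be reported as implemented to callers compiled against older headers even though no implementation remains. I would keep the bit reserved under an explicit name so it is never reassigned to a new feature, `static const SecFeatureBit SMF_Reserved_CreateUserScopes = 0x1000000000; // createUserScopes removed in 9.x; bit retained so it is never reused`, and add it to the `~(...)` exclusion that builds s_implementedFeatures so the removal is observable at runtime as well as at compile time.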
@@ -511,7 +511,6 @@ interface ISecManager : extends ISecObject
     virtual bool authorizeWorkunitScope(ISecUser & user, ISecResourceList * resources, IEspSecureContext* secureContext = nullptr) = 0;
     virtual const char * getDescription() = 0;
     virtual unsigned getPasswordExpirationWarningDays(IEspSecureContext* secureContext = nullptr) = 0;
-    virtual bool createUserScopes(IEspSecureContext* secureContext = nullptr) = 0;
     virtual aindex_t getManagedScopeTree(SecResourceType rtype, const char * basedn, IArrayOf& scopes, IEspSecureContext* secureContext = nullptr) = 0;
     virtual SecAccessFlags queryDefaultPermission(ISecUser& user, IEspSecureContext* secureContext = nullptr) = 0;
     virtual bool clearPermissionsCache(ISecUser & user, IEspSecureContext* secureContext = nullptr) = 0;
diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt
index 71faad2a68e..22cefa9f137 100644
--- a/tools/CMakeLists.txt
+++ b/tools/CMakeLists.txt
@@ -19,7 +19,6 @@ HPCC_ADD_SUBDIRECTORY (esdlcmd-xml)
 HPCC_ADD_SUBDIRECTORY (esdlcmd)
 HPCC_ADD_SUBDIRECTORY (backupnode "PLATFORM")
 IF (USE_OPENLDAP)
-HPCC_ADD_SUBDIRECTORY (addScopes "PLATFORM")
 HPCC_ADD_SUBDIRECTORY (initldap "PLATFORM")
 ENDIF(USE_OPENLDAP)
 HPCC_ADD_SUBDIRECTORY (combine "PLATFORM")
diff --git a/tools/addScopes/CMakeLists.txt b/tools/addScopes/CMakeLists.txt
deleted file mode 100644
index 6fb5c8b3d23..00000000000
--- a/tools/addScopes/CMakeLists.txt
+++ /dev/null
@@ -1,55 +0,0 @@
-################################################################################
-# HPCC SYSTEMS software Copyright (C) 2012 HPCC Systems®.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-################################################################################
-
-# Component: addScopes
-
-#####################################################
-# Description:
-# ------------
-# Cmake Input File for addScopes
-#####################################################
-
-
-project( addScopes )
-
-set ( SRCS
-    addScopes.cpp
-    ./../../system/security/LdapSecurity/ldaputils.cpp
-    )
-
-include_directories (
-    ./../../system/security/LdapSecurity
-    ./../../system/security/shared
-    ./../../system/jlib
-    ./../../system/include
-    ./../../dali/base
-    ./../../system/mp
-    )
-
-ADD_DEFINITIONS( -D_CONSOLE )
-
-
-HPCC_ADD_EXECUTABLE ( addScopes ${SRCS} )
-install ( TARGETS addScopes RUNTIME DESTINATION ${EXEC_DIR} )
-
-
-
-target_link_libraries ( addScopes
-    jlib
-    LdapSecurity
-    )
-
-
diff --git a/tools/addScopes/addScopes.cpp b/tools/addScopes/addScopes.cpp
deleted file mode 100644
index bddc099ebbc..00000000000
--- a/tools/addScopes/addScopes.cpp
+++ /dev/null
@@ -1,108 +0,0 @@ -/*############################################################################## - - HPCC SYSTEMS software Copyright (C) 2012 HPCC Systems®. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -############################################################################## */ - -#include "seclib.hpp" -#include "ldapsecurity.hpp" -#include "jliball.hpp" -#include "dasess.hpp" - -#ifndef _WIN32 -#include -#endif - -int main(int argc, char* argv[]) -{ - if(argc < 2 || argc > 3) - { - printf("usage: addScopes daliconf.xml [-c]\n"); - printf("\n\tCreates all user-specific LDAP private file scopes 'hpccinternal::'\n\tand grants users access to their scope. The configuration file\n\tdaliconf.xml is the dali configuration file, typically\n\tfound in /var/lib/HPCCSystems/mydali\n\tSpecify -c to make changes immediately visible by clearing permission caches\n\n"); - return -1; - } - - InitModuleObjects(); - - try - { - Owned cfg = createPTreeFromXMLFile(argv[1]); - Owned seccfg = cfg->getPropTree(".//ldapSecurity"); - if(seccfg == NULL) - { - printf("ldapSecurity not found\n"); - return -1; - } -#ifdef _NO_LDAP - printf("System was built with _NO_LDAP\n"); - return -1; -#else - Owned secmgr = newLdapSecManager("addScopes", *LINK(seccfg)); - if(secmgr == NULL) - { - printf("Security manager can't be created\n"); - releaseAtoms(); - return -1; - } - bool ok = secmgr->createUserScopes(); - printf(ok ? 
"User scopes added\n" : "Some scopes not added\n"); - - //Clear permission caches? - if (argc == 3 && 0==stricmp(argv[2], "-c")) - { - //Clear ESP Cache - StringBuffer sysuser; - StringBuffer passbuf; - seccfg->getProp(".//@systemUser", sysuser); - seccfg->getProp(".//@systemPassword", passbuf); - - if (0 == sysuser.length()) - { - printf("Error in configuration file %s - systemUser not specified", argv[1]); - releaseAtoms(); - return -1; - } - - if (0 == passbuf.length()) - { - printf("Error in configuration file %s - systemPassword not specified", argv[1]); - releaseAtoms(); - return -1; - } - - StringBuffer decPwd; - decrypt(decPwd, passbuf.str()); - - //Clear Dali cache - Owned userdesc(createUserDescriptor()); - userdesc->set(sysuser, decPwd); - ok = querySessionManager().clearPermissionsCache(userdesc); - printf(ok ? "Dali Cache cleared\n" : "Error clearing Dali Cache\n"); - } -#endif - } - catch(IException* e) - { - StringBuffer errmsg; - e->errorMessage(errmsg); - printf("%s\n", errmsg.str()); - } - catch(...) - { - printf("Unknown exception\n"); - } - - releaseAtoms(); - return 0; -} diff --git a/tools/addScopes/sourcedoc.xml b/tools/addScopes/sourcedoc.xml deleted file mode 100644 index 59994d81c14..00000000000 --- a/tools/addScopes/sourcedoc.xml +++ /dev/null @@ -1,26 +0,0 @@ - - - -
- tools/addScopes - - - The tools/addScopes directory contains the sources for the tools/addScopes tool. - -