
Enable staff to switch users in order to "view as" another user

Open ericfranz opened this issue 5 years ago • 6 comments

This would allow a staff member to either start and connect to a PUN running as another user, or connect to that user's PUN.

This would help staff debug issues.


ericfranz avatar Jul 27 '20 17:07 ericfranz

This would be done at the mapping layer. You would still authenticate as the staff account.

ericfranz avatar Jul 27 '20 18:07 ericfranz

At YCRC, we use a customized user mapping script which allows us to impersonate any user, among other things needed by the center. To "run as" another user, we only need to add one entry to the file /etc/ood/config/map_file with the format:

"admin_account" cluster_user_account

where the admin_account will be the admin's NetID since our OOD is configured with CAS.

Our customized mapping script can be found here.

luop0812 avatar Mar 03 '21 20:03 luop0812

If your site is using the default regex user mapping script from OOD, you can simply modify mod_auth_user.regex with the following changes. Then mod_auth_user.regex will try to map a user using /etc/ood/config/map_file first.

diff /opt/ood/ood_auth_map/bin/ood_auth_map.regex.orig
54,56c54
<     if sys_user =  Helpers.parse_mapfile('/etc/ood/config/map_file', auth_user)
<       puts sys_user
<     elsif sys_user = Helpers.parse_string(auth_user, /#{options[:regex]}/)
---
>     if sys_user = Helpers.parse_string(auth_user, /#{options[:regex]}/)
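Review bot: In the `if` branch on the `<` side, the lookup in the hard-coded /etc/ood/config/map_file runs before the regex for every auth_user, so any entry in that file silently overrides the regex mapping. Since an entry lets one login run as another account, consider logging the auth_user and sys_user pair whenever the map file matches, and checking that the file is root-owned and not group- or world-writable before Helpers.parse_mapfile reads it. The path would also be easier to audit as an option next to options[:regex] than as a literal.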

luop0812 avatar Mar 04 '21 16:03 luop0812
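A sketch of the map-file-then-regex lookup described in the two comments above, added here as an example; it is not YCRC's script or OOD's ood_auth_map code. The function names, the ownership and permission check, the log wording and the sample regex are assumptions made for illustration.

```ruby
require "tempfile"

# One map_file entry, in the format quoted in the thread: "auth_user" sys_user
MAP_LINE = /\A\s*"([^"]+)"\s+([A-Za-z_][A-Za-z0-9_-]*)\s*\z/

# Returns [auth_user, sys_user], or nil for a line that is not a well-formed entry.
def parse_map_line(line)
  m = MAP_LINE.match(line)
  m && [m[1], m[2]]
end

# A map entry lets one login run as another account, so only trust a file
# owned by owner_uid (root by default) that group and other cannot write.
def trusted_map_file?(path, owner_uid)
  st = File.stat(path)
  st.file? && st.uid == owner_uid && (st.mode & 0o022).zero?
rescue Errno::ENOENT
  false
end

# Map file first, then the regex (the order used in the diff above).
# Every map-file hit is logged so "view as" sessions leave an audit trail.
def map_user(auth_user, map_path:, regex:, owner_uid: 0, log: $stderr)
  if trusted_map_file?(map_path, owner_uid)
    File.foreach(map_path) do |line|
      from, to = parse_map_line(line)
      next unless from == auth_user
      log.puts "map_file override: #{auth_user} -> #{to}"
      return to
    end
  elsif File.exist?(map_path)
    log.puts "map_file #{map_path} ignored: wrong owner or group/other writable"
  end
  m = regex.match(auth_user)
  m && m[1]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: staff NetID "ab123" is allowed to run as "student7".
  Tempfile.create("map_file") do |f|
    f.write(%("ab123" student7\n)); f.flush
    File.chmod(0o644, f.path)
    re = /\A([a-z0-9]+)\z/ # constructed regex standing in for options[:regex]
    puts map_user("ab123", map_path: f.path, regex: re, owner_uid: Process.uid)
    puts map_user("cd456", map_path: f.path, regex: re, owner_uid: Process.uid)
  end
end
```

When the map file fails the trust check, the lookup falls back to the regex, so a staff login maps to its own account instead of the override.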

@luop0812 Just fair warning that OnDemand 2.0 removes the ood_auth_map.regex file and replaces it with regex in the Lua Apache module. If you wish to continue using that script once OnDemand 2.0 is released you will just have to maintain your own custom mapping script, which will still be supported. The OnDemand 2.0 release is a ways away so not something to worry about just yet, just more of an FYI for future reference.

treydock avatar Mar 04 '21 17:03 treydock

@treydock As long as OOD continues supporting user custom mapping scripts, we can continue using our own mapping script based on ood_auth_map.regex and ood_auth_map.mapfile, unless the reason for abandoning ood_auth_map.regex is because of security. Could you tell me why OOD is switching to regex in the Lua Apache module?

luop0812 avatar Mar 04 '21 19:03 luop0812

@luop0812 OnDemand 2.0 will still support a custom script for mapping. We removed ood_auth_map.regex in favor of pure Lua regex processing to improve performance but you can still use an external command if you wish, so it's either regex or custom command.

https://github.com/OSC/ondemand/blob/master/ood-portal-generator/lib/ood_portal_generator/view.rb#L31-L32

https://github.com/OSC/ondemand/blob/master/ood-portal-generator/templates/ood-portal.conf.erb#L145-L149

So with 2.0 you'd just set user_map_cmd in ood_portal.yml like you do now and that would keep using your custom mapping script.

treydock avatar Mar 05 '21 15:03 treydock