ban file configuration verification
Dear all,
As discussed in our dCache dev tier 1 meeting, I have followed https://www.dcache.org/manuals/Book-9.2/config-gplazma.shtml to enable the ban.conf file.
The current configuration is:
vi /etc/dcache/gplazma.conf
auth optional x509
auth optional voms
auth optional oidc
map optional gridmap
map optional vorolemap
map sufficient authzdb
map sufficient multimap gplazma.multimap.file=/etc/dcache/multimap.conf
session requisite authzdb
account requisite banfile
And for the ban.conf file:
cat /etc/dcache/ban.conf
alias username=org.dcache.auth.UserNamePrincipal
ban username:cgamboa
ban username:hherde
The configuration works if I only use one username to ban, for example:
cat /etc/dcache/ban.conf
alias username=org.dcache.auth.UserNamePrincipal
ban username:cgamboa
Please see below:
[cgamboa@spool0105 ~]$ gfal-ls davs://dcint-door001.sdcc.bnl.gov:/pnfs/usatlas.bnl.gov/
gfal-ls error: 13 (Permission denied) - Result HTTP 401 : Authentication Error after 1 attempts
[dcint-core001] (local) admin > \s gPlazma@* explain login username:cgamboa
gPlazma@dcint-frontend001Domain:
LOGIN FAIL
| in: UserNamePrincipal[cgamboa]
|
+--AUTH OK
| |
| +--x509 OPTIONAL:FAIL (no X.509 certificate chain) => OK
| |
| +--voms OPTIONAL:FAIL (no X509 certificate chain) => OK
| |
| +--oidc OPTIONAL:FAIL (No bearer token in the credentials) => OK
|
+--MAP OK
| | added: GidPrincipal[31152,primary]
| | UidPrincipal[9102]
| |
| +--vorolemap OPTIONAL:FAIL (no record) => OK
| |
| +--gridmap OPTIONAL:OK => OK
| |
| +--authzdb SUFFICIENT:OK => OK (ends the phase)
| added: GidPrincipal[31152,primary]
| UidPrincipal[9102]
|
+--ACCOUNT FAIL
| |
| +--banfile REQUISITE:FAIL (user banned) => FAIL (ends the phase)
|
+--(SESSION) skipped
|
+--(VALIDATION) skipped
gPlazma@dcint-frontend002Domain:
LOGIN FAIL
| in: UserNamePrincipal[cgamboa]
|
+--AUTH OK
| |
| +--x509 OPTIONAL:FAIL (no X.509 certificate chain) => OK
| |
| +--voms OPTIONAL:FAIL (no X509 certificate chain) => OK
| |
| +--oidc OPTIONAL:FAIL (No bearer token in the credentials) => OK
|
+--MAP OK
| | added: GidPrincipal[31152,primary]
| | UidPrincipal[9102]
| |
| +--gridmap OPTIONAL:OK => OK
| |
| +--vorolemap OPTIONAL:FAIL (no record) => OK
| |
| +--authzdb SUFFICIENT:OK => OK (ends the phase)
| added: GidPrincipal[31152,primary]
| UidPrincipal[9102]
|
+--ACCOUNT FAIL
| |
| +--banfile REQUISITE:FAIL (user banned) => FAIL (ends the phase)
|
+--(SESSION) skipped
|
+--(VALIDATION) skipped
From the door's cache:
[dcint-core001] (local) admin > \s WebDAV-dcint-door001-internalipv6 login dump cache
Max Cache size: 1024
Max Cache time: 10 minutes
Login:
{proxy-chain:"/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=cgamboa/CN=658196/CN=Carlos Fernando Gamboa", origin:2620:0:210:9019::147} => CacheException(rc=10018;msg=login failed)
Map:
ReverseMap:
Now if I add another user to be banned (thanks @DmitryLitvintsev for posting this conf):
cat /etc/dcache/ban.conf
alias username=org.dcache.auth.UserNamePrincipal
ban username:cgamboa
ban username:hherde
Clear the cache:
[dcint-core001] (local) admin > \s WebDAV-dcint-door001-internalipv6 login clear cache
[dcint-core001] (local) admin > \s WebDAV-dcint-door001-internalipv6 login dump cache
Max Cache size: 1024
Max Cache time: 10 minutes
Login:
Map:
ReverseMap:
And
[dcint-core001] (local) admin > \s gPlazma@* explain login username:cgamboa
gPlazma@dcint-frontend001Domain:
LOGIN OK
| in: UserNamePrincipal[cgamboa]
| out: GidPrincipal[31152,primary]
| UserNamePrincipal[cgamboa]
| UidPrincipal[9102]
|
+--AUTH OK
| |
| +--x509 OPTIONAL:FAIL (no X.509 certificate chain) => OK
| |
| +--voms OPTIONAL:FAIL (no X509 certificate chain) => OK
| |
| +--oidc OPTIONAL:FAIL (No bearer token in the credentials) => OK
|
+--MAP OK
| | added: GidPrincipal[31152,primary]
| | UidPrincipal[9102]
| |
| +--vorolemap OPTIONAL:FAIL (no record) => OK
| |
| +--gridmap OPTIONAL:OK => OK
| |
| +--authzdb SUFFICIENT:OK => OK (ends the phase)
| added: GidPrincipal[31152,primary]
| UidPrincipal[9102]
|
+--ACCOUNT OK
| |
| +--banfile REQUISITE:OK => OK
|
+--SESSION OK
| |
| +--authzdb REQUISITE:OK => OK
|
+--VALIDATION OK
gPlazma@dcint-frontend002Domain:
LOGIN OK
| in: UserNamePrincipal[cgamboa]
| out: GidPrincipal[31152,primary]
| UserNamePrincipal[cgamboa]
| UidPrincipal[9102]
|
+--AUTH OK
| |
| +--x509 OPTIONAL:FAIL (no X.509 certificate chain) => OK
| |
| +--voms OPTIONAL:FAIL (no X509 certificate chain) => OK
| |
| +--oidc OPTIONAL:FAIL (No bearer token in the credentials) => OK
|
+--MAP OK
| | added: GidPrincipal[31152,primary]
| | UidPrincipal[9102]
| |
| +--gridmap OPTIONAL:OK => OK
| |
| +--vorolemap OPTIONAL:FAIL (no record) => OK
| |
| +--authzdb SUFFICIENT:OK => OK (ends the phase)
| added: GidPrincipal[31152,primary]
| UidPrincipal[9102]
|
+--ACCOUNT OK
| |
| +--banfile REQUISITE:OK => OK
|
+--SESSION OK
| |
| +--authzdb REQUISITE:OK => OK
|
+--VALIDATION OK
At the end I am able to list again even though the userid is part of the ban.conf file:
[cgamboa@spool0105 ~]$ gfal-ls davs://dcint-door001.sdcc.bnl.gov:/pnfs/usatlas.bnl.gov/
atlasdatadisk
BNLT0D1
cgamboa
data
datadisk
qostape
SRR
testtape
wlcg
I could reproduce this in another instance.
Thank you, Carlos
I think the issue is this:
If the ban file contains more than one entry it fails to work!
Example:
# cat /etc/dcache/ban.conf
alias username=org.dcache.auth.UserNamePrincipal
ban username:dunepro
[fndcaitb3] (gPlazma@gPlazma-fndcaitb3Domain) enstore > \s gPlazma explain login username:dunepro
LOGIN OK
| in: UserNamePrincipal[dunepro]
....
+--ACCOUNT FAIL
| |
| +--banfile REQUISITE:FAIL (user banned) => FAIL (ends the phase)
but if I add another entry:
# cat /etc/dcache/ban.conf
alias username=org.dcache.auth.UserNamePrincipal
ban username:dunepro
ban username:foo
it fails to work:
[fndcaitb3] (gPlazma@gPlazma-fndcaitb3Domain) enstore > \s gPlazma explain login username:dunepro
LOGIN OK
| in: UserNamePrincipal[dunepro]
...
+--ACCOUNT OK
| |
| +--banfile REQUISITE:OK => OK
|
Interestingly:
[fndcaitb3] (gPlazma@gPlazma-fndcaitb3Domain) enstore > \s gPlazma explain login username:foo
LOGIN FAIL
| in: UserNamePrincipal[foo]
...
+--ACCOUNT FAIL
| |
| +--banfile REQUISITE:FAIL (user banned) => FAIL (ends the phase)
|
(so only the last line takes effect)
https://rb.dcache.org/r/14572/
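A small model of the ban.conf format, added here as an illustration (it is not dCache's own parser and does not claim to be the defect fixed in the linked review): the `last_wins` branch reproduces the symptom described above, where only the last `ban` line takes effect, next to the accumulating behaviour an account-phase check needs. The sample file and the `account_phase` helper are constructed for this example.

```python
"""Model of the gPlazma ban.conf format: 'alias NAME=CLASS' and 'ban NAME:VALUE'.

Constructed illustration, not dCache code. last_wins=True mimics the symptom
seen on 9.2.35 (each 'ban' line replaces the previous one); False keeps all.
"""
from __future__ import annotations

# Constructed ban.conf mirroring the example in the thread
BAN_CONF = """\
alias username=org.dcache.auth.UserNamePrincipal
ban username:dunepro
ban username:foo
"""


def parse_ban_conf(text: str, last_wins: bool) -> dict[str, set[str]]:
    """Return {principal class: set of banned values}."""
    aliases: dict[str, str] = {}
    banned: dict[str, set[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        keyword, _, rest = line.partition(" ")
        if keyword == "alias":
            name, sep, cls = rest.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: bad alias {line!r}")
            aliases[name.strip()] = cls.strip()
        elif keyword == "ban":
            kind, sep, value = rest.partition(":")
            if not sep:
                raise ValueError(f"line {lineno}: bad ban {line!r}")
            # The left side is either a declared alias or a full class name
            cls = aliases.get(kind.strip(), kind.strip())
            if last_wins:
                banned = {cls: {value.strip()}}          # faulty: drops earlier bans
            else:
                banned.setdefault(cls, set()).add(value.strip())
        else:
            raise ValueError(f"line {lineno}: unknown keyword {keyword!r}")
    return banned


def account_phase(principals: dict[str, str], banned: dict[str, set[str]]) -> str:
    """Mimic 'banfile REQUISITE': FAIL (user banned) if any principal matches."""
    for cls, value in principals.items():
        if value in banned.get(cls, ()):
            return "FAIL (user banned)"
    return "OK"
```

With the accumulating parser both `dunepro` and `foo` are refused in the ACCOUNT phase; with the last-wins parser only `foo` is, which is exactly the explain output quoted above.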
The dCache version we are on is 9.2.35.
I have applied 9.2.44 where the bug fix is introduced. It seems that this addressed the issue reported here.
There is more than one entry to be banned:
# cat /etc/dcache/ban.conf
alias username=org.dcache.auth.UserNamePrincipal
ban username:hherde
ban username:cgamboa
And it seems to be working:
gPlazma@dcint-frontend001Domain:
LOGIN FAIL
| in: UserNamePrincipal[cgamboa]
|
+--AUTH OK
| |
| +--x509 OPTIONAL:FAIL (no X.509 certificate chain) => OK
| |
| +--voms OPTIONAL:FAIL (no X509 certificate chain) => OK
| |
| +--oidc OPTIONAL:FAIL (No bearer token in the credentials) => OK
|
+--MAP OK
| | added: GidPrincipal[31152,primary]
| | UidPrincipal[9102]
| |
| +--gridmap OPTIONAL:OK => OK
| |
| +--vorolemap OPTIONAL:FAIL (no record) => OK
| |
| +--authzdb SUFFICIENT:OK => OK (ends the phase)
| added: GidPrincipal[31152,primary]
| UidPrincipal[9102]
|
+--ACCOUNT FAIL
| |
| +--banfile REQUISITE:FAIL (user banned) => FAIL (ends the phase)
|
+--(SESSION) skipped
|
+--(VALIDATION) skipped
gPlazma@dcint-frontend002Domain:
LOGIN FAIL
| in: UserNamePrincipal[cgamboa]
|
+--AUTH OK
| |
| +--x509 OPTIONAL:FAIL (no X.509 certificate chain) => OK
| |
| +--voms OPTIONAL:FAIL (no X509 certificate chain) => OK
| |
| +--oidc OPTIONAL:FAIL (No bearer token in the credentials) => OK
|
+--MAP OK
| | added: GidPrincipal[31152,primary]
| | UidPrincipal[9102]
| |
| +--gridmap OPTIONAL:OK => OK
| |
| +--vorolemap OPTIONAL:FAIL (no record) => OK
| |
| +--authzdb SUFFICIENT:OK => OK (ends the phase)
| added: GidPrincipal[31152,primary]
| UidPrincipal[9102]
|
+--ACCOUNT FAIL
| |
| +--banfile REQUISITE:FAIL (user banned) => FAIL (ends the phase)
|
+--(SESSION) skipped
|
+--(VALIDATION) skipped
[cgamboa@dcint-mon01 ~]$ cp /etc/services /pnfs/usatlas.bnl.gov/cgamboa/
cp: cannot create regular file '/pnfs/usatlas.bnl.gov/cgamboa/services': Operation not permitted
thank you very much