WIP: Add user group membership check to decide upstream host - yaml plugin
We are using the sshpiper yaml plugin for our use case, where we are trying to upgrade our parallel filesystem and migrate users from the older version to the newer version. We want to control which login nodes in the cluster the user can SSH to, based on their data migration status. Doing this for each user is not feasible.
A user-facing proxy VM installed with sshpiper is dedicated to deciding the user's target host to log in.
Our idea was to assign users special Unix groups (for example group_A and group_B, based on their migration status) and route their SSH connections to different login nodes according to their group membership. If they are in group_A they are routed to login_node_A, and if they are in group_B they are routed to login_node_B.
To achieve this, we added functionality to the sshpiper yaml plugin so that there is also an option to route users based on group membership.
This PR lets us define a groupname in place of a username in the config file (sshpiperd.yaml), so the yaml plugin can route users based on Unix group membership.
If the username is not defined in the config file, it checks for a groupname and decides the target upstream host from that. If the username is defined, it goes with the target upstream host defined for that user. So the original functionality is still intact, and we have an additional feature to add a groupname in place of a username to the config file when we are dealing with a large number of users.
Example sshpiperd.yaml:

```yaml
version: "1.0"
pipes:
  # username-based routing
  - from:
      - username: "alice"
        authorized_keys: /home/alice/.ssh/authorized_keys
    to:
      host: login002
      username: "alice"
      private_key: /home/alice/.ssh/id_ecdsa
      ignore_hostkey: true
  # groupname-based routing
  # key auth
  - from:
      - groupname: "group_A" # catch all
        authorized_keys: /home/$DOWNSTREAM_USER/.ssh/authorized_keys
    to:
      host: login001
      ignore_hostkey: true
      private_key: /home/$DOWNSTREAM_USER/.ssh/id_ecdsa
  - from:
      - groupname: "group_B" # catch all
        authorized_keys: /home/$DOWNSTREAM_USER/.ssh/authorized_keys
    to:
      host: login002
      ignore_hostkey: true
      private_key: /home/$DOWNSTREAM_USER/.ssh/id_ecdsa
  # Password auth when no key is defined.
  - from:
      - groupname: "group_A"
    to:
      host: login001
      ignore_hostkey: true
  - from:
      - groupname: "group_B"
    to:
      host: login002
      ignore_hostkey: true
```
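The matching rule the description gives (an explicit username entry always wins; group membership is consulted only when no username entry exists, and an unmatched user gets no upstream at all) can be shown as a small stand-alone Go program. This is an added illustration, not code from the PR or from sshpiper itself: the `From`/`To`/`Pipe` types are a hypothetical, trimmed-down model of the yaml plugin's config, `samplePipes` is a constructed copy of the sshpiperd.yaml above, and `groupsOf` shows how the proxy VM could resolve a downstream user's Unix groups with the standard `os/user` package.

```go
package main

import (
	"fmt"
	"os/user"
)

// Hypothetical, trimmed-down shapes of the yaml plugin's from/to entries;
// only the fields this example needs are modelled (no auth material).
type From struct {
	Username  string // exact downstream username, or "" when routing by group
	Groupname string // Unix group name, consulted only when Username is empty
}

type To struct {
	Host string
}

type Pipe struct {
	From []From
	To   To
}

// samplePipes is a constructed config mirroring the sshpiperd.yaml in the PR:
// alice is pinned to login002, group_A goes to login001, group_B to login002.
func samplePipes() []Pipe {
	return []Pipe{
		{From: []From{{Username: "alice"}}, To: To{Host: "login002"}},
		{From: []From{{Groupname: "group_A"}}, To: To{Host: "login001"}},
		{From: []From{{Groupname: "group_B"}}, To: To{Host: "login002"}},
	}
}

// groupsOf resolves the Unix group names of a local account through os/user,
// i.e. what the proxy VM would look up for the downstream user. It is not
// exercised by main() so the program runs on any host without real accounts.
func groupsOf(username string) ([]string, error) {
	u, err := user.Lookup(username)
	if err != nil {
		return nil, err
	}
	ids, err := u.GroupIds()
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(ids))
	for _, id := range ids {
		g, err := user.LookupGroupId(id)
		if err != nil {
			return nil, err
		}
		names = append(names, g.Name)
	}
	return names, nil
}

// selectUpstream applies the precedence described in the PR: a pipe whose
// from-entry names the user explicitly always wins; only when no such pipe
// exists does group membership decide. It returns false when nothing matches,
// so the caller rejects the connection rather than falling back to a default host.
func selectUpstream(pipes []Pipe, username string, groups []string) (To, bool) {
	for _, p := range pipes {
		for _, f := range p.From {
			if f.Username != "" && f.Username == username {
				return p.To, true
			}
		}
	}
	member := make(map[string]bool, len(groups))
	for _, g := range groups {
		member[g] = true
	}
	for _, p := range pipes {
		for _, f := range p.From {
			if f.Username == "" && f.Groupname != "" && member[f.Groupname] {
				return p.To, true
			}
		}
	}
	return To{}, false
}

func main() {
	pipes := samplePipes()
	// Constructed group lists stand in for groupsOf(), so this runs offline.
	for _, c := range []struct {
		user   string
		groups []string
	}{
		{"alice", []string{"group_A"}}, // username entry wins over group_A
		{"bob", []string{"group_A"}},   // routed by group membership
		{"carol", []string{"staff"}},   // no pipe matches: reject
	} {
		to, ok := selectUpstream(pipes, c.user, c.groups)
		fmt.Printf("%s -> host=%q matched=%v\n", c.user, to.Host, ok)
	}
}
```

Two points worth keeping when wiring this into a real plugin: the username passed in must be the account name the proxy authenticated, not a free-form string from the client, because it is also interpolated into the `$DOWNSTREAM_USER` paths; and a user in neither group should be refused rather than silently routed to a catch-all, which is why `selectUpstream` reports a miss instead of returning the first pipe.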
Hi @tg123, looking for some feedback.
rebase plz
I will rebase. I will also fix test cases so they pass the checks for unit tests and E2E.
reopen if needed