From 13094904a649b487b3b084c474d69d9e9cc5d469 Mon Sep 17 00:00:00 2001
From: Michael Davis <michael.davis@cern.ch>
Date: Mon, 25 May 2020 14:20:10 +0200
Subject: [PATCH] [frontend] Allow KRB5 authentication for CLOSEW and PREPARE events
---
 xroot_plugins/XrdSsiCtaRequestMessage.cpp | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/xroot_plugins/XrdSsiCtaRequestMessage.cpp b/xroot_plugins/XrdSsiCtaRequestMessage.cpp
index 767b134a92..a78cbafda0 100644
--- a/xroot_plugins/XrdSsiCtaRequestMessage.cpp
+++ b/xroot_plugins/XrdSsiCtaRequestMessage.cpp
@@ -284,10 +284,21 @@ void RequestMessage::process(const cta::xrd::Request &request, cta::xrd::Respons
 break;
 case Request::kNotification:
- // Validate that instance name in SSS key and instance name in Protocol buffer match
+ // Validate that instance name in key used to authenticate matches instance name in Protocol buffer
 if(m_cliIdentity.username != request.notification().wf().instance().name()) {
- throw PbException("Instance name \"" + request.notification().wf().instance().name() +
- "\" does not match key identifier \"" + m_cliIdentity.username + "\"");
+ // Special case: allow KRB5 authentication for CLOSEW and PREPARE events, to allow operators
+ // to use a command line tool to resubmit failed archive or prepare requests. This is NOT
+ // permitted for DELETE events as we don't want files removed from the catalogue to be left
+ // in the EOS namespace.
+ if(m_protocol == Protocol::KRB5 &&
+ (request.notification().wf().event() == cta::eos::Workflow::CLOSEW ||
+ request.notification().wf().event() == cta::eos::Workflow::PREPARE)) {
+ m_scheduler.authorizeAdmin(m_cliIdentity, m_lc);
+ m_cliIdentity.username = request.notification().wf().instance().name();
+ } else {
+ throw PbException("Instance name \"" + request.notification().wf().instance().name() +
+ "\" does not match key identifier \"" + m_cliIdentity.username + "\"");
+ }
 }
 // Map the Workflow Event to a method
-- GitLab
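Review bot: The KRB5 restriction is enforced only on the mismatch branch, so a Kerberos principal whose name happens to equal the instance name still passes the outer `if(m_cliIdentity.username != ...)` test with no `authorizeAdmin` call and no limit on the event type, DELETE included. Unless the protocol is already checked outside this hunk, the equal-name path should be accepted only for SSS-authenticated clients. Separately, once `authorizeAdmin` succeeds, `m_cliIdentity.username` is overwritten with the instance name taken from the request, so later processing and logging appear to be attributed to the instance and the operator's principal is lost. Keep it first, e.g. `const auto krb5User = m_cliIdentity.username;`, and log it with the instance name and event before the assignment. The enclosing `switch` in `RequestMessage::process` starts and ends outside the hunk.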