diff --git a/xroot_plugins/XrdSsiCtaRequestMessage.cpp b/xroot_plugins/XrdSsiCtaRequestMessage.cpp
index 58abfd49094bc2e60b5757d3a30ffc0ffc93bafb..3bf5260e110044e5dcae466664824c23eef7b2e8 100644
--- a/xroot_plugins/XrdSsiCtaRequestMessage.cpp
+++ b/xroot_plugins/XrdSsiCtaRequestMessage.cpp
@@ -76,6 +76,12 @@ void RequestMessage::process(const cta::xrd::Request &request, cta::xrd::Respons
using namespace cta::xrd;
case Request::kAdmincmd:
+ // Validate that the Kerberos user is an authorized CTA Admin user
+ if(m_protocol != Protocol::KRB5) {
+ throw cta::exception::Exception("[ERROR] Admin commands must be authenticated using the Kerberos 5 protocol.");
+ }
+ m_scheduler.authorizeAdmin(m_cliIdentity, m_lc);
+
// Validate the Protocol Buffer and import options into maps
importOptions(request.admincmd());
diff --git a/xroot_plugins/XrdSsiCtaRequestMessage.hpp b/xroot_plugins/XrdSsiCtaRequestMessage.hpp
index ea60a66030ea2412822539c092929e2d6b8325e3..d005b0e573f0efc41f96a0d107af534ed4e260af 100644
--- a/xroot_plugins/XrdSsiCtaRequestMessage.hpp
+++ b/xroot_plugins/XrdSsiCtaRequestMessage.hpp
@@ -39,6 +39,10 @@ public:
m_lc (service->getLogContext()) {
m_cliIdentity.username = client.name;
m_cliIdentity.host = client.host;
+
+ // Map the client protcol string to an enum value
+ auto proto_it = m_protomap.find(client.prot);
+ m_protocol = proto_it != m_protomap.end() ? proto_it->second : Protocol::OTHER;
}
/*!
@@ -257,12 +261,22 @@ private:
return opt_it != m_option_bool.end() && opt_it->second;
}
+ // Security protocol used to connect
+
+ enum class Protocol { SSS, KRB5, OTHER };
+
+ const std::map<std::string, Protocol> m_protomap = {
+ { "sss", Protocol::SSS },
+ { "krb5", Protocol::KRB5 },
+ };
+
// Member variables
+ Protocol m_protocol; //!< The protocol the client used to connect
+ cta::common::dataStructures::SecurityIdentity m_cliIdentity; //!< Client identity: username/host
cta::catalogue::Catalogue &m_catalogue; //!< Reference to CTA Catalogue
cta::Scheduler &m_scheduler; //!< Reference to CTA Scheduler
cta::log::LogContext m_lc; //!< CTA Log Context
- cta::common::dataStructures::SecurityIdentity m_cliIdentity; //!< The client identity info: username and host
std::map<cta::admin::OptionBoolean::Key, bool> m_option_bool; //!< Boolean options
std::map<cta::admin::OptionUInt64::Key, uint64_t> m_option_uint64; //!< UInt64 options
std::map<cta::admin::OptionString::Key, std::string> m_option_str; //!< String options
diff --git a/xroot_plugins/XrdSsiCtaServiceProvider.cpp b/xroot_plugins/XrdSsiCtaServiceProvider.cpp
index 3558e198b61f7eabdf4100b9b1c3d76ebfc55253..aeed04b59dde0179ca471c345f6944a2ded06ffb 100644
--- a/xroot_plugins/XrdSsiCtaServiceProvider.cpp
+++ b/xroot_plugins/XrdSsiCtaServiceProvider.cpp
@@ -61,6 +61,13 @@ namespace XrdSsiPb {
template<>
bool Service<cta::xrd::Request, cta::xrd::Response, cta::xrd::Alert>::Prepare(XrdSsiErrInfo &eInfo, const XrdSsiResource &resource)
{
+ if(resource.client == nullptr || resource.client->name == nullptr)
+ {
+ eInfo.Set("Service::Prepare(): XRootD client name is not set. "
+ "Possible misconfiguration of the KRB5 or SSS keyfile.", EACCES);
+ return false;
+ }
+
#ifdef XRDSSI_DEBUG
std::cerr << "[DEBUG] Service::Prepare():" << std::endl;
std::cerr << "[DEBUG] Resource name: " << resource.rName << std::endl
@@ -82,14 +89,8 @@ bool Service<cta::xrd::Request, cta::xrd::Response, cta::xrd::Alert>::Prepare(Xr
<< (resource.rOpts & XrdSsiResource::Reusable ? "Resuable " : "")
<< (resource.rOpts & XrdSsiResource::Discard ? "Discard" : "")
<< std::endl;
-#endif
- if(resource.client == nullptr || resource.client->name == nullptr)
- {
- eInfo.Set("Service::Prepare(): XRootD client name is not set. "
- "Possible misconfiguration of the KRB5 or SSS keyfile.", EACCES);
- return false;
- }
-#ifdef XRDSSI_DEBUG
+
+ std::cerr << "[DEBUG] Resource client protocol: " << resource.client->prot << std::endl;
std::cerr << "[DEBUG] Resource client name: " << resource.client->name << std::endl;
#endif