diff --git a/scheduler/Scheduler.cpp b/scheduler/Scheduler.cpp
index 35709f8f6205134e17e1747a2e84584c42fcb2ad..9b120b926c942d4c1d316cb8fe747a38b3c741f7 100644
--- a/scheduler/Scheduler.cpp
+++ b/scheduler/Scheduler.cpp
@@ -61,6 +61,18 @@ void cta::Scheduler::authorizeAdmin(const cta::common::dataStructures::SecurityI
 }
 }
+//------------------------------------------------------------------------------
+// authorizeInstance
+//------------------------------------------------------------------------------
+void cta::Scheduler::authorizeInstance(const cta::common::dataStructures::SecurityIdentity &cliIdentity){
+// if(!(m_catalogue.isAuthorizedInstance(cliIdentity.username))) {
+ if(!true) {
+ std::stringstream msg;
+ msg << "Instance: " << cliIdentity.username << " on host: " << cliIdentity.host << " is not authorized to execute CTA user commands";
+ throw cta::exception::UserError(msg.str());
+ }
+}
+
 //------------------------------------------------------------------------------
 // queueArchive
 //------------------------------------------------------------------------------
diff --git a/scheduler/Scheduler.hpp b/scheduler/Scheduler.hpp
index 3716c91d1967ab3782f607e25737faf190839edb..bc57329a61137911b97b4efc4eb1601898a481bc 100644
--- a/scheduler/Scheduler.hpp
+++ b/scheduler/Scheduler.hpp
@@ -158,6 +158,8 @@ public:
 virtual std::unique_ptr<TapeMount> getNextMount(const std::string &logicalLibraryName, const std::string &driveName);
 virtual void authorizeAdmin(const cta::common::dataStructures::SecurityIdentity &cliIdentity);
+
+ virtual void authorizeInstance(const cta::common::dataStructures::SecurityIdentity &cliIdentity);
 private:
diff --git a/xroot_plugins/XrdCtaFile.cpp b/xroot_plugins/XrdCtaFile.cpp
index b57fcb47984ec6db1d98f46b6ab30824ef86fe47..dc007d0bc0bac470ea6263d9f24355d6df981b93 100644
--- a/xroot_plugins/XrdCtaFile.cpp
+++ b/xroot_plugins/XrdCtaFile.cpp
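Review bot: In the Scheduler.cpp hunk, `authorizeInstance` can never reject a caller: the catalogue lookup is commented out and the guard is `if(!true)`, so the `UserError` branch is dead code and every identity passed in is treated as an authorized instance. Since this commit routes archive, retrieve, deletearchive and the other user commands through this method, the only effective gate left for them is the `sss` protocol check in XrdCtaFile. I would either restore the real test, `if(!m_catalogue.isAuthorizedInstance(cliIdentity.username)) {` (assuming that catalogue method exists; the hunk only shows it commented out), or fail closed until it does, and in the meantime add `// TODO: placeholder, authorizes every instance until the catalogue check is wired in` so the stub is not mistaken for a working check. The new declaration in Scheduler.hpp would also benefit from a doc comment stating what it throws.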
@@ -115,14 +115,20 @@ int XrdCtaFile::logRequestAndSetCmdlineResult(const cta::common::dataStructures:
 // authorizeAdmin
 //------------------------------------------------------------------------------
 void XrdCtaFile::authorizeAdmin(){
+ if(m_protocol!="krb5") {
+ throw cta::exception::Exception(std::string("[ERROR] Admin commands are possible only through Kerberos 5 protocol authentication. Protocol used for this connection: ")+m_protocol);
+ }
 m_scheduler->authorizeAdmin(m_cliIdentity);
 }
 //------------------------------------------------------------------------------
 // authorizeUser
 //------------------------------------------------------------------------------
-void XrdCtaFile::authorizeUser(){
-
+void XrdCtaFile::authorizeInstance(){
+ if(m_protocol!="sss") {
+ throw cta::exception::Exception(std::string("[ERROR] User commands are possible only through Simple Shared Secret protocol authentication. Protocol used for this connection: ")+m_protocol);
+ }
+ m_scheduler->authorizeInstance(m_cliIdentity);
 }
 //------------------------------------------------------------------------------
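Review bot: The banner above `XrdCtaFile::authorizeInstance` still reads `// authorizeUser` (an unchanged context line), so it should become `// authorizeInstance` along with the rename. Both new protocol guards throw the generic `cta::exception::Exception`, whereas the scheduler-level denials throw `cta::exception::UserError`; the catch site is not in this hunk, so it is worth confirming that a protocol rejection is reported to the client as a denial and logged, rather than being handled as an internal failure. The literals `"krb5"` and `"sss"` are compared inline; named constants would keep these two checks and any later ones from drifting apart.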
@@ -156,13 +162,13 @@ void XrdCtaFile::dispatchCommand() {
 else if("lpr" == command || "listpendingretrieves" == command) {authorizeAdmin(); xCom_listpendingretrieves();}
 else if("lds" == command || "listdrivestates" == command) {authorizeAdmin(); xCom_listdrivestates();}
- else if("a" == command || "archive" == command) {authorizeUser(); xCom_archive();}
- else if("r" == command || "retrieve" == command) {authorizeUser(); xCom_retrieve();}
- else if("da" == command || "deletearchive" == command) {authorizeUser(); xCom_deletearchive();}
- else if("cr" == command || "cancelretrieve" == command) {authorizeUser(); xCom_cancelretrieve();}
- else if("ufi" == command || "updatefileinfo" == command) {authorizeUser(); xCom_updatefileinfo();}
- else if("ufsc" == command || "updatefilestorageclass" == command) {authorizeUser(); xCom_updatefilestorageclass();}
- else if("lsc" == command || "liststorageclass" == command) {authorizeUser(); xCom_liststorageclass();}
+ else if("a" == command || "archive" == command) {authorizeInstance(); xCom_archive();}
+ else if("r" == command || "retrieve" == command) {authorizeInstance(); xCom_retrieve();}
+ else if("da" == command || "deletearchive" == command) {authorizeInstance(); xCom_deletearchive();}
+ else if("cr" == command || "cancelretrieve" == command) {authorizeInstance(); xCom_cancelretrieve();}
+ else if("ufi" == command || "updatefileinfo" == command) {authorizeInstance(); xCom_updatefileinfo();}
+ else if("ufsc" == command || "updatefilestorageclass" == command) {authorizeInstance(); xCom_updatefilestorageclass();}
+ else if("lsc" == command || "liststorageclass" == command) {authorizeInstance(); xCom_liststorageclass();}
 else {
 throw cta::exception::UserError(getGenericHelp(m_requestTokens.at(0)));
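Review bot: Authorization in `dispatchCommand` is opt-in per branch: each `else if` has to remember to call `authorizeAdmin()` or `authorizeInstance()` before its `xCom_*` handler, and the same commit removes the blanket `authorizeUser()` call from `open()`. A branch added later without the call would run with no authorization at all, and nothing in this chain would flag it. Consider resolving the command to a handler plus a required role first and performing the check once before dispatch, so the default is deny; at minimum add a comment at the top of the chain such as `// every branch must call authorizeAdmin() or authorizeInstance() before its handler`. The function starts before and continues past this hunk, so branches outside it were not reviewed.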
@@ -184,7 +190,6 @@ std::string XrdCtaFile::decode(const std::string msg) const {
 int XrdCtaFile::open(const char *fileName, XrdSfsFileOpenMode openMode, mode_t createMode, const XrdSecEntity *client, const char *opaque) {
 try {
 checkClient(client);
- authorizeUser();
 if(!strlen(fileName)) { //this should never happen
 throw cta::exception::UserError(getGenericHelp(""));
 }
diff --git a/xroot_plugins/XrdCtaFile.hpp b/xroot_plugins/XrdCtaFile.hpp
index 6503361921155dd6d838f298737e40e30de771bc..0302fbb5ff991bb8403d531e0efdd4f8aa0a9393 100644
--- a/xroot_plugins/XrdCtaFile.hpp
+++ b/xroot_plugins/XrdCtaFile.hpp
@@ -219,14 +219,14 @@ protected:
 void xCom_liststorageclass();
 /**
- * Checks whether the user that issued the admin command is an authorized admin (throws a UserError if it's not).
+ * Checks whether the user that issued the admin command is an authorized admin (throws an exception if it's not).
 */
 void authorizeAdmin();
 /**
- * Checks whether the user that issued the user command is an authorized user (throws a UserError if it's not).
+ * Checks whether the instance that issued the user command is an authorized instance (throws an exception if it's not).
 */
- void authorizeUser();
+ void authorizeInstance();
 /**
 * Returns the response string properly formatted in a table