Commit 79fb95fa authored by Nate Rini's avatar Nate Rini Committed by Tim Wickberg

slurmrestd - restrict ability of requests to use different authentication plugins.

Enforce the result of calls to rest_auth_context_apply() to ensure that
any calls to slurmrestd can not potentially use a different authentication
plugin. Avoid defaulting to auth/munge unless in local authentication
context.

Clear authentication context in parse_http() instead of calling
rest_auth_context_apply() which will now fail.

Bug 9206.
parent ef1f3cd2
......@@ -22,6 +22,8 @@ documents those changes that are of interest to users and administrators.
-- Fix handling of job arrays in sacct when querying specific steps.
-- slurmrestd - avoid fallback to local socket authentication if JWT
authentication is ill-formed.
-- slurmrestd - restrict ability of requests to use different authentication
plugins.
 
* Changes in Slurm 20.02.3
==========================
......
......@@ -629,7 +629,9 @@ extern int parse_http(con_mgr_fd_t *con, void *x)
xassert(request->context == context);
request->context = context;
rest_auth_context_apply(context->auth);
/* make sure there is no auth context inherited */
rest_auth_context_clear();
parser->data = request;
debug("%s: [%s] Accepted HTTP connection", __func__, con->name);
......
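Review bot: The new comment above `rest_auth_context_clear();` in parse_http() says what is cleared but not why an inherited context can exist at that point. The header on this page describes applying a context "to thread", so the state is presumably per-thread and may be left over from an earlier request handled by the same thread; the comment should say so, e.g. `/* thread may still carry auth state from a prior request; clear it until rest_authenticate_http_request() applies this connection's context */`. parse_http() begins and ends outside the hunk, so whether any code between this call and authentication relies on an applied context cannot be confirmed from here.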
......@@ -314,9 +314,7 @@ extern int rest_authenticate_http_request(on_http_request_args_t *args)
_check_magic(context);
rest_auth_context_apply(context);
return SLURM_SUCCESS;
return rest_auth_context_apply(context);
fail:
g_slurm_auth_thread_clear();
......@@ -334,22 +332,24 @@ extern rest_auth_context_t *rest_auth_context_new(void)
return context;
}
extern void rest_auth_context_apply(rest_auth_context_t *context)
extern int rest_auth_context_apply(rest_auth_context_t *context)
{
bool found = false;
int rc = ESLURM_AUTH_CRED_INVALID;
if (context->type == AUTH_TYPE_INVALID) {
return rest_auth_context_clear();
rest_auth_context_clear();
} else if (context->type == AUTH_TYPE_LOCAL) {
found = true;
g_slurm_auth_thread_config(NULL, context->user_name);
/* clear any previous auth */
rest_auth_context_clear();
/* local auth relies on callers authentication already setup */
rc = SLURM_SUCCESS;
} else if (context->type == AUTH_TYPE_USER_PSK) {
found = true;
g_slurm_auth_thread_config(context->token, context->user_name);
}
rc = g_slurm_auth_thread_config(context->token,
context->user_name);
} else
fatal_abort("%s: invalid auth type", __func__);
if (!found)
fatal_abort("%s: invalid auth type to apply", __func__);
return rc;
}
extern void rest_auth_context_clear(void)
......
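Review bot: In rest_authenticate_http_request() the new `return rest_auth_context_apply(context);` hands a failure straight back to the caller and skips the `fail:` label directly below it, so the cleanup that starts with g_slurm_auth_thread_clear() does not run when applying the context fails. For AUTH_TYPE_USER_PSK that failure comes from g_slurm_auth_thread_config(), and whether it can leave partial per-thread state behind is not visible on this page. Routing the error through the existing exit would keep a single failure path: `if (rest_auth_context_apply(context)) goto fail;` followed by `return SLURM_SUCCESS;`. The rest of the function and of the fail path lies outside the hunk, so confirm that `fail:` returns an error code and that losing the specific rc is acceptable.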
......@@ -96,9 +96,9 @@ extern int rest_authenticate_http_request(on_http_request_args_t *args);
/*
* Apply current auth context to thread
* IN context - security context to apply
* will fatal on error
* RET SLURM_SUCCESS or error
*/
extern void rest_auth_context_apply(rest_auth_context_t *context);
extern int rest_auth_context_apply(rest_auth_context_t *context);
/*
* Clear current auth context
......
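Review bot: Changing rest_auth_context_apply() from void to int does not by itself make callers check the result; a call site that still ignores it compiles silently and carries on with whatever auth state the thread has. Marking the declaration, e.g. `extern int rest_auth_context_apply(rest_auth_context_t *context) __attribute__((warn_unused_result));`, would let the compiler flag such callers, which matters here because call sites outside this page are not visible. The comment block could also state that an AUTH_TYPE_INVALID context clears the thread's auth and returns an error, and that an unrecognised type still aborts through fatal_abort(), since the line "will fatal on error" was dropped.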