The following methods are available in the myproxy-server to ban or block a user.

Disallow Credentials to be Stored

The myproxy-server.config accepted_credentials setting controls whether clients can store credentials on the server, but it is difficult to use this parameter to block a specific user while continuing to allow other users with similar DNs. To block a specific user, you can define an accepted_credentials_mapapp in myproxy-server.config. An example is provided at $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp.

For example, if /etc/myproxy-server.config contains:

    accepted_credentials_mapapp /usr/local/bin/myproxy-accepted-credentials-mapapp

and /usr/local/bin/myproxy-accepted-credentials-mapapp contains:

    #!/bin/sh
    # myproxy-server runs this call-out with the client's subject DN
    # and the requested username as its two arguments.
    subjectdn=$1
    username=$2
    blacklistfile="/etc/myproxy-server-blacklist"
    if [ -r "$blacklistfile" ]; then
        # deny if the blacklist file matches the client's DN
        grep "${subjectdn}" "$blacklistfile" >/dev/null 2>&1
        if [ $? -eq 0 ]; then
            logger -t myproxy-server "denied blacklisted user: ${subjectdn}"
            exit 1;    # non-zero exit: request denied
        fi
    fi
    exit 0             # zero exit: request allowed

and /etc/myproxy-server-blacklist contains:

    /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney

then this user will not be allowed to store credentials, as seen in syslog:

    Apr 27 09:38:17 localhost myproxy-server[69695]: Connection from 127.0.0.1
    Apr 27 09:38:19 localhost myproxy-server[69695]: Authenticated client /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney
    Apr 27 09:38:22 localhost myproxy-server[69695]: Received PUT request for username jbasney
    Apr 27 09:38:22 localhost myproxy-server[69700]: denied blacklisted user: /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney
    Apr 27 09:38:22 localhost myproxy-server[69695]: authorization failed
    Apr 27 09:38:22 localhost myproxy-server[69695]: Exiting: consult_mapapp call-out returned failure
    Accepted credentials failure for DN/Username via call-out

Since the myproxy-accepted-credentials-mapapp script performs a simple grep against the myproxy-server-blacklist file, the blacklist can contain substrings of the DN, so adding "Jim Basney" to the blacklist file will block all certificates with "Jim Basney" in the subject.

Remove Stored Credentials

In addition to blocking a user from storing credentials, we may also want to block a user from accessing stored credentials. The myproxy-admin-query command provides the ability to find, lock, and delete stored credentials as needed. (The myproxy-admin-query -o option was added in MyProxy v4.7.) For example:

    # myproxy-admin-query -o "/C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney"
    owner: /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney
    username: jbasney
    timeleft: 168:54:02 (7.0 days)
    # myproxy-admin-query -o "/C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney" \
        -L "Please contact help@ncsa.uiuc.edu."
    Credential for user jbasney (name: default) locked.

The user now sees the credential as locked:

    $ myproxy-logon
    Enter MyProxy pass phrase:
    Failed to receive credentials.
    ERROR from myproxy-server:
    credential locked
    Please contact help@ncsa.uiuc.edu.

Alternatively, you can remove the credential(s) from the repository:

    # myproxy-admin-query -o "/C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney" -r
    Credential for user jbasney (name: default) removed.

So the user sees:

    $ myproxy-logon
    Enter MyProxy pass phrase:
    Failed to receive credentials.
    ERROR from myproxy-server:
    No credentials exist for username "jbasney".
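Returning to the accepted_credentials_mapapp call-out from the first section, here is an added example (not the script shipped with MyProxy) that denies a DN only when it appears as a complete line of the blacklist, so an entry cannot accidentally cover other subjects the way a substring match can; the blacklist path and the log wording are assumptions.

```shell
#!/bin/sh
# Added example, not the mapapp shipped with MyProxy: an accepted_credentials_mapapp
# that denies a DN only when it is an exact, whole-line entry in the blacklist file.
# myproxy-server invokes the script as "<script> <subject DN> <username>";
# exit 0 allows the PUT request and a non-zero exit denies it.

# Assumed path (the same file the page's example uses).
BLACKLISTFILE="${BLACKLISTFILE:-/etc/myproxy-server-blacklist}"

# dn_is_blacklisted DN FILE: returns 0 when DN is an exact line of FILE,
# 1 otherwise (including when FILE is missing or unreadable).
dn_is_blacklisted() {
    dn=$1
    file=$2
    [ -r "$file" ] || return 1
    # -F: treat DN as a fixed string, not a regex; -x: whole line only; -q: quiet
    grep -Fxq -- "$dn" "$file"
}

# log_denial DN USERNAME: record the decision in syslog via logger when it is
# available, otherwise on stderr.
log_denial() {
    if command -v logger >/dev/null 2>&1; then
        logger -t myproxy-server "denied blacklisted user: $1 (username $2)"
    else
        echo "denied blacklisted user: $1 (username $2)" >&2
    fi
}

# decide DN USERNAME FILE: returns 1 (deny) for a blacklisted DN, 0 (allow) otherwise.
decide() {
    if dn_is_blacklisted "$1" "$3"; then
        log_denial "$1" "$2"
        return 1
    fi
    return 0
}

# When invoked by myproxy-server the two arguments are present: act on them.
if [ $# -ge 2 ]; then
    decide "$1" "$2" "$BLACKLISTFILE"
    exit $?
fi
```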
If you prefer, rather than using myproxy-admin-query, you can find and remove the credentials manually:

    # (for f in /var/myproxy/*.creds; do printf "%s: " "$f"; grid-cert-info -subject -file "$f"; done) > /tmp/myproxy-creds.txt
    # grep "Jim Basney" /tmp/myproxy-creds.txt
    /var/myproxy/jbasney.creds: /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney/CN=1854512388/CN=161383373
    # rm /var/myproxy/jbasney.*

Denying Access to the MyProxy CA

The following options are available to deny a user access to the MyProxy CA:
Last modified 04/27/09.