National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign

The following methods are available in the myproxy-server to ban or block a user.

Disallow Credentials to be Stored

The myproxy-server.config accepted_credentials setting controls whether clients can store credentials on the server, but it is difficult to use this parameter to block a specific user while continuing to allow other users with similar DNs. To block a specific user, you can define an accepted_credentials_mapapp in myproxy-server.config. An example is provided at $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp.

For example, if /etc/myproxy-server.config contains:

accepted_credentials_mapapp /usr/local/bin/myproxy-accepted-credentials-mapapp

and /usr/local/bin/myproxy-accepted-credentials-mapapp contains:

#!/bin/sh
# accepted_credentials_mapapp call-out: the server passes the client's
# subject DN as argument 1 and the requested MyProxy username as argument 2.
# Exit 1 rejects the store request; exit 0 allows it.
subjectdn=$1
username=$2
blacklistfile="/etc/myproxy-server-blacklist"
if [ -r "$blacklistfile" ]; then
    # Each blacklist line is a fixed string (-F) looked for anywhere in the DN,
    # so either a full DN or a substring such as "Jim Basney" blocks the user.
    # A blank line in the blacklist matches every DN and therefore blocks everyone.
    if printf '%s\n' "$subjectdn" | grep -q -F -f "$blacklistfile"; then
        logger -t myproxy-server "denied blacklisted user: ${subjectdn}"
        exit 1
    fi
fi
exit 0

and /etc/myproxy-server-blacklist contains:

/C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney

then this user will not be allowed to store credentials, as seen in syslog:

Apr 27 09:38:17 localhost myproxy-server[69695]: Connection from 127.0.0.1
Apr 27 09:38:19 localhost myproxy-server[69695]: Authenticated client /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney
Apr 27 09:38:22 localhost myproxy-server[69695]: Received PUT request for username jbasney
Apr 27 09:38:22 localhost myproxy-server[69700]: denied blacklisted user: /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney
Apr 27 09:38:22 localhost myproxy-server[69695]: authorization failed
Apr 27 09:38:22 localhost myproxy-server[69695]: Exiting: consult_mapapp call-out returned failure Accepted credentials failure for DN/Username via call-out 

Since the myproxy-accepted-credentials-mapapp script performs a simple grep against the myproxy-server-blacklist file, the blacklist can contain substrings of the DN, so adding "Jim Basney" to the blacklist file will block all certificates with "Jim Basney" in the subject.
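To audit what the call-out decided, here is an added example (not part of the MyProxy distribution) that reads syslog lines of the kind shown above and reconstructs each PUT attempt with its outcome. The sample lines are constructed for this example and the DNs in them are made up.

```python
import re

# Constructed sample syslog excerpt modelled on the lines shown above; not output from a real server.
SAMPLE_LOG = """\
Apr 27 09:38:19 localhost myproxy-server[69695]: Authenticated client /C=US/O=Example Org/OU=People/CN=Blocked User
Apr 27 09:38:22 localhost myproxy-server[69695]: Received PUT request for username blocked
Apr 27 09:38:22 localhost myproxy-server[69700]: denied blacklisted user: /C=US/O=Example Org/OU=People/CN=Blocked User
Apr 27 09:38:22 localhost myproxy-server[69695]: authorization failed
Apr 27 09:38:22 localhost myproxy-server[69695]: Exiting: consult_mapapp call-out returned failure Accepted credentials failure for DN/Username via call-out
Apr 27 09:40:03 localhost myproxy-server[69810]: Authenticated client /C=US/O=Example Org/OU=People/CN=Allowed User
Apr 27 09:40:05 localhost myproxy-server[69810]: Received PUT request for username allowed
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ myproxy-server\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def parse_put_attempts(log_text):
    """Reconstruct each PUT (credential-store) attempt from myproxy-server syslog lines.
    Server lines for one connection share a PID; the mapapp's 'denied blacklisted user'
    line is logged by the call-out child under another PID, so it is matched by DN."""
    sessions = {}       # pid -> fields gathered so far for that server child
    denied_dns = set()  # DNs rejected by the accepted_credentials_mapapp
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        s = sessions.setdefault(pid, {"dn": None, "user": None, "ts": None, "authz_failed": False})
        if msg.startswith("Authenticated client "):
            s["dn"] = msg[len("Authenticated client "):]
        elif msg.startswith("Received PUT request for username "):
            s["user"] = msg[len("Received PUT request for username "):]
            s["ts"] = m.group("ts")
            attempts.append(s)
        elif msg == "authorization failed":
            s["authz_failed"] = True
        elif msg.startswith("denied blacklisted user: "):
            denied_dns.add(msg[len("denied blacklisted user: "):])
    for s in attempts:
        if s["dn"] in denied_dns:
            s["outcome"] = "denied by blacklist"
        elif s["authz_failed"]:
            s["outcome"] = "authorization failed"
        else:
            s["outcome"] = "no denial logged"
    return [{k: s[k] for k in ("ts", "dn", "user", "outcome")} for s in attempts]
```

Feed it the server's syslog (for example the output of `grep myproxy-server /var/log/messages`) to get one record per store attempt, which makes blacklist hits easy to count per DN.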

Remove Stored Credentials

In addition to blocking a user from storing credentials, we may also want to block a user from accessing stored credentials. The myproxy-admin-query command provides the ability to find, lock, and delete stored credentials as needed. Note that the myproxy-admin-query -o option was added in MyProxy v4.7. For example:

# myproxy-admin-query -o "/C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney"
owner: /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney
username: jbasney
  timeleft: 168:54:02  (7.0 days)
# myproxy-admin-query -o "/C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney" \
  -L "Please contact help@ncsa.uiuc.edu."
Credential for user jbasney (name: default) locked.

The user now sees the credential as locked:

$ myproxy-logon
Enter MyProxy pass phrase:
Failed to receive credentials.
ERROR from myproxy-server:
credential locked
Please contact help@ncsa.uiuc.edu.

Alternatively, you can remove the credential(s) from the repository:

# myproxy-admin-query -o "/C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney" -r
Credential for user jbasney (name: default) removed.

So the user sees:

$ myproxy-logon
Enter MyProxy pass phrase:
Failed to receive credentials.
ERROR from myproxy-server:
No credentials exist for username "jbasney".

If you prefer, rather than using myproxy-admin-query, you can find and remove the credentials manually:

# for f in /var/myproxy/*.creds; do printf '%s: ' "$f"; grid-cert-info -subject -file "$f"; done > /tmp/myproxy-creds.txt
# grep "Jim Basney" /tmp/myproxy-creds.txt
/var/myproxy/jbasney.creds: /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney/CN=1854512388/CN=161383373
# rm /var/myproxy/jbasney.*

Denying Access to the MyProxy CA

The following options are available to deny a user access to the MyProxy CA:

Last modified 04/27/09.
©2000-2019 Board of Trustees of the University of Illinois.