hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MXS-1354: Add user account types to REST API

Browse Source 
The user accounts can now be created with a specific account type. This
allows read-only users to be created for the REST API.
This commit is contained in:
Markus Mäkelä
2017-08-16 06:29:46 +03:00
parent ec045b7ab6
commit 9d24a63c10
9 changed files with 108 additions and 119 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
include/maxscale/adminusers.h.in
View File

@ -18,6 +18,7 @@
#include <maxscale/cdefs.h> #include <maxscale/cdefs.h>
#include <maxscale/dcb.h> #include <maxscale/dcb.h>
#include <maxscale/users.h>
MXS_BEGIN_DECLS MXS_BEGIN_DECLS
@ -73,13 +74,11 @@ typedef struct admin_session
void admin_users_init(); void admin_users_init();
const char* admin_enable_linux_account(const char *uname); const char* admin_enable_linux_account(const char *uname, enum account_type type);
const char *admin_enable_linux_admin_account(const char *uname);
const char* admin_disable_linux_account(const char *uname); const char* admin_disable_linux_account(const char *uname);
bool admin_linux_account_enabled(const char *uname); bool admin_linux_account_enabled(const char *uname);
const char* admin_add_inet_user(const char *uname, const char *password); const char* admin_add_inet_user(const char *uname, const char *password, enum account_type type);
const char *admin_add_inet_admin_user(const char *uname, const char* password);
const char* admin_remove_inet_user(const char* uname); const char* admin_remove_inet_user(const char* uname);
bool admin_inet_user_exists(const char *uname); bool admin_inet_user_exists(const char *uname);
bool admin_verify_inet_user(const char *uname, const char *password); bool admin_verify_inet_user(const char *uname, const char *password);

4
include/maxscale/config.h
View File

@ -65,8 +65,9 @@ MXS_BEGIN_DECLS
#define MXS_JSON_PTR_PARAM_SSL_CERT_VERIFY_DEPTH MXS_JSON_PTR_PARAMETERS "/ssl_cert_verify_depth" #define MXS_JSON_PTR_PARAM_SSL_CERT_VERIFY_DEPTH MXS_JSON_PTR_PARAMETERS "/ssl_cert_verify_depth"
/** Non-parameter JSON pointers */ /** Non-parameter JSON pointers */
#define MXS_JSON_PTR_MODULE "/data/attributes/module" #define MXS_JSON_PTR_MODULE "/data/attributes/module"
#define MXS_JSON_PTR_PASSWORD "/data/attributes/password" #define MXS_JSON_PTR_PASSWORD "/data/attributes/password"
#define MXS_JSON_PTR_ACCOUNT "/data/attributes/account"
/** /**
* Common configuration parameters names * Common configuration parameters names
@ -75,6 +76,7 @@ MXS_BEGIN_DECLS
* For example CN_PASSWORD resolves to the static string "password". This means * For example CN_PASSWORD resolves to the static string "password". This means
* that the sizeof(CN_<name>) returns the actual size of that string. * that the sizeof(CN_<name>) returns the actual size of that string.
*/ */
extern const char CN_ACCOUNT[];
extern const char CN_ADDRESS[]; extern const char CN_ADDRESS[];
extern const char CN_ARG_MAX[]; extern const char CN_ARG_MAX[];
extern const char CN_ARG_MIN[]; extern const char CN_ARG_MIN[];

18
include/maxscale/users.h
View File

@ -179,4 +179,22 @@ void users_diagnostic(DCB* dcb, USERS* users);
*/ */
json_t* users_diagnostic_json(USERS* users); json_t* users_diagnostic_json(USERS* users);
/**
* Convert account_type to a string
*
* @param type Enum value
*
* @return String representation of @c type
*/
const char* account_type_to_str(enum account_type type);
/**
* Convert JSON value to account_type value
*
* @param json JSON value to convert
*
* @return Enum value of @c json
*/
enum account_type json_to_account_type(json_t* json);
MXS_END_DECLS MXS_END_DECLS

55
server/core/adminusers.cc
View File

@ -122,7 +122,7 @@ static const char* admin_remove_user(USERS *users, const char* fname, const char
return ADMIN_SUCCESS; return ADMIN_SUCCESS;
} }
static json_t* admin_user_json_data(const char* host, const char* user, enum user_type user_type) static json_t* admin_user_json_data(const char* host, const char* user, enum user_type user_type, enum account_type account)
{ {
ss_dassert(user_type != USER_TYPE_ALL); ss_dassert(user_type != USER_TYPE_ALL);
const char* type = user_type == USER_TYPE_INET ? CN_INET : CN_UNIX; const char* type = user_type == USER_TYPE_INET ? CN_INET : CN_UNIX;
@ -131,6 +131,10 @@ static json_t* admin_user_json_data(const char* host, const char* user, enum use
json_object_set_new(entry, CN_ID, json_string(user)); json_object_set_new(entry, CN_ID, json_string(user));
json_object_set_new(entry, CN_TYPE, json_string(type)); json_object_set_new(entry, CN_TYPE, json_string(type));
json_t* param = json_object();
json_object_set_new(param, CN_ACCOUNT, json_string(account_type_to_str(account)));
json_object_set_new(entry, CN_ATTRIBUTES, param);
std::string self = MXS_JSON_API_USERS; std::string self = MXS_JSON_API_USERS;
self += type; self += type;
json_object_set_new(entry, CN_RELATIONSHIPS, mxs_json_self_link(host, self.c_str(), user)); json_object_set_new(entry, CN_RELATIONSHIPS, mxs_json_self_link(host, self.c_str(), user));
@ -146,7 +150,9 @@ static void user_types_to_json(USERS* users, json_t* arr, const char* host, enum
json_array_foreach(json, index, value) json_array_foreach(json, index, value)
{ {
json_array_append_new(arr, admin_user_json_data(host, json_string_value(value), type)); const char* user = json_string_value(json_object_get(value, CN_NAME));
enum account_type account = json_to_account_type(json_object_get(value, CN_ACCOUNT));
json_array_append_new(arr, admin_user_json_data(host, user, type, account));
} }
json_decref(json); json_decref(json);
@ -170,11 +176,12 @@ static std::string path_from_type(enum user_type type)
json_t* admin_user_to_json(const char* host, const char* user, enum user_type type) json_t* admin_user_to_json(const char* host, const char* user, enum user_type type)
{ {
account_type account = admin_is_admin_user(user) ? ACCOUNT_ADMIN : ACCOUNT_BASIC;
std::string path = path_from_type(type); std::string path = path_from_type(type);
path += "/"; path += "/";
path += user; path += user;
return mxs_json_resource(host, path.c_str(), admin_user_json_data(host, user, type)); return mxs_json_resource(host, path.c_str(), admin_user_json_data(host, user, type, account));
} }
json_t* admin_all_users_to_json(const char* host, enum user_type type) json_t* admin_all_users_to_json(const char* host, enum user_type type)
@ -333,21 +340,9 @@ static USERS *load_inet_users()
* *
* @return NULL on success or an error string on failure. * @return NULL on success or an error string on failure.
*/ */
const char *admin_enable_linux_account(const char *uname) const char *admin_enable_linux_account(const char *uname, enum account_type type)
{ {
return admin_add_user(&linux_users, LINUX_USERS_FILE_NAME, uname, NULL, ACCOUNT_BASIC); return admin_add_user(&linux_users, LINUX_USERS_FILE_NAME, uname, NULL, type);
}
/**
* Enable Linux account
*
* @param uname Name of Linux user
*
* @return NULL on success or an error string on failure.
*/
const char *admin_enable_linux_admin_account(const char *uname)
{
return admin_add_user(&linux_users, LINUX_USERS_FILE_NAME, uname, NULL, ACCOUNT_ADMIN);
} }
/** /**
@ -403,13 +398,6 @@ void mxs_crypt(const char* password, const char* salt, char* output)
#endif #endif
} }
static const char* add_inet_user(const char *uname, const char* password, account_type type)
{
char cpassword[MXS_CRYPT_SIZE];
mxs_crypt(password, ADMIN_SALT, cpassword);
return admin_add_user(&inet_users, INET_USERS_FILE_NAME, uname, cpassword, type);
}
/** /**
* Add insecure remote (network) basic user. * Add insecure remote (network) basic user.
* *
@ -418,22 +406,11 @@ static const char* add_inet_user(const char *uname, const char* password, accoun
* *
* @return NULL on success or an error string on failure. * @return NULL on success or an error string on failure.
*/ */
const char *admin_add_inet_user(const char *uname, const char* password) const char *admin_add_inet_user(const char *uname, const char* password, enum account_type type)
{ {
return add_inet_user(uname, password, ACCOUNT_BASIC); char cpassword[MXS_CRYPT_SIZE];
} mxs_crypt(password, ADMIN_SALT, cpassword);
return admin_add_user(&inet_users, INET_USERS_FILE_NAME, uname, cpassword, type);
/**
* Add insecure remote (network) admin user.
*
* @param uname Name of the new user.
* @param password Password of the new user.
*
* @return NULL on success or an error string on failure.
*/
const char *admin_add_inet_admin_user(const char *uname, const char* password)
{
return add_inet_user(uname, password, ACCOUNT_ADMIN);
} }
/** /**

1
server/core/config.cc
View File

@ -54,6 +54,7 @@
using std::set; using std::set;
using std::string; using std::string;
const char CN_ACCOUNT[] = "account";
const char CN_ADDRESS[] = "address"; const char CN_ADDRESS[] = "address";
const char CN_ARG_MAX[] = "arg_max"; const char CN_ARG_MAX[] = "arg_max";
const char CN_ARG_MIN[] = "arg_min"; const char CN_ARG_MIN[] = "arg_min";

23
server/core/config_runtime.cc
View File

@ -23,11 +23,12 @@
#include <algorithm> #include <algorithm>
#include <maxscale/atomic.h> #include <maxscale/atomic.h>
#include <maxscale/jansson.hh>
#include <maxscale/json_api.h>
#include <maxscale/paths.h> #include <maxscale/paths.h>
#include <maxscale/platform.h> #include <maxscale/platform.h>
#include <maxscale/spinlock.h> #include <maxscale/spinlock.h>
#include <maxscale/jansson.hh> #include <maxscale/users.h>
#include <maxscale/json_api.h>
#include "maxscale/config.h" #include "maxscale/config.h"
#include "maxscale/monitor.h" #include "maxscale/monitor.h"
@ -1723,6 +1724,7 @@ bool validate_user_json(json_t* json)
json_t* id = mxs_json_pointer(json, MXS_JSON_PTR_ID); json_t* id = mxs_json_pointer(json, MXS_JSON_PTR_ID);
json_t* type = mxs_json_pointer(json, MXS_JSON_PTR_TYPE); json_t* type = mxs_json_pointer(json, MXS_JSON_PTR_TYPE);
json_t* password = mxs_json_pointer(json, MXS_JSON_PTR_PASSWORD); json_t* password = mxs_json_pointer(json, MXS_JSON_PTR_PASSWORD);
json_t* account = mxs_json_pointer(json, MXS_JSON_PTR_ACCOUNT);
if (!id) if (!id)
{ {
@ -1740,6 +1742,18 @@ bool validate_user_json(json_t* json)
{ {
runtime_error("The '%s' field is not a string", MXS_JSON_PTR_TYPE); runtime_error("The '%s' field is not a string", MXS_JSON_PTR_TYPE);
} }
else if (!account)
{
runtime_error("Request body does not define the '%s' field", MXS_JSON_PTR_ACCOUNT);
}
else if (!json_is_string(account))
{
runtime_error("The '%s' field is not a string", MXS_JSON_PTR_ACCOUNT);
}
else if (json_to_account_type(account) == ACCOUNT_UNKNOWN)
{
runtime_error("The '%s' field is not a valid account value", MXS_JSON_PTR_ACCOUNT);
}
else else
{ {
if (strcmp(json_string_value(type), CN_INET) == 0) if (strcmp(json_string_value(type), CN_INET) == 0)
@ -1780,14 +1794,15 @@ bool runtime_create_user_from_json(json_t* json)
const char* user = json_string_value(mxs_json_pointer(json, MXS_JSON_PTR_ID)); const char* user = json_string_value(mxs_json_pointer(json, MXS_JSON_PTR_ID));
const char* password = json_string_value(mxs_json_pointer(json, MXS_JSON_PTR_PASSWORD)); const char* password = json_string_value(mxs_json_pointer(json, MXS_JSON_PTR_PASSWORD));
string strtype = json_string_value(mxs_json_pointer(json, MXS_JSON_PTR_TYPE)); string strtype = json_string_value(mxs_json_pointer(json, MXS_JSON_PTR_TYPE));
account_type type = json_to_account_type(mxs_json_pointer(json, MXS_JSON_PTR_ACCOUNT));
const char* err = NULL; const char* err = NULL;
if (strtype == CN_INET && (err = admin_add_inet_user(user, password)) == ADMIN_SUCCESS) if (strtype == CN_INET && (err = admin_add_inet_user(user, password, type)) == ADMIN_SUCCESS)
{ {
MXS_NOTICE("Create network user '%s'", user); MXS_NOTICE("Create network user '%s'", user);
rval = true; rval = true;
} }
else if (strtype == CN_UNIX && (err = admin_enable_linux_account(user)) == ADMIN_SUCCESS) else if (strtype == CN_UNIX && (err = admin_enable_linux_account(user, type)) == ADMIN_SUCCESS)
{ {
MXS_NOTICE("Enabled account '%s'", user); MXS_NOTICE("Enabled account '%s'", user);
rval = true; rval = true;

34
server/core/test/testadminusers.cc
View File

@ -11,20 +11,7 @@
* Public License. * Public License.
*/ */
/** // To ensure that ss_info_assert asserts also when building in non-debug mode.
*
* @verbatim
* Revision History
*
* Date Who Description
* 20-08-2014 Mark Riddoch Initial implementation
* 23-05-2016 Massimiliano Pinto admin_add_user and admin_remove_user
* no longer accept password parameter
*
* @endverbatim
*/
// To ensure that ss_info_assert asserts also when builing in non-debug mode.
#if !defined(SS_DEBUG) #if !defined(SS_DEBUG)
#define SS_DEBUG #define SS_DEBUG
#endif #endif
@ -38,6 +25,7 @@
#include <maxscale/adminusers.h> #include <maxscale/adminusers.h>
#include <maxscale/alloc.h> #include <maxscale/alloc.h>
#include <maxscale/utils.h> #include <maxscale/utils.h>
#include <maxscale/users.h>
/** /**
* test1 default user * test1 default user
@ -76,13 +64,13 @@ test2()
{ {
const char *err; const char *err;
if ((err = admin_enable_linux_account("user0")) != NULL) if ((err = admin_enable_linux_account("user0", ACCOUNT_ADMIN)) != NULL)
{ {
fprintf(stderr, "admin_add_user: test 2.1 (add user) failed, %s.\n", err); fprintf(stderr, "admin_add_user: test 2.1 (add user) failed, %s.\n", err);
return 1; return 1;
} }
if (admin_enable_linux_account("user0") == NULL) if (admin_enable_linux_account("user0", ACCOUNT_ADMIN) == NULL)
{ {
fprintf(stderr, "admin_add_user: test 2.2 (add user) failed, duplicate.\n"); fprintf(stderr, "admin_add_user: test 2.2 (add user) failed, duplicate.\n");
@ -98,7 +86,7 @@ test2()
} }
/* Add the user back, for test5. */ /* Add the user back, for test5. */
if ((err = admin_enable_linux_account("user0")) != NULL) if ((err = admin_enable_linux_account("user0", ACCOUNT_ADMIN)) != NULL)
{ {
fprintf(stderr, "admin_add_user: test 2.4 (add user) failed, %s.\n", err); fprintf(stderr, "admin_add_user: test 2.4 (add user) failed, %s.\n", err);
@ -122,7 +110,7 @@ test3()
{ {
const char *err; const char *err;
if ((err = admin_enable_linux_account("user1")) != NULL) if ((err = admin_enable_linux_account("user1", ACCOUNT_ADMIN)) != NULL)
{ {
fprintf(stderr, "admin_add_user: test 3.1 (add user) failed, %s.\n", err); fprintf(stderr, "admin_add_user: test 3.1 (add user) failed, %s.\n", err);
@ -180,7 +168,7 @@ test4()
for (i = 1; i < n_users; i++) for (i = 1; i < n_users; i++)
{ {
sprintf(user, "user%d", i); sprintf(user, "user%d", i);
if ((err = admin_enable_linux_account(user)) != NULL) if ((err = admin_enable_linux_account(user, ACCOUNT_ADMIN)) != NULL)
{ {
fprintf(stderr, "admin_add_user: test 4.1 (add user) failed, %s.\n", err); fprintf(stderr, "admin_add_user: test 4.1 (add user) failed, %s.\n", err);
@ -224,7 +212,7 @@ test5()
{ {
const char *err; const char *err;
if ((err = admin_enable_linux_account("user")) != NULL) if ((err = admin_enable_linux_account("user", ACCOUNT_ADMIN)) != NULL)
{ {
fprintf(stderr, "admin_add_user: test 5.1 (add user) failed, %s.\n", err); fprintf(stderr, "admin_add_user: test 5.1 (add user) failed, %s.\n", err);
@ -259,11 +247,7 @@ main(int argc, char **argv)
unlink(buf); unlink(buf);
// admin_verify() should be removed, since the maxadmin authentication has result += test1();
// been changed completely. However, telnetd still uses that admin_verify()
// so I'll leave the function there for now. But telnetd should be dropped,
// since it cannot use the same user file as maxadmin does.
// result += test1();
result += test2(); result += test2();
result += test3(); result += test3();
result += test4(); result += test4();

75
server/core/users.cc
View File

@ -30,41 +30,6 @@ namespace
static const char STR_BASIC[] = "basic"; static const char STR_BASIC[] = "basic";
static const char STR_ADMIN[] = "admin"; static const char STR_ADMIN[] = "admin";
static const char* account_type_to_str(account_type type)
{
switch (type)
{
case ACCOUNT_BASIC:
return STR_BASIC;
case ACCOUNT_ADMIN:
return STR_ADMIN;
default:
MXS_ERROR("Unknown enum account_type value: %d", (int)type);
ss_dassert(!true);
return "unknown";
}
}
static account_type json_to_account_type(json_t* json)
{
std::string str = json_string_value(json);
if (str == STR_BASIC)
{
return ACCOUNT_BASIC;
}
else if (str == STR_ADMIN)
{
return ACCOUNT_ADMIN;
}
MXS_ERROR("Unknown account type string: %s", str.c_str());
ss_dassert(!true);
return ACCOUNT_UNKNOWN;
}
struct UserInfo struct UserInfo
{ {
UserInfo(): UserInfo():
@ -180,7 +145,10 @@ public:
for (UserMap::const_iterator it = m_data.begin(); it != m_data.end(); it++) for (UserMap::const_iterator it = m_data.begin(); it != m_data.end(); it++)
{ {
json_array_append_new(rval, json_string(it->first.c_str())); json_t* obj = json_object();
json_object_set_new(obj, CN_NAME, json_string(it->first.c_str()));
json_object_set_new(obj, CN_ACCOUNT, json_string(account_type_to_str(it->second.permissions)));
json_array_append_new(rval, obj);
} }
return rval; return rval;
@ -217,7 +185,7 @@ public:
{ {
json_t* obj = json_object(); json_t* obj = json_object();
json_object_set_new(obj, CN_NAME, json_string(it->first.c_str())); json_object_set_new(obj, CN_NAME, json_string(it->first.c_str()));
json_object_set_new(obj, CN_TYPE, json_string(account_type_to_str(it->second.permissions))); json_object_set_new(obj, CN_ACCOUNT, json_string(account_type_to_str(it->second.permissions)));
json_object_set_new(obj, CN_PASSWORD, json_string(it->second.password.c_str())); json_object_set_new(obj, CN_PASSWORD, json_string(it->second.password.c_str()));
json_array_append_new(arr, obj); json_array_append_new(arr, obj);
} }
@ -248,7 +216,7 @@ private:
json_array_foreach(json, i, value) json_array_foreach(json, i, value)
{ {
json_t* name = json_object_get(value, CN_NAME); json_t* name = json_object_get(value, CN_NAME);
json_t* type = json_object_get(value, CN_TYPE); json_t* type = json_object_get(value, CN_ACCOUNT);
json_t* password = json_object_get(value, CN_PASSWORD); json_t* password = json_object_get(value, CN_PASSWORD);
if (name && json_is_string(name) && if (name && json_is_string(name) &&
@ -381,3 +349,34 @@ int users_default_loadusers(SERV_LISTENER *port)
port->users = users_alloc(); port->users = users_alloc();
return MXS_AUTH_LOADUSERS_OK; return MXS_AUTH_LOADUSERS_OK;
} }
const char* account_type_to_str(enum account_type type)
{
switch (type)
{
case ACCOUNT_BASIC:
return STR_BASIC;
case ACCOUNT_ADMIN:
return STR_ADMIN;
default:
return "unknown";
}
}
enum account_type json_to_account_type(json_t* json)
{
std::string str = json_string_value(json);
if (str == STR_BASIC)
{
return ACCOUNT_BASIC;
}
else if (str == STR_ADMIN)
{
return ACCOUNT_ADMIN;
}
return ACCOUNT_UNKNOWN;
}

10
server/modules/routing/debugcli/debugcmd.c
View File

@ -2268,10 +2268,7 @@ static void do_inet_add_user(DCB *dcb, char *user, char *password, enum account_
return; return;
} }
const char* (*f)(const char*, const char*) = type == ACCOUNT_ADMIN ? if ((err = admin_add_inet_user(user, password, type)) == NULL)
admin_add_inet_admin_user : admin_add_inet_user;
if ((err = f(user, password)) == NULL)
{ {
dcb_printf(dcb, "Account %s for remote (network) usage has been successfully added.\n", user); dcb_printf(dcb, "Account %s for remote (network) usage has been successfully added.\n", user);
} }
@ -2596,10 +2593,7 @@ static void do_enable_account(DCB *dcb, char *user, enum account_type type)
return; return;
} }
const char* (*f)(const char*) = type == ACCOUNT_ADMIN ? if ((err = admin_enable_linux_account(user, type)) == NULL)
admin_enable_linux_admin_account : admin_enable_linux_account;
if ((err = f(user)) == NULL)
{ {
dcb_printf(dcb, "The Linux user %s has successfully been enabled.\n", user); dcb_printf(dcb, "The Linux user %s has successfully been enabled.\n", user);
} }