OSC / ondemand

Supercomputing. Seamlessly. Open, Interactive HPC Via the Web
https://openondemand.org/
MIT License

Allow UID to be returned by the mapper script. #3795

Closed guruevi closed 4 days ago

guruevi commented 2 weeks ago

In multi-domain situations where the same "username" may be different people in different domains, you need to be able to map a user to a uid number.

This fixes the Ruby and Lua scripts to be able to handle both strings and user IDs.

Ideally, OOD would not rely on usernames as the recommended SSSD 'fix' (full_name_format = %1$s) allows for users returning the same username with a simple getpwnam(str).

johrstrom commented 2 weeks ago

I'll have to think about this for a bit and the ramifications. It seems OK on the surface, but I just need a second to consider what side effects it could have.

Also - the CI is failing, but not because of this change. I'm fixing the CI in another PR.

guruevi commented 2 weeks ago

@johrstrom Thanks: I understand there may be other parts, I have tested it in my environment and so far have not seen any side effects.

As far as the ramifications, in our environment this is a security "hole": basically, simply mapping the OIDC natively to a username occasionally maps to the "wrong" user. So let's say we get back johrstom@yourinstitution.edu from Globus; simply chopping off the domain is not enough, because there may be a johrstom@myinstitution.edu. SSSD will resolve johrstom to, say, 12345, whereas johrstom@yourinstitution.edu should resolve to 54321, thereby launching OOD NGINX sudo'ed with permissions to someone else's home directory. We are in a situation where multiple domains and an LDAP have merged over time, so you have your "LDAP username", your "AD1 username" and "AD2 username". For new accounts those are coordinated; for some people, for historical reasons, they are not, and jdoe@AD1 is not jdoe@AD2 or jdoe@LDAP, and although AD1 and AD2 are in the same forest, whichever primary domain you resolve to will return with "an" uid.

I have built a Python script that thus queries both domains for the attributes we get from Globus, but I ran into the issue that just returning a username would occasionally resolve into the "wrong" user (ID).

Oh, and it is completely legal from SSSD's perspective to have id -un uid1 and id -un uid2 resolve to the same username; SSSD keeps track of it with the domain in the background and it's just printing the same user. Behind the scenes all the processes use the pure UID.
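Added example (not OOD's own mapper code, nor the change in this PR) of handling mapper output that may be either a username or a numeric uid, with a constructed two-domain passwd table showing why a bare "jdoe" is ambiguous while a uid lookup is exact. The `PwEntry` struct, `DOMAIN_TABLE` and function names are assumptions for illustration.

```ruby
require 'etc'

# Minimal passwd-style record for the constructed multi-domain table below.
PwEntry = Struct.new(:name, :uid, :dir)

# Resolve whatever the mapper script printed into a passwd entry.
# A value that is all digits is treated as a uid and looked up exactly;
# anything else is treated as a username and looked up by name.
# The lookup lambdas default to the real NSS calls and can be swapped for a table.
def resolve_mapped_user(value,
                        by_uid: ->(uid) { Etc.getpwuid(uid) },
                        by_name: ->(name) { Etc.getpwnam(name) })
  str = value.to_s.strip
  raise ArgumentError, 'mapper script returned nothing' if str.empty?
  if str.match?(/\A\d+\z/)
    by_uid.call(Integer(str, 10))
  else
    by_name.call(str)
  end
end

# Constructed table standing in for two merged domains that both expose "jdoe".
# A by-name lookup hands back whichever entry the primary domain returns first.
DOMAIN_TABLE = [
  PwEntry.new('jdoe', 12345, '/home/ad1/jdoe'),     # jdoe@AD1
  PwEntry.new('jdoe', 54321, '/home/ad2/jdoe'),     # jdoe@AD2, a different person
  PwEntry.new('asmith', 20001, '/home/ad1/asmith'),
].freeze

TABLE_BY_UID  = ->(uid)  { DOMAIN_TABLE.find { |e| e.uid == uid } or raise ArgumentError, "no uid #{uid}" }
TABLE_BY_NAME = ->(name) { DOMAIN_TABLE.find { |e| e.name == name } or raise ArgumentError, "no user #{name}" }

# Resolve against the constructed table; returns the entry the session would run as.
def resolve_in_table(value)
  resolve_mapped_user(value, by_uid: TABLE_BY_UID, by_name: TABLE_BY_NAME)
end

if __FILE__ == $0
  # Mapper returned only the username: the AD2 person lands in the AD1 home.
  p resolve_in_table('jdoe').dir   # => "/home/ad1/jdoe"
  # Mapper returned the uid: exact, no ambiguity.
  p resolve_in_table('54321').dir  # => "/home/ad2/jdoe"
  # The same function against the real NSS database for the current process.
  begin
    p resolve_mapped_user(Process.uid).name
  rescue ArgumentError => e
    puts "current uid has no passwd entry: #{e.message}"
  end
end
```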

johrstrom commented 1 week ago

Sorry for the delay on this. This week just got super busy for me, so I'll try to carve out time later in the week.