
perfsonar-user - Re: [perfsonar-user] pS 3.4 upgrade: Possible bug in user account management?

Subject: perfSONAR User Q&A and Other Discussion

  • From: Andrew Lake <>
  • To: Philip Papadopoulos <>
  • Cc: , "" <>
  • Subject: Re: [perfsonar-user] pS 3.4 upgrade: Possible bug in user account management?
  • Date: Thu, 16 Oct 2014 13:42:21 -0400

Hi,

First of all, thanks for the nice detailed report Jim.  Looks like there are a couple issues to cover here:

- The user migration issue is something we previously fixed…and then inadvertently reverted yesterday when we did the POODLE SSLv3 update. Expect a new RPM later today that re-applies the fix.

- The issue where both "SSH" and "web interface" are selected and the user gets added to wheel is not the desired behavior. I wrote the doc page and didn't catch that it did that, and after some internal discussion we decided it should not do that. It's an artifact of the old version of the script where the wording was different and you were asked if you wanted to be an administrator. The script will be corrected to match the docs in the forthcoming RPM.

- As Philip helpfully pointed out (and as others pointed out prior to us fixing this the first time), adding a user to the psadmin group will give them access to the web interface. It is not expected you should have to do this per my first bullet, but it will circumvent the issue.

Thanks,
Andy

On Oct 16, 2014, at 12:11 PM, Philip Papadopoulos <> wrote:

Yes.  I think you need to add the users to the psadmin group.
I had the same problem.

I believe that psadmin is a new group for 3.4 (I'm not a perfSONAR developer, so somebody can correct me if I'm wrong)

-P

On Thu, Oct 16, 2014 at 9:05 AM, Jim Nauer CWRU <> wrote:
Yesterday, I did the upgrade to pS 3.4 (from a 3.3.x NetInstall that had been done in July, and was fully up-to-date before pS 3.4 was released).

Today, I was unable to log in to the web interface with any user--not root, not the non-root user I had created specifically to address this issue.

I created a new user account, and was able to log in...but then I dug into the documentation on the "Manager Users" page.  According to that page, under 3.4, SSH users should not automatically get "sudoer" privileges--but in my testing, if both SSH login & web interface options are selected, the new user account _is_ added to the "wheel" group (and thus gets 'sudo' privs but also should trigger the new web-access-not-allowed restriction).

To be clear, here is exactly what is happening:
1) create user 'foo', select ONLY "Should this user be able to login via SSH? [yes] "
  result: user 'foo' is created, and is a member of only the group "foo".  
  SSH login works, 'sudo' fails, web login fails (as expected)

2) create user "bar", select ONLY "Should this user be able to login to the web interface? [yes] "
  result: user "bar" is created, and is a member of the groups "bar" and "psadmin".  
  SSH login fails, web login succeeds (as expected)

3) create user "baz", select BOTH "Should this user be able to login via SSH? [yes] " and "Should this user be able to login to the web interface? [yes] "
  result: user "baz" is created, and is a member of the groups "baz", "psadmin", AND "wheel".
  SSH login works, and 'sudo' works (as expected, since %wheel is allowed by the sudoers file).
  web login works (NOT as expected, if "wheel" members are supposed to be denied access).

Any clues as to what's going on here? Is nptoolkit-configure.py misbehaving, and/or the web server, and/or am I misunderstanding how things are supposed to work?

-- 
James A. Nauer                   | "I shall not yield one whit of  maturity,
Engineer III, ITS Build          | not grace, not respectability, to  the
Information Technology Services  | passing of time. I declare that I  shall
Case Western Reserve University  | forever be, if not a child,  certainly
(216) 368-MACS  (368-6227)       | childish"  --Kennet Shardik
USPA D-25604




--
Philip Papadopoulos, PhD
University of California, San Diego
858-822-3628 (Ofc)
619-331-2990 (Fax)
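
An added example, not part of the original thread and not perfSONAR code: a shell audit that reads a group(5)-format file and reports which accounts are in psadmin (web interface), wheel (sudo via %wheel), or both, the combination reported in case 3 above. The sample group file and its GIDs are constructed, and the script assumes these memberships are recorded as supplementary groups in /etc/group.

```shell
#!/bin/sh
# Classify accounts by membership in "psadmin" (web interface access) and
# "wheel" (sudo through the %wheel sudoers rule), the groups named in the thread.

classify_access() {
    # $1 = path to a group(5)-format file (name:passwd:gid:member,member,...)
    # Defaults to /etc/group. Prints "user:class" lines, sorted.
    awk -F: '
        $1 == "psadmin" || $1 == "wheel" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                if (m[i] == "") continue
                seen[m[i]] = 1
                if ($1 == "wheel") sudo[m[i]] = 1; else web[m[i]] = 1
            }
        }
        END {
            for (u in seen) {
                if ((u in web) && (u in sudo)) c = "web+sudo"
                else if (u in web) c = "web-only"
                else c = "sudo-only"
                print u ":" c
            }
        }
    ' "${1:-/etc/group}" | sort
}

both_groups() {
    # Accounts in both psadmin and wheel: the result the thread calls undesired.
    classify_access "$1" | awk -F: '$2 == "web+sudo" { print $1 }'
}

# Constructed sample mirroring users foo, bar and baz from the report.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:
wheel:x:10:baz
psadmin:x:501:bar,baz
foo:x:502:
bar:x:503:
baz:x:504:
EOF

classify_access "$SAMPLE"
```

Calling `both_groups` with no argument checks the live /etc/group; an empty result means no account holds both groups.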



