WIP: Add user group membership check to decide upstream host - yaml plugin #425
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…he upstream If a username is not given in the yaml config file it parses the groupname and checks if user is part of that group and routes them accordinly to the associated host defined in the config file for the yaml plugin
eesaanatluri
changed the title
eesaanatluri
changed the title
|
Hi @tg123 Looking for some feedback. |
tg123
reviewed
Aug 13, 2024
| @@ -220,20 +223,30 @@ func (p *plugin) createUpstream(conn libplugin.ConnMetadata, to pipeConfigTo, or | |||
|
|
|||
| func (p *plugin) findAndCreateUpstream(conn libplugin.ConnMetadata, password string, publicKey []byte) (*libplugin.Upstream, error) { | |||
| user := conn.User() | |||
| userGroups, err := getUserGroups(user) | |||
There was a problem hiding this comment.
read group only when from.Groupname is not empty?
so, any group err will not block the original process
|
rebase plz |
|
I will rebase. I will also fix test cases so they pass the checks for unit tests and E2E. |
eesaanatluri
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We are using the sshpiper yaml plugin for our use case, where we are trying to upgrade our parallel filesystem and migrate users from the older version to the newer version. We want to control which login nodes in the cluster the user can SSH to, based on their data migration status. Doing this for each user is not feasible.
A user-facing proxy VM installed with sshpiper is dedicated to deciding the user's target host to log in.
Our idea was to assign users special Unix groups, (for example group_A and group_B based on their migration status), and route their SSH connections to different login nodes according to their group membership. If they are in
group_Athey are routed to thelogin_node_Aand if they are ingroup_Bthey are routed to thelogin_node_BTo achieve this, we added functionality to the sshpiper yaml plugin so that there is also an option to route users based on group membership.
This PR lets us define a groupname in place of a username in the config file (sshpiperd.yaml) for the yaml plugin to route users based on a Unix group membeship
If the username is not defined in the config file, it checks for groupname and decides their target host upstream.
If the username is defined it goes with the target host upstream, defined for the user. So the original functionality is still intact and we have an additional feature to add groupname in place of username to the config file, if we are dealing with large number of users.
Example sshpiperd.yaml