Bug #4989

[Deployment] Switchyard should behave correctly when one SSH key has access to multiple VMs using different usernames.

Added by Tim Pierce over 4 years ago. Updated 3 months ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: Deployment
Target version:
Start date: 01/15/2015
Due date:
% Done: 0%
Estimated time:
Story points: 0.5

Description

There's a lack of coordination between switchyard and the API server's authorized_keys table that can lead to a situation like this:

If a user has been given login permission to different hosts with the same SSH key, but with different usernames, e.g. if alice logs in as alice to some VMs but bob to others:

  tail_uuid: qr1hi-tpzed-alice
  head_uuid: qr1hi-2x53u-shellvmalpha
  link_class: permission
  name: can_login
  properties: {'username': 'alice'}

  tail_uuid: qr1hi-tpzed-alice
  head_uuid: qr1hi-2x53u-shellvmbeta
  link_class: permission
  name: can_login
  properties: {'username': 'bob'}

... switchyard may not choose the correct username for the VM in question, and may e.g. attempt to authenticate alice to 'shellvmalpha' as bob rather than alice.

We should decide on which policy we want:
  1. Users must use the same username for each host that shares a single SSH key
  2. Users may log in to different VMs with different usernames, even if reusing the SSH key

and make sure the policy is implemented properly in software.
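
An added sketch of the two policies listed above, not part of the original report and not Switchyard's own code. It assumes a hypothetical key table mapping a key fingerprint to its owning user UUID; the fingerprint and all function names are constructed for illustration, and `resolve_by_key_only` only mimics the failure described.

```python
# Constructed sample data mirroring the two can_login links in the report.
LINKS = [
    {"tail_uuid": "qr1hi-tpzed-alice", "head_uuid": "qr1hi-2x53u-shellvmalpha",
     "link_class": "permission", "name": "can_login",
     "properties": {"username": "alice"}},
    {"tail_uuid": "qr1hi-tpzed-alice", "head_uuid": "qr1hi-2x53u-shellvmbeta",
     "link_class": "permission", "name": "can_login",
     "properties": {"username": "bob"}},
]
# Hypothetical key table: fingerprint -> owning user UUID (constructed value).
KEY_OWNERS = {"SHA256:constructed-alice-key": "qr1hi-tpzed-alice"}


def login_links(user_uuid, links):
    """Return the can_login permission links granted to one user."""
    return [link for link in links
            if link["link_class"] == "permission" and link["name"] == "can_login"
            and link["tail_uuid"] == user_uuid]


def resolve_by_key_only(fingerprint, links=LINKS, owners=KEY_OWNERS):
    """Failure mode from the report: the target VM is ignored."""
    found = login_links(owners.get(fingerprint), links)
    return found[-1]["properties"]["username"] if found else None


def resolve_username(fingerprint, vm_uuid, links=LINKS, owners=KEY_OWNERS):
    """Policy 2: pick the username from the link for this key owner AND this VM."""
    user = owners.get(fingerprint)
    if user is None:
        return None
    names = {link["properties"]["username"] for link in login_links(user, links)
             if link["head_uuid"] == vm_uuid}
    # Fail closed: no link for this VM, or conflicting links, means no login.
    return names.pop() if len(names) == 1 else None


def policy1_violations(links=LINKS):
    """Policy 1: report users whose can_login links carry more than one username."""
    per_user = {}
    for link in links:
        if link["link_class"] == "permission" and link["name"] == "can_login":
            per_user.setdefault(link["tail_uuid"], set()).add(link["properties"]["username"])
    return {user: sorted(names) for user, names in per_user.items() if len(names) > 1}
```
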

History

#1 Updated by Tom Clegg over 4 years ago

  • Subject changed from [API] enforce username restrictions on ssh keys to [Deployment] Switchyard should behave correctly when one SSH key has access to multiple VMs using different usernames.
  • Category changed from API to Deployment
  • Assigned To set to Ward Vandewege

#2 Updated by Brett Smith over 4 years ago

  • Target version changed from Bug Triage to 2015-02-18 sprint

#3 Updated by Tom Clegg over 4 years ago

  • Story points set to 0.5

#4 Updated by Tom Clegg over 4 years ago

  • Target version changed from 2015-02-18 sprint to Arvados Future Sprints

#5 Updated by Ward Vandewege 3 months ago

  • Status changed from New to Resolved
