Bug #4989

closed

[Deployment] Switchyard should behave correctly when one SSH key has access to multiple VMs using different usernames.

Added by Tim Pierce over 9 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: Deployment
Target version: -
Story points: 0.5

Description

There's a lack of coordination between switchyard and the API server's authorized_keys table that can lead to a situation like this:

If a user has been given login permission to different hosts with the same SSH key, but with different usernames, e.g. if alice logs in as alice to some VMs but bob to others:

  tail_uuid: qr1hi-tpzed-alice
  head_uuid: qr1hi-2x53u-shellvmalpha
  link_class: permission
  name: can_login
  properties: {'username': 'alice'}

  tail_uuid: qr1hi-tpzed-alice
  head_uuid: qr1hi-2x53u-shellvmbeta
  link_class: permission
  name: can_login
  properties: {'username': 'bob'}

... switchyard may not choose the correct username for the VM in question, and may e.g. attempt to authenticate alice to 'shellvmalpha' as bob rather than alice.

We should decide on which policy we want:
  1. Users must use the same username for each host that shares a single SSH key
  2. Users may log in to different VMs with different usernames, even if reusing the SSH key

and make sure the policy is implemented properly in software.
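
Added example, not part of the original report and not Switchyard or API server code: a Python sketch of both policies, using the two links from the description. The key fingerprint, the `AUTHORIZED_KEYS` mapping and all function names are hypothetical, and the key-only lookup is an assumed illustration of how the ambiguity can arise.

```python
from collections import defaultdict

# Constructed sample data mirroring the two permission links in the report.
LINKS = [
    {"tail_uuid": "qr1hi-tpzed-alice", "head_uuid": "qr1hi-2x53u-shellvmalpha",
     "link_class": "permission", "name": "can_login",
     "properties": {"username": "alice"}},
    {"tail_uuid": "qr1hi-tpzed-alice", "head_uuid": "qr1hi-2x53u-shellvmbeta",
     "link_class": "permission", "name": "can_login",
     "properties": {"username": "bob"}},
]
# Hypothetical key table: key fingerprint -> owning user UUID.
AUTHORIZED_KEYS = {"SHA256:constructed-key-1": "qr1hi-tpzed-alice"}


def login_links(links):
    """Yield (user_uuid, vm_uuid, username) for valid can_login links only."""
    for l in links:
        if l.get("link_class") == "permission" and l.get("name") == "can_login":
            username = (l.get("properties") or {}).get("username")
            if username:
                yield l["tail_uuid"], l["head_uuid"], username


def usernames_by_key_only(fingerprint, links=LINKS, keys=AUTHORIZED_KEYS):
    """Ambiguous lookup: every username the key owner holds on any VM."""
    owner = keys.get(fingerprint)
    return sorted({u for user, _, u in login_links(links) if user == owner})


def resolve_username(fingerprint, vm_uuid, links=LINKS, keys=AUTHORIZED_KEYS):
    """Policy 2: resolve per (key owner, target VM); refuse if not exactly one."""
    owner = keys.get(fingerprint)
    if owner is None:
        raise PermissionError("unknown key")
    names = {u for user, vm, u in login_links(links)
             if user == owner and vm == vm_uuid}
    if len(names) != 1:
        raise PermissionError(f"{len(names)} usernames for {owner} on {vm_uuid}")
    return names.pop()


def policy1_violations(links=LINKS):
    """Policy 1: report users whose can_login links use more than one username."""
    seen = defaultdict(set)
    for user, _, username in login_links(links):
        seen[user].add(username)
    return {user: sorted(names) for user, names in seen.items() if len(names) > 1}
```

With the sample links, the key-only lookup returns two candidate usernames, while the per-VM lookup returns exactly one or refuses the login.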
