diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a428e0c9..de409063f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,18 +8,26 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [unreleased] ### Added -- conf: Add gateway `bind_password_file` configuration parameter. Contribution - from @Cornelicorn. - gateway: Support loading LDAP bind password from separate file (#585). Contribution from @Cornelicorn. - ldap-check: Support loading LDAP bind password from separate file. Contribution from @Cornelicorn. +- conf: + - Add gateway `[ldap]`>`bind_password_file` configuration parameter. + Contribution from @Cornelicorn. + - Add gateway `[ldap]`>`lookup_as_user` configuration parameter. Contribution + from @Cornelicorn. ### Changed - gateway: - Check agent version is greater or equal to the minimal supported version specified in gateway configuration settings. - Send asynchronous HTTP requests to discover agents (#438). + - After successful user authentication, when service bind dn and password + are defined in configuration, Slurm-web now retrieves user information + and user groups in LDAP with these credentials by default. Previous behavior + can be restored by setting `lookup_as_user = yes` under the `[ldap]` section + in gateway configuration file (#587). Contribution from @Cornelicorn. - agent: - Change route to information endpoint from `/v{version}/info` to `/info`. - Return version of agent in information endpoint. @@ -27,7 +35,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 responding HTTP/500. - conf: Update description of `agent` > `version` gateway parameter to describe its new semantic. -- pkgs: Set Python _requests_ external library dependency on agent only. +- pkgs: + - Set Python _requests_ external library dependency on agent only. + - Bump minimal version of `RFL.authentication` to v1.5.0. - docs: Update configuration reference documentation. ### Fixed 
diff --git a/conf/vendor/gateway.yml b/conf/vendor/gateway.yml
index b06e3b4d9..b53cb8b4b 100644
--- a/conf/vendor/gateway.yml
+++ b/conf/vendor/gateway.yml
@@ -217,6 +217,17 @@ ldap:
 read bind DN password from. When this parameter is defined, the
 `bind_password` parameter is ignored.
 ex: /etc/slurm-web/ldap_password
+lookup_as_user:
+type: bool
+doc: |
+After successful user authentication, when this parameter is set to _yes_,
+Slurm-web retrieves user information and groups from LDAP directory with
+authenticated user permissions. When this parameter is set to _no_
+Slurm-web searches this information with service `bind_dn` and
+`bind_password` when defined or performs the operation anonymously. When
+this parameter is omitted in configuration (default), Slurm-web uses
+service `bind_dn` and `bind_password` when defined or authenticated user
+permissions as a fallback.
 restricted_groups:
 type: list
 content: str
diff --git a/docs/modules/conf/examples/gateway.ini b/docs/modules/conf/examples/gateway.ini
index 7c11596da..543a807aa 100644
--- a/docs/modules/conf/examples/gateway.ini
+++ b/docs/modules/conf/examples/gateway.ini
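Review bot: The `lookup_as_user` definition added under `ldap:` documents three distinct states (yes, no, omitted) but carries no `default:` key, so the "omitted" behaviour only exists if the settings loader hands the gateway `None` for an absent bool rather than `False`; if it normalises to `False`, an unset parameter silently collapses into the `no` mode, whose fallback without `bind_dn` is an anonymous directory search instead of the authenticated user's own permissions. That distinction matters for the `restricted_groups` check that follows, since it is computed from whatever these lookups return. Worth either an explicit sentence in the doc, e.g. `Leave this parameter undefined to keep the default behaviour; undefined and _no_ are not equivalent.`, or a gateway test that covers the undefined case against a directory that rejects anonymous reads. The behaviour described here is inferred from the doc text; the loader's handling of absent bools is not visible on this page.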
@@ -226,6 +226,16 @@ bind_password=SECR3T # `bind_password` parameter is ignored. bind_password_file=/etc/slurm-web/ldap_password +# After successful user authentication, when this parameter is set to _yes_, +# Slurm-web retrieves user information and groups from LDAP directory with +# authenticated user permissions. When this parameter is set to _no_ +# Slurm-web searches this information with service `bind_dn` and +# `bind_password` when defined or performs the operation anonymously. When +# this parameter is omitted in configuration (default), Slurm-web uses +# service `bind_dn` and `bind_password` when defined or authenticated user +# permissions as a fallback. +lookup_as_user=no + # List of users groups allowed to connect. When this parameter is not # defined, all users in LDAP directory are authorized to sign in. restricted_groups= diff --git a/docs/modules/conf/partials/conf-gateway.adoc b/docs/modules/conf/partials/conf-gateway.adoc index 1595801d8..e9b7e8b05 100644 --- a/docs/modules/conf/partials/conf-gateway.adoc +++ b/docs/modules/conf/partials/conf-gateway.adoc @@ -536,6 +536,24 @@ read bind DN password from. When this parameter is defined, the *Example:* `/etc/slurm-web/ldap_password` +_No default value_ + +|- + +|lookup_as_user +|bool +|After successful user authentication, when this parameter is set to _yes_, +Slurm-web retrieves user information and groups from LDAP directory with +authenticated user permissions. When this parameter is set to _no_ +Slurm-web searches this information with service `bind_dn` and +`bind_password` when defined or performs the operation anonymously. When +this parameter is omitted in configuration (default), Slurm-web uses +service `bind_dn` and `bind_password` when defined or authenticated user +permissions as a fallback. + + + + _No default value_ |- diff --git a/pyproject.toml b/pyproject.toml index 625b71abf..04f2a1da0 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -14,7 +14,7 @@ authors = [
 ]
 dependencies = [
 "Flask",
-"RFL.authentication >= 1.4.0",
+"RFL.authentication >= 1.5.0",
 "RFL.core >= 1.1.0",
 "RFL.log >= 1.4.0",
 "RFL.settings >= 1.4.0",
diff --git a/slurmweb/apps/gateway.py b/slurmweb/apps/gateway.py
index be3f72fd5..42cedf224 100644
--- a/slurmweb/apps/gateway.py
+++ b/slurmweb/apps/gateway.py
@@ -230,6 +230,7 @@ def __init__(self, seed):
 bind_password=bind_password,
 restricted_groups=self.settings.ldap.restricted_groups,
 lookup_user_dn=self.settings.ldap.lookup_user_dn,
+lookup_as_user=self.settings.ldap.lookup_as_user,
 )
 else:
 raise SlurmwebConfigurationError(
diff --git a/slurmweb/apps/ldap.py b/slurmweb/apps/ldap.py
index 4f364f3bf..8ff051247 100644
--- a/slurmweb/apps/ldap.py
+++ b/slurmweb/apps/ldap.py
@@ -45,6 +45,7 @@ def run(self):
 bind_dn=self.settings.ldap.bind_dn,
 bind_password=bind_password,
 restricted_groups=self.settings.ldap.restricted_groups,
+lookup_as_user=self.settings.ldap.lookup_as_user,
 )
 try:
 users = self.authentifier.users(with_groups=True)
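Review bot: With `lookup_as_user` left unset, the group membership that backs `restricted_groups` (passed two lines above the added keyword in the gateway.py hunk) is now read with the service `bind_dn` by default, so that account's LDAP read ACLs become part of the sign-in authorization decision: a service account that cannot read group membership could lock everyone out, and one with broad read rights makes the secret in `bind_password_file` more valuable to protect. A comment at the call site would make this explicit, e.g. `# lookup_as_user unset/no: user and group lookups run with bind_dn's permissions, so its ACLs gate restricted_groups`. The same keyword is forwarded in the ldap.py hunk for the ldap-check utility, which has no authenticated user and then calls `users(with_groups=True)`; whether the library ignores `lookup_as_user` on that path is not visible here, so a short note such as `# no user session here: users() relies on the service bind (or anonymous) regardless of lookup_as_user — confirm against RFL.authentication` would save the next reader the question. Both enclosing functions, `__init__(self, seed)` and `run(self)`, start outside their hunks.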