PR-1505: Introduce LibAuth and refactoring in DIS/TPP support routines


How to use LibAuth API Interface to design new auth library

This section explains how to use the LibAuth API interface to design a new auth library that can be used to authenticate a user/connection and to encrypt/decrypt data for PBS (or any other application that follows the LibAuth API specification).

As per the LibAuth API specification, you have to define all APIs mentioned in the specification except two optional APIs (auth_encrypt_data and auth_decrypt_data); if your auth library supports encryption and decryption of data, then you must define auth_encrypt_data and auth_decrypt_data.

The name of the new auth library must be "libauth_<auth method name>.so", where "auth method name" is the name that identifies your library, for example "munge" for Munge authentication or "gss" for GSS/Kerberos authentication.

The new auth library should be installed in the PREFIX/lib directory of the application. For PBS it should be installed in the PBS_EXEC/lib directory.

If the new auth library has any executables, they should be installed in PREFIX/bin or PREFIX/sbin. For PBS this is PBS_EXEC/bin or PBS_EXEC/sbin.

Munge + LibAuth = libauth_munge.so

This is the authentication library built on top of Munge authentication. It supports only the authentication part; it does not encrypt or decrypt data.

GSS/Kerberos + LibAuth = libauth_gss.so

This is the authentication library built on top of GSS/Kerberos authentication. It supports authentication as well as encrypting/decrypting data.

How PBS uses LibAuth APIs

PBS_AUTH_METHOD in the PBS configuration file (or as an environment variable) specifies which authentication method PBS should use. The possible values in PBS as of now are "MUNGE" (for Munge authentication), "GSS" (for GSS/Kerberos authentication) and "resvport" (for reserved-port authentication).

"resvport" is the default value for PBS_AUTH_METHOD if it is not specified in the PBS configuration file.

Once PBS loads its configuration, it calls load_auth_lib(), which decides which auth library to load dynamically based on the "auth_method" and "is_auth_resvport" members of the "pbs_config" structure.

If it is an external auth method (i.e. pbs_conf.is_auth_resvport == 0 and auth_method != "resvport"), then it tries to load "libauth_<auth_method>.so" from the PBS_EXEC/lib directory.

Once the appropriate libauth is loaded using dlopen()/LoadLibrary(), it resolves the LibAuth APIs from the loaded library using dlsym()/GetProcAddress() and stores them in global function pointers for LibAuth (see src/lib/Libifl/auth.c for those function pointers).

The rest of the PBS code then uses those function pointers to access the LibAuth APIs of the given auth library.

For more details, see the flows below on where and how each LibAuth API is used in PBS to authenticate and to encrypt/decrypt data.

For now "resvport" is considered the internal and default auth method, as it is still part of the PBS code, and all other auth methods are considered external auth methods; in the future, if resvport becomes an auth library, it will also be considered an external auth method.
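The loader described above, as an added example that is not OpenPBS code: it builds "PREFIX/lib/libauth_<method>.so", treats "resvport" as the internal method with nothing to load, and resolves the entry points with dlsym(). Only the names auth_encrypt_data and auth_decrypt_data come from this page; the "auth_do_handshake" entry, the function signatures and the "/opt/pbs" default prefix are assumptions standing in for whatever the LibAuth specification actually lists. Because PBS_AUTH_METHOD can come from the environment, the example validates the method name before it becomes part of a file name, so a value like "../x" cannot make dlopen() leave PREFIX/lib. It assumes glibc 2.34 or newer (dlopen in libc); on older systems link with -ldl.

```c
#include <ctype.h>
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical signature shared by the LibAuth data entry points. */
typedef int (*auth_data_fn)(void *ctx, const void *in, size_t inlen,
                            void **out, size_t *outlen);

struct libauth {
	void *handle;              /* dlopen() handle; NULL for internal resvport */
	auth_data_fn do_handshake; /* hypothetical mandatory API */
	auth_data_fn encrypt_data; /* optional: auth_encrypt_data */
	auth_data_fn decrypt_data; /* optional: auth_decrypt_data */
	int supports_encryption;   /* 1 when both optional APIs resolved */
};

/* Accept only [A-Za-z0-9_] so the name cannot carry path separators.
 * Returns 1 if acceptable, 0 otherwise. */
int auth_method_name_ok(const char *method)
{
	size_t i, n;
	if (method == NULL || *method == '\0')
		return 0;
	n = strlen(method);
	if (n > 32)
		return 0;
	for (i = 0; i < n; i++) {
		unsigned char c = (unsigned char)method[i];
		if (!isalnum(c) && c != '_')
			return 0;
	}
	return 1;
}

/* Build "<prefix>/lib/libauth_<method>.so" into buf.
 * Returns 0 on success, -1 on a bad name or a truncated result. */
int build_auth_lib_path(const char *prefix, const char *method,
                        char *buf, size_t buflen)
{
	int n;
	if (prefix == NULL || !auth_method_name_ok(method))
		return -1;
	n = snprintf(buf, buflen, "%s/lib/libauth_%s.so", prefix, method);
	if (n < 0 || (size_t)n >= buflen)
		return -1;
	return 0;
}

/* Resolve one symbol; NULL when the library does not export it. */
static auth_data_fn resolve(void *handle, const char *name)
{
	auth_data_fn fn;
	*(void **)(&fn) = dlsym(handle, name); /* POSIX idiom for object->function pointer */
	return fn;
}

/* "resvport" is internal (nothing to load); anything else must be an
 * external "libauth_<method>.so". Every mandatory API must resolve;
 * auth_encrypt_data/auth_decrypt_data are optional, but a library exporting
 * only one of the pair is rejected rather than used half-way.
 * Returns 0 on success, -1 on failure (lib is left zeroed). */
int load_auth_lib(const char *prefix, const char *method, struct libauth *lib)
{
	char path[4096];

	memset(lib, 0, sizeof(*lib));
	if (method != NULL && strcmp(method, "resvport") == 0)
		return 0;
	if (build_auth_lib_path(prefix, method, path, sizeof(path)) != 0)
		return -1;

	lib->handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
	if (lib->handle == NULL) {
		fprintf(stderr, "load_auth_lib: %s\n", dlerror());
		return -1;
	}
	lib->do_handshake = resolve(lib->handle, "auth_do_handshake"); /* hypothetical name */
	lib->encrypt_data = resolve(lib->handle, "auth_encrypt_data");
	lib->decrypt_data = resolve(lib->handle, "auth_decrypt_data");

	if (lib->do_handshake == NULL ||
	    (lib->encrypt_data == NULL) != (lib->decrypt_data == NULL)) {
		fprintf(stderr, "load_auth_lib: %s does not implement the LibAuth API\n", path);
		dlclose(lib->handle);
		memset(lib, 0, sizeof(*lib));
		return -1;
	}
	lib->supports_encryption = (lib->encrypt_data != NULL);
	return 0;
}

int main(int argc, char **argv)
{
	struct libauth lib;
	const char *prefix = argc > 1 ? argv[1] : "/opt/pbs"; /* constructed default */
	const char *method = argc > 2 ? argv[2] : "munge";
	if (load_auth_lib(prefix, method, &lib) != 0)
		return 1;
	printf("%s: loaded, encryption %s\n", method,
	       lib.supports_encryption ? "supported" : "not supported");
	if (lib.handle)
		dlclose(lib.handle);
	return 0;
}
```

Run it as `./loader /path/to/PBS_EXEC munge`; with no library installed it reports the dlopen() error and exits non-zero instead of continuing with null function pointers, which is the failure mode a caller of the global LibAuth pointers would otherwise hit at the first authentication attempt.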

How Client Authenticates to Server (TCP)

How Server Authenticates Client (TCP)

How TPP Leaf/Router Authenticates to Router

How Secure Data Flows in a TCP Connection (between Client and Server)

How Secure Data Flows in a TPP Connection (between TPP Leaf/Router and Router)

Changes in PR:

  • Removed tcparray, pbs_client_thread_lock_tcp() and pbs_client_thread_unlock_tcp()
  • fd number == index in connection table
  • Removed unused ch_stream from the connection struct, and removed ch_inuse and ch_socket from the same struct as they are no longer needed
  • Removed pbs_connection_getsocket() and socket_to_handle(), since they are not needed now that fd == index
  • Moved the TCP chan into the connection structure
  • New value for PBS_AUTH_METHOD, "resvport", to indicate reserved-port auth; it is the default value
  • Removed the pbs_auth_method enum, as it is no longer needed
  • Removed PBSPRO_IGNORE_KERBEROS, not needed anymore; all its use cases can be fulfilled by PBS_AUTH_METHOD=resvport
  • Changed pbs_conf.auth_method from a flag to a char array to store the auth method name, needed by load_auth_lib()
  • Changed tpp_config.auth_method from a flag to a char array to store the auth method name, needed by post_connect and pkt_handler()
  • Added pbs_conf.is_auth_resvport to indicate whether the current auth is reserved-port or not, just to save a few strcmp() calls
  • Removed unused cnt2mom()
  • Removed PBS_NET_CONN_GSSAPIAUTH and B_EXTERNAL, no longer needed
  • Removed get_ext_auth_data and validate_ext_auth_data from the tpp_config struct and from the args to set_tpp_config(), no longer needed
  • Removed the DIS function pointers and merged all DIS routines for the different transports (see dis_helpers.c)
  • Changed the TPP transport handlers to support generic authentication and data encryption/decryption for any kind of auth method
  • Merged the PBS_BATCH_AuthenResvPort and PBS_BATCH_AuthExternal batch request types into one generic batch request type called PBS_BATCH_Authenticate
  • Merged the rq_authen_resvport and rq_authen_external structs into one generic struct called rq_auth in batch_request.h
  • Removed engage_external_authentication(), as all of its functionality is covered by use of the LibAuth API at different places in the code
  • Removed the SC_DAEMON macro and its use to mark the connection as a privileged connection in req_connect(); no one uses SC_DAEMON, it was introduced in the earlier Multi-Sched design, and the new Multi-Sched design doesn't need it
  • Removed Libifl/tcp_dis_gss.c, Libifl/tcp_dis_win.c and Libtpp/tpp_dis.c, as all of their functionality is covered by tcp_dis.c and the refactored DIS methods in dis_helpers.c

