From 17b53730718e211c4e19f5bb4c6a0d17d6efb112 Mon Sep 17 00:00:00 2001
From: lissav
Date: Fri, 12 Mar 2010 18:35:54 +0000
Subject: [PATCH] add supported for trusted polciy for MN and update request->{username}

git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@5459 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd
---
 xCAT-server/sbin/xcatd | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/xCAT-server/sbin/xcatd b/xCAT-server/sbin/xcatd
index 752ee606b..1fb07c8e4 100755
--- a/xCAT-server/sbin/xcatd
+++ b/xCAT-server/sbin/xcatd
@@ -1573,10 +1573,16 @@ sub validate {
 xCAT::MsgUtils->message("S","Unable to open policy data, denying");
 return 0;
 }
+
 my $policies = $policytable->getAllEntries;
 $policytable->close;
 my $rule;
+ my $peerstatus;
 RULE: foreach $rule (@$policies) {
+ # check to see if peerhost is trusted
+ if (($rule->{name} eq $peerhost) && ($rule->{rule}=~ /trusted/i)) {
+ $peerstatus="Trusted";
+ }
 if ($rule->{name} and $rule->{name} ne '*') {
 #TODO: more complex matching (lists, wildcards)
 next unless ($peername and $peername eq $rule->{name});
@@ -1606,7 +1612,7 @@ sub validate {
 }
 if ($rule->{noderange} and $rule->{noderange} ne '*') {
 my $matchall=0;
- if ($rule->{rule} =~ /allow/i or $rule->{rule} =~ /accept/i) {
+ if ($rule->{rule} =~ /allow/i or $rule->{rule} =~ /accept/i or $rule->{rule} =~ /trusted/i) {
 $matchall=1;
 }
 if (defined $request->{noderange}->[0]) {
@@ -1638,7 +1644,7 @@ sub validate {
 my $logst;
 my $rc;
 my $status;
- if ($rule->{rule} =~ /allow/i or $rule->{rule} =~ /accept/i) {
+ if ($rule->{rule} =~ /allow/i or $rule->{rule} =~ /accept/i or $rule->{rule} =~ /trusted/i) {
 $logst = "xCAT: Allowing ".$request->{command}->[0];
 $status = "Allowed";
 $rc=1;
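Review bot: The trusted check added at the top of the RULE loop fires on the `name` column alone, before the rule's command and noderange restrictions are evaluated further down the loop body, so a `trusted` row that is scoped to one command still marks the peer Trusted for every request; if that scoping is meant to apply, the `$peerstatus` assignment should move below the `next` checks for that rule. `$peerstatus` is declared without a value and the later hunk compares it with `ne "Trusted"`, which warns under `use warnings` whenever no trusted row matched; declare it as `my $peerstatus = '';`. The `eq $peerhost` comparison is unguarded, so an undefined `$peerhost` together with a policy row whose `name` is empty satisfies it; guard it with `if (defined $peerhost && defined $rule->{name} && $rule->{name} eq $peerhost && $rule->{rule} =~ /trusted/i) {`. validate's body continues outside the hunk.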
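Review bot: The allow test is now a three-alternative regex chain duplicated verbatim in this hunk and again in the hunk at -1638; define it once, e.g. `my $allow_re = qr/allow|accept|trusted/i;` before the loop, and test `$rule->{rule} =~ $allow_re` in both places so the set of allowing verbs cannot drift between the two sites. Note that `/trusted/i`, like the existing `/allow/i`, is an unanchored substring match, so any rule value containing that word is treated as allowing; if exact verbs are intended, anchor the alternatives with `\A` and `\z`.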
@@ -1647,6 +1653,15 @@ sub validate {
 $status = "Denied";
 $rc=0;
 }
+ # set username authenticated to run command
+ # if from Trusted host, use input username, else set from creds
+ if (($request->{username}) && defined($request->{username}->[0])) {
+ if ($peerstatus ne "Trusted" ) { # then set to peername
+ $request->{username}->[0] = $peername;
+ }
+ } else {
+ $request->{username}->[0] = $peername;
+ }
 if ($request->{noderange} && defined($request->{noderange}->[0])) {
 $logst .= " to ".$request->{noderange}->[0];
 }
 # add each argument
 my $args = $request->{arg};
@@ -1656,14 +1671,13 @@ sub validate {
 $arglist .= " " . $argument;
 }
 $logst .= $arglist;
- if ($peername) { $logst .= " for " . $peername };
+ if($peername) { $logst .= " for " . $request->{username}->[0]};
 if ($peerhost) { $logst .= " from " . $peerhost };
- # xCAT::MsgUtils->message("S",$logst);
 # put in audit Table
 my $rsp = {};
 $rsp->{syslogdata}->[0] = $logst;
 if ($peername) {
- $rsp->{userid} ->[0] = $peername;
+ $rsp->{userid} ->[0] = $request->{username}->[0];
 }
 if ($peerhost) {
 $rsp->{clientname} -> [0] = $peerhost;
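Review bot: The nested if/else that rewrites `$request->{username}->[0]` expresses two outcomes as three branches — the client-supplied name survives only when the peer is Trusted, and every other path assigns `$peername` — and can be collapsed to `$request->{username}->[0] = $peername unless $peerstatus eq 'Trusted' && defined $request->{username}->[0];`, which also reads as the policy it implements. Because `$peerstatus` is only ever assigned inside the RULE loop and never initialised, the `ne "Trusted"` comparison here emits an uninitialised-value warning on every untrusted request; the fix belongs at the declaration in the first hunk. The two-line comment should state the contract more precisely, e.g. `# Only a peer matched by a 'trusted' policy row may assert a username; everyone else is pinned to the authenticated peername`, since this block is where the delegation decision is enforced. The enclosing validate sub starts and ends outside this hunk.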
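Review bot: With both the syslog line and the `userid` field of the audit record now carrying `$request->{username}->[0]`, the credential that actually authenticated the connection (`$peername`) no longer appears anywhere in the audit trail when a Trusted peer asserts a different user, so the delegation cannot be reconstructed afterwards; keep both, e.g. `if ($peername) { $logst .= " for " . $request->{username}->[0]; $logst .= " via " . $peername if $request->{username}->[0] ne $peername }`, and store `$peername` in an additional `$rsp` field (named per the audit table's schema) alongside `userid`. The rewritten line also dropped the space in `if($peername)` and before the closing `}`, which no longer matches the `if ($peerhost)` line directly below it; restore `if ($peername) { ... };` for consistency.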