server_access
Server Access
Explicit passwd entries for shell accounts and SFTP.
- This module sends the following signals:
- server_access/sftp
- server_access/ssh
Schema Contents
Tables
server_access.user
unix user
- Primary key
- user
- Foreign keys
Reference service entity
- Local Columns
- service_entity_name
- service
- Referenced Columns
Reference subservice entity
- Local Columns
- service_entity_name
- service
- subservice
- Referenced Columns
- Columns
service_entity_name
dns.t_hostname — Service entity name
service
commons.t_key — Service (e.g. email, jabber)
subservice
commons.t_key — Subservice (e.g. account, alias)
backend_status
NULL | backend.t_status — Status of the database entry in the backend. NULL: nothing pending, 'ins': entry not yet present on the backend client, 'upd': update pending on the backend client, 'del': deletion pending on the backend client.
- Default
'ins'
owner
user.t_user — Owner
References user.user.owner
On Update: CASCADE
uid
integer — Unix user identifier
- Default
nextval('commons.uid')
user
server_access.t_user — User
password
NULL | commons.t_password — Unix shadow crypt format (a hash, never the plaintext; NULL disables password login)
Functions
server_access.del_user
delete
- Parameters
p_user
server_access.t_user
p_service_entity_name
dns.t_hostname
- Variables defined for body
v_subservice
commons.t_key
v_owner
user.t_user
- Returns
- void
- Execute privilege
-- begin userlogin prelude
-- Resolve the acting user from the current login; every statement below is
-- restricted to owner = v_owner, so a caller can only affect rows they own.
v_owner := (SELECT t.act_as FROM "user"._get_login() AS t);
-- end userlogin prelude
BEGIN
-- perform DELETE to trigger potential foreign key errors
-- This DELETE is only a probe: a foreign-key violation raised here is not
-- matched by the handler below (which catches only transaction_rollback), so
-- it propagates to the caller and the row is never flagged 'del' while still
-- referenced.
DELETE FROM server_access.user
WHERE
"user" = p_user AND
service_entity_name = p_service_entity_name AND
owner = v_owner;
-- if not failed yet, emulate rollback of DELETE
-- Raising into the block's own EXCEPTION handler discards the probe DELETE
-- before the handler body runs (see the comment above).
RAISE transaction_rollback;
EXCEPTION
WHEN transaction_rollback THEN
-- Soft delete: flag the row for the backend instead of removing it.  The
-- physical DELETE of 'del' rows is done by srv_user's "d" CTE once the
-- backend serves the service entity.
UPDATE server_access.user
SET backend_status = 'del'
WHERE
"user" = p_user AND
service_entity_name = p_service_entity_name AND
owner = v_owner
RETURNING subservice INTO v_subservice;
-- FOUND reflects the UPDATE above: no owned row matched -> no notification,
-- and no hint about rows owned by somebody else.
PERFORM backend._conditional_notify_service_entity_name(
FOUND, p_service_entity_name, 'server_access', v_subservice
);
END;
server_access.ins_user
ins user
- Parameters
p_user
server_access.t_user
p_service_entity_name
dns.t_hostname
p_subservice
commons.t_key
p_password
commons.t_password_plaintext
- Variables defined for body
v_password
commons.t_password
v_owner
user.t_user
- Returns
- void
- Execute privilege
-- begin userlogin prelude
v_owner := (SELECT t.act_as FROM "user"._get_login() AS t);
-- end userlogin prelude
-- Hash the plaintext before it reaches the table; a NULL password is stored
-- as NULL (no password login for the account).
v_password := CASE
    WHEN p_password IS NULL THEN NULL
    ELSE commons._hash_password(p_password)
END;
-- The row is created in the name of the acting user; service is fixed to
-- this module, so the backend can route the notification below.
INSERT INTO server_access.user (
    service,
    subservice,
    service_entity_name,
    "user",
    password,
    owner
) VALUES (
    'server_access',
    p_subservice,
    p_service_entity_name,
    p_user,
    v_password,
    v_owner
);
-- Signal the backend that this service entity / subservice has a pending change.
PERFORM backend._notify_service_entity_name(p_service_entity_name, 'server_access', p_subservice);
server_access.sel_user
sel user
- Parameters
- None
- Variables defined for body
v_owner
user.t_user
- Returns
- TABLE
- Returned columns
user
server_access.t_user
password_login
boolean
service
commons.t_key
subservice
commons.t_key
service_entity_name
dns.t_hostname
backend_status
backend.t_status
- Execute privilege
-- begin userlogin prelude
v_owner := (SELECT t.act_as FROM "user"._get_login() AS t);
-- end userlogin prelude
-- List only the caller's own accounts.  The password hash itself is never
-- returned; the second column just tells whether one is set.
RETURN QUERY
SELECT
    sa.user,
    (sa.password IS NOT NULL),
    sa.service,
    sa.subservice,
    sa.service_entity_name,
    sa.backend_status
FROM server_access.user AS sa
WHERE sa.owner = v_owner
ORDER BY sa.backend_status, sa."user";
server_access.srv_user
backend server_access.user
- Parameters
p_include_inactive
boolean
- Returns
- TABLE
- Returned columns
user
server_access.t_user
password
commons.t_password
service
commons.t_key
subservice
commons.t_key
service_entity_name
dns.t_hostname
backend_status
backend.t_status
uid
int
- Execute privilege
-- Backend (machine) login check; unlike the user-facing functions there is no
-- act_as here, rows are selected by machine privilege rather than by owner.
PERFORM backend._get_login();
-- NOTE(review): this result set includes the password hash (t.password), so
-- EXECUTE on this function should be granted to the backend role only.
RETURN QUERY
WITH
-- DELETE
-- Physically remove rows that del_user flagged for deletion, restricted to
-- services this machine is privileged for.
d AS (
DELETE FROM server_access.user AS t
WHERE
backend._deleted(t.backend_status) AND
backend._machine_priviledged_service(t.service, t.service_entity_name)
),
-- UPDATE
-- Acknowledge rows backend._active treats as pending (presumably 'ins'/'upd')
-- by clearing backend_status, so they are not reported as changes again.
s AS (
UPDATE server_access.user AS t
SET backend_status = NULL
WHERE
backend._machine_priviledged_service(t.service, t.service_entity_name) AND
backend._active(t.backend_status)
)
-- SELECT
-- NOTE(review): in PostgreSQL the main query sees the snapshot taken before
-- the data-modifying CTEs ran, so on this call the rows handled by d and s
-- are still returned with their pre-change backend_status (e.g. 'del'),
-- which looks intended so the backend can act on them once — confirm.
SELECT
t.user,
t.password,
t.service,
t.subservice,
t.service_entity_name,
t.backend_status,
t.uid
FROM server_access.user AS t
WHERE
backend._machine_priviledged_service(t.service, t.service_entity_name) AND
(backend._active(t.backend_status) OR p_include_inactive);
server_access.upd_user
passwd user
- Parameters
p_user
server_access.t_user
p_service_entity_name
dns.t_hostname
p_password
commons.t_password_plaintext
- Variables defined for body
v_password
commons.t_password (default: NULL)
v_subservice
commons.t_key
v_owner
user.t_user
- Returns
- void
- Execute privilege
-- begin userlogin prelude
-- Resolve the acting user; the UPDATE below is limited to owner = v_owner.
v_owner := (SELECT t.act_as FROM "user"._get_login() AS t);
-- end userlogin prelude
-- Only the hash leaves this function; the plaintext is never written.
-- v_password defaults to NULL, so a NULL p_password stores NULL and thereby
-- disables password login (cf. sel_user's password_login) — looks deliberate,
-- confirm with callers.
IF p_password IS NOT NULL THEN
v_password := commons._hash_password(p_password);
END IF;
-- Mark the row for the backend; srv_user clears the status once served.
UPDATE server_access.user
SET
password = v_password,
backend_status = 'upd'
WHERE
"user" = p_user AND
service_entity_name = p_service_entity_name AND
owner = v_owner
RETURNING subservice INTO v_subservice;
-- FOUND reflects the UPDATE: nothing is signalled when no owned row matched.
PERFORM backend._conditional_notify_service_entity_name(
FOUND, p_service_entity_name, 'server_access', v_subservice
);
Domains
server_access.t_user
Unix user. This type only allows a subset of those names allowed by POSIX.
- Checks
valid_characters
Only allow lower-case characters.
VALUE ~ '^[a-z0-9\-_]+$'
no_repeated_hyphens
Reserve double hyphens as a separator for system-generated users.
NOT (VALUE LIKE '%--%')
no_starting_hyphen
No hyphens at the beginning: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_431
left(VALUE, 1) <> '-'