Add MFA support for SSHExecutor #348

Merged
merged 10 commits into from
May 27, 2024

@giffels giffels commented May 23, 2024

This pull request adds support for multi-factor authentication (MFA) to the SSHExecutor to be used with clusters enforcing MFA to access login nodes for job submission.

@giffels giffels added the enhancement New feature or request label May 23, 2024
@giffels giffels force-pushed the add/mfa-ssh-support branch from af3ebc4 to 1de0bee Compare May 23, 2024 15:21
codecov-commenter commented May 23, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98.93%. Comparing base (2edc478) to head (2858c81).
Report is 1 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #348      +/-   ##
==========================================
+ Coverage   98.92%   98.93%   +0.01%     
==========================================
  Files          55       55              
  Lines        2226     2255      +29     
==========================================
+ Hits         2202     2231      +29     
  Misses         24       24              


@@ -75,7 +75,7 @@
#
# This is also used if you do content translation via gettext catalogs.
# Usually you set "language" from the command line for these cases.
language = None
language = "en"
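
Review bot: the language = "en" line in the Sphinx configuration is unrelated to MFA support. Putting it in its own commit, with the Sphinx complaint it addresses named in the message, would keep the feature change easier to review and to revert.
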
Member Author

Unrelated change. Sphinx was complaining about language being None.

@giffels giffels force-pushed the add/mfa-ssh-support branch from 39f6196 to 121d8d8 Compare May 24, 2024 11:20
@giffels giffels force-pushed the add/mfa-ssh-support branch from 121d8d8 to ce68e20 Compare May 24, 2024 11:43
new_cls = cls
if isinstance(node, yaml.nodes.MappingNode):
parameters = loader.construct_mapping(node)
parameters = loader.construct_mapping(node, deep=settings.eager)
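
Review bot: on the construct_mapping(node, deep=settings.eager) line, nested lists and dictionaries are built in full only when settings.eager is true; with it false, PyYAML fills nested containers after the mapping is returned, so a constructor that inspects a nested value such as a list of MFA entries can see it empty. Consider documenting that nested parameters require eager mode, and adding a test that loads a nested mapping with eager both on and off.
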
Member Author

This is necessary since MFA is using nested lists and dictionaries, when initialised using a yaml tag. This function is only used in the unittest. In real life it will be evaluated by COBalD, which already supports eager evaluation of yaml tags.

@giffels giffels marked this pull request as ready for review May 24, 2024 11:50
@giffels giffels requested review from maxfischer2781, a team and RHofsaess and removed request for a team May 24, 2024 11:50
@maxfischer2781 maxfischer2781 left a comment

That is simpler than expected! However, for good measure I would like to raise the issue of bikeshed color parameter naming.

tardis/utilities/executors/sshexecutor.py Outdated
Comment on lines 80 to 82
mfa_secrets:
- prompt: "Enter 2FA Token:"
secret: "IMIZDDO2I45ZSTR6XDGFSPFDUY"
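
Review bot: the secret value under mfa_secrets is a TOTP seed kept in plain text in the configuration. The documentation around this example should say that the value shown is a placeholder and that the configuration file must be readable only by the account running the service, since anyone who can read it can generate valid second-factor codes.
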
Member

Sorry, my head is a bit hung up on having mfa_secrets->secret. It duplicates the information without saying much.

  • Instead of mfa_secrets I recommend to use totp so it's clear which method we are dealing with (not that I necessarily expect another, but it's free lunch).
  • Instead of secret I could also see key working here, since that is what it's called often. However, secret has the added benefit of being just as long as prompt and I kind of like how the colons align... 🫣

@giffels giffels May 24, 2024

What about calling it mfa_config instead?

mfa_config:
  - prompt: "Enter 2 FA TOken:"
    secret: "IMIZDDO2I45ZSTR6XDGFSPFDUY"

Three colons aligned. 👍

Member Author

However, I think

mfa_config:
  - prompt: "Enter 2 FA TOken:"
    totp: "IMIZDDO2I45ZSTR6XDGFSPFDUY"

is much better. Since it's clear that we are just supporting totp.
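
How a prompt/totp entry of the kind discussed above can be turned into a keyboard-interactive answer, as an added example that is not code from this pull request: totp() follows RFC 6238 with HMAC-SHA1, and answer_prompts() and SAMPLE_CONFIG are hypothetical names. The seed is the RFC 6238 test key rather than the one quoted in the thread, and the exact-match rule for prompts is an assumption, not a description of the SSHExecutor.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample in the prompt/totp layout from the thread. The seed is the
# RFC 6238 test key ("12345678901234567890" in base32), not a real credential.
SAMPLE_CONFIG = [
    {"prompt": "Enter 2FA Token:", "totp": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
]


def totp(seed_b32, now=None, step=30, digits=6):
    """Return the RFC 6238 code (HMAC-SHA1) for a base32 seed at time `now`."""
    seed = seed_b32.replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)  # seeds are usually stored without padding
    key = base64.b32decode(seed)
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def answer_prompts(prompts, mfa_config, now=None):
    """Answer each server prompt from its configured seed.

    A prompt without an exact (whitespace-stripped) match raises instead of
    being answered, so a code is never sent to an unexpected question.
    """
    seeds = {entry["prompt"].strip(): entry["totp"] for entry in mfa_config}
    answers = []
    for prompt in prompts:
        if prompt.strip() not in seeds:
            raise LookupError(f"no mfa_config entry for prompt {prompt!r}")
        answers.append(totp(seeds[prompt.strip()], now=now))
    return answers


if __name__ == "__main__":
    print(answer_prompts(["Enter 2FA Token: "], SAMPLE_CONFIG))
```
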

@giffels giffels requested a review from maxfischer2781 May 24, 2024 13:42
@RHofsaess RHofsaess left a comment

Very nice 👍

@maxfischer2781 maxfischer2781 left a comment

Nice, thanks for the adjustments.

Definitely a worthy addition!

Multi-Factor Approval, activate! 🤖

@giffels giffels added this pull request to the merge queue May 27, 2024
Merged via the queue into MatterMiners:master with commit 2b4ad48 May 27, 2024
16 checks passed
@giffels giffels deleted the add/mfa-ssh-support branch May 27, 2024 09:54
@giffels giffels mentioned this pull request May 27, 2024
2 tasks