Skip to content

Getlogin #6775

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: 8.4.x
Choose a base branch
from
Draft

Getlogin #6775

wants to merge 2 commits into from

Conversation

psa
Copy link
Contributor

@psa psa commented Jun 3, 2025

Provide more consistent logging messages so they're easier to parse and log the username from the system if a command isn't being run by the owner or a scheduler user.

Fixes #6773

Check List

  • I have read CONTRIBUTING.md and added my name as a Code Contributor.
  • Contains logically grouped changes (else tidy your branch by rebase).
  • Does not contain off-topic changes (use other PRs for other changes).
  • [N/A] Applied any dependency changes to both setup.cfg (and conda-environment.yml if present).
  • Tests are included (or explain why tests are not needed).
  • [N/A] Changelog entry included if this is a change that can affect users
  • [N/A] Cylc-Doc pull request opened if required at cylc/cylc-doc/pull/XXXX.
  • If this is a bug fix, PR should be raised against the relevant ?.?.x branch.

@psa
Always log who performed an action.
827a698 
This makes logs consistent for easier parsing
@psa psa force-pushed the getlogin branch 2 times, most recently from 2b00ed1 to 567ddd5 Compare June 3, 2025 04:02
@oliver-sanders oliver-sanders mentioned this pull request Jun 3, 2025
Open
oliver-sanders
oliver-sanders requested changes Jun 3, 2025
View reviewed changes
Copy link
Member

@oliver-sanders oliver-sanders left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The resolver code is run by the scheduler (i.e. the server) not the client, so this isn't going to extract the user who actioned the operation, you would need to shift this into the Cylc client code (cylc.flow.network.client).

However, the client cannot be trusted in this situation (because it is being run by a different user), so it is not possible to achieve this (#6773 (comment)).

cylc/flow/network/resolvers.py
Comment on lines 727 to 728
if user == self.schd.owner:
log_user = "" # don't log user name if owner
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this PR is effectively equivalent to:

Suggested change
if user == self.schd.owner:
log_user = "" # don't log user name if owner
if user == self.schd.owner or not user:
user = os.getlogin()

I.E:

  • Log the user name if provided with the request.
  • Otherwise log the scheduler owner.

@hjoliver
Copy link
Member

hjoliver commented Jun 4, 2025
edited
Loading

@psa - Oliver's comment above sounds like we're going to shut this PR down, but after discussing it offline he's suggested changes on the issue to make it acceptable.

  • the sudo-user identification bit has to be done client-side, or else this is useless (regardless of perceived security implications)
  • the phrasing of the server log message is very important because any user attribution will be perceived as a security issue if the facts behind it don't stack up
    • it should state that the action is being performed by the role user (which is true) and possibly on behalf of the sudo user (because that user is essentially self-identifying in a way that can't be verified).

And (IMO at least) we should document that use of sudo to interact with shared role accounts is common (for many reasons, not just workflows), and if Cylc commands are executed in this way (which Cylc has no control over) then Cylc will log the sudo-user merely as a convenience - strictly speaking this information should not be trusted, but logging the provided information (in the careful way described) does not in any way imply reduced security beyond what you opt into by use of sudo in the first place. For properly secure Cylc-based authorized user attribution, go via the Cylc UI Server (web UI now, hopefully CLI in future too).

@psa
Copy link
Contributor Author

psa commented Jun 5, 2025

I'm working on re-writing this based on the feedback in #6773 (comment)

@psa psa force-pushed the getlogin branch 5 times, most recently from f8f790e to 892c703 Compare June 5, 2025 06:49
@psa
Log the username of CLI users
466552e 
This passes the discovered CLI user, if available, and adds them with a
reference to who it might be. Uses getlogin by default, which grabs the
user based on the controlling terminal and if that fails uses getuser
which pulls from environment variables.

This passed couched in the terms of "possibly on behalf of" as this is
data from the client and so is not reliable.
oliver-sanders
oliver-sanders reviewed Jun 5, 2025
View reviewed changes
cylc/flow/network/client.py
default=CommsMeth.ZMQ.value
)
),
'behalf_of': behalf_of
Copy link
Member

@oliver-sanders oliver-sanders Jun 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Send the full message through using the existing auth_user field rather than creating a new behalf_of one.

auth_user = '<actor> (possibly on behalf of <user>)'

That way no changes will be required in cylc/flow/network/resolvers.py to log this and the feature will be fully backwards compatible.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@oliver-sanders
I've been poking at this but need help from someone with more py-zmq knowledge.

I was expecting self.socket.get(zmq.PLAIN_USERNAME) in async_request() to achieve this. I've not found a way to get the username on the client side.

Ideas on how I might approach this?

Copy link
Member

@oliver-sanders oliver-sanders Jun 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@psa, ZMQ doesn't come into it, just replace behalf_of with auth_user and supply it with the full text:

Suggested change
'behalf_of': behalf_of
'auth_user': f'{actor} (possibly on behalf of {user})'

Where actor is the actual user account (i.e. $USER) and user is the name of the person who is acting via sudo (i.e. $LOGNAME).

@oliver-sanders oliver-sanders added this to the 8.4.x milestone Jun 11, 2025
@oliver-sanders oliver-sanders added the could be better Not exactly a bug, but not ideal. label Jun 11, 2025
@wxtim wxtim marked this pull request as draft July 31, 2025 08:24
@wxtim
Copy link
Member

wxtim commented Jul 31, 2025

Drafted after nearly 2 months inactivity

@oliver-sanders
Copy link
Member

Ping @psa, let us know if you need any assistance to unstick this PR.

@psa
Copy link
Contributor Author

psa commented Sep 4, 2025
edited
Loading

Ping @psa, let us know if you need any assistance to unstick this PR.

Thanks @oliver-sanders This has ended up on the backburner due to some personal stuff going on right now. I might not get to it until October . But, I've added a reminder in October to make sure that it doesn't get lost.

@hjoliver hjoliver modified the milestones: 8.4.x, 8.x Sep 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oliver-sanders oliver-sanders oliver-sanders requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@psa psa

Labels
could be better Not exactly a bug, but not ideal.
Projects
None yet
Milestone
8.x
Development

Successfully merging this pull request may close these issues.
4 participants
@psa @hjoliver @wxtim @oliver-sanders