Correction of error message and documentation #504

Merged
merged 21 commits into from
Oct 23, 2024
21 commits
572589e
fix: message protocol in ACL.pm
TomRicci Oct 17, 2024
24d6e62
fix: message scpdownload scpupload in upgrading.rst
TomRicci Oct 17, 2024
ac902b8
fix: message scpdownload scpupload in sftp_scp_rsync.rst
TomRicci Oct 17, 2024
d22a3cf
fix: message scpdownload scpupload in accountDelPersonalAccess
TomRicci Oct 21, 2024
99ac650
fix: message scpdownload scpupload in selfAddPersonalAccess
TomRicci Oct 21, 2024
2513ba9
fix: message scpdownload scpupload in selfDelPersonalAccess
TomRicci Oct 21, 2024
a9e38f1
fix: message scpdownload scpupload in accountAddPersonalAccess
TomRicci Oct 21, 2024
4fdba5f
fix: message scpdownload scpupload in groupAddGuestAccess
TomRicci Oct 21, 2024
b2d4463
fix: message scpdownload scpupload in groupDelGuestAccess
TomRicci Oct 21, 2024
11e43a9
fix: message scpdownload scpupload in scp
TomRicci Oct 21, 2024
65268c4
fix: protocol scpdownload scpupload in 395-mfa-scp-sftp-rsync.sh
TomRicci Oct 21, 2024
767f4a1
fix: message scpdownload scpupload in scp.rst
TomRicci Oct 21, 2024
2771ec9
fix: message scpdownload scpupload in scp.override.rst
TomRicci Oct 21, 2024
114358f
Merge branch 'ovh:master' into master
TomRicci Oct 21, 2024
2e5f146
fix: lint ACL.pm
TomRicci Oct 21, 2024
e23c7ed
fix: documentation groupAddGuestAccess.rst
TomRicci Oct 21, 2024
af9bca3
fix: documentation groupDelGuestAccess.rst
TomRicci Oct 21, 2024
ad52e4b
fix: documentation accountAddPersonalAccess.rst
TomRicci Oct 21, 2024
08f7325
fix: documentation accountDelPersonalAccess.rst
TomRicci Oct 21, 2024
bc709d5
fix: documentation selfAddPersonalAccess.rst
TomRicci Oct 21, 2024
db863d6
fix: documentation selfDelPersonalAccess.rst
TomRicci Oct 21, 2024
8 changes: 4 additions & 4 deletions bin/plugin/group-gatekeeper/groupAddGuestAccess
Expand Up @@ -47,10 +47,10 @@ Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT [OPTIONS]
must not specify --user in that case. However, for this protocol to be usable under a given
remote user, access to the USER@HOST:PORT tuple must also be allowed.
PROTO must be one of:
scpup allow SCP upload, you--bastion-->server
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
--ttl SECONDS|DURATION Specify a number of seconds after which the access will automatically expire
--comment '"ANY TEXT"' Add a comment alongside this access. Quote it twice as shown if you're under a shell.
If omitted, we'll use the closest preexisting group access' comment as seen in groupListServers
8 changes: 4 additions & 4 deletions bin/plugin/group-gatekeeper/groupDelGuestAccess
Expand Up @@ -44,10 +44,10 @@ Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT [OPTIONS]
must not specify --user in that case. However, for this protocol to be usable under a given
remote user, access to the USER@HOST:PORT tuple must also be allowed.
PROTO must be one of:
scpup allow SCP upload, you--bastion-->server
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion

This command removes, from an existing bastion account, access to a given server, using the
egress keys of the group. The list of such servers is given by ``groupListGuestAccesses``
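
Review bot: The PROTO descriptions in this removal command still read "allow SCP upload" and "allow usage of rsync", and the context sentence above the list says access to the USER@HOST:PORT tuple "must also be allowed"; both are worded for granting an access, not removing one. accountDelPersonalAccess and selfDelPersonalAccess already describe the allowance as one that "should be removed" and omit that sentence. Since these four lines are being touched anyway, consider dropping "allow" from the descriptions here (for example "SCP upload, you--bastion-->server") and aligning the surrounding text with the other two Del commands.
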
4 changes: 2 additions & 2 deletions bin/plugin/open/scp
Expand Up @@ -258,8 +258,8 @@ For example:

Please note that you need to be granted for uploading or downloading files
with scp to/from the remote host, in addition to having the right to SSH to it.
For a group, the right should be added with --scpup/--scpdown of the groupAddServer command.
For a personal access, the right should be added with --scpup/--scpdown of the selfAddPersonalAccess command.
For a group, the right should be added with --protocol scpupload/--protocol scpdownload of the groupAddServer command.
For a personal access, the right should be added with --protocol scpupload/--protocol scpdownload of the selfAddPersonalAccess command.
EOF
osh_ok({script => $base64, "content-encoding" => 'base64-gzip'});
return 0;
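
Review bot: In the two reworded help lines, "--protocol scpupload/--protocol scpdownload" can be read as a single option string containing a slash. The sftp_scp_rsync.rst text in this same change says that allowing both directions means running the command once per value, so "with --protocol scpupload or --protocol scpdownload" would be clearer. The same wording is repeated in scp.override.rst and scp.rst, so all three should get the same edit.
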
8 changes: 4 additions & 4 deletions bin/plugin/restricted/accountAddPersonalAccess
Expand Up @@ -46,10 +46,10 @@ Usage: --osh SCRIPT_NAME --account ACCOUNT --host HOST --user USER --port PORT [
must not specify --user in that case. However, for this protocol to be usable under a given
remote user, access to the USER@HOST:PORT tuple must also be allowed.
PROTO must be one of:
scpup allow SCP upload, you--bastion-->server
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
--force-key FINGERPRINT Only use the key with the specified fingerprint to connect to the server (cf accountListEgressKeys)
--force-password HASH Only use the password with the specified hash to connect to the server (cf accountListPasswords)
--ttl SECONDS|DURATION Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire
8 changes: 4 additions & 4 deletions bin/plugin/restricted/accountDelPersonalAccess
Expand Up @@ -40,10 +40,10 @@ Usage: --osh SCRIPT_NAME --account ACCOUNT --host HOST --user USER --port PORT [
--protocol PROTO Specify that a special protocol allowance should be removed from this HOST:PORT tuple, note that you
must not specify --user in that case.
PROTO must be one of:
scpup allow SCP upload, you--bastion-->server
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
EOF
);

8 changes: 4 additions & 4 deletions bin/plugin/restricted/selfAddPersonalAccess
Expand Up @@ -45,10 +45,10 @@ Usage: --osh SCRIPT_NAME --host HOST --user USER --port PORT [OPTIONS]
must not specify --user in that case. However, for this protocol to be usable under a given
remote user, access to the USER@HOST:PORT tuple must also be allowed.
PROTO must be one of:
scpup allow SCP upload, you--bastion-->server
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
--force Add the access without checking that the public SSH key is properly installed remotely
--force-key FINGERPRINT Only use the key with the specified fingerprint to connect to the server (cf selfListEgressKeys)
--force-password HASH Only use the password with the specified hash to connect to the server (cf selfListPasswords)
8 changes: 4 additions & 4 deletions bin/plugin/restricted/selfDelPersonalAccess
Expand Up @@ -38,10 +38,10 @@ Usage: --osh SCRIPT_NAME --host HOST --user USER --port PORT [OPTIONS]
--protocol PROTO Specify that a special protocol allowance should be removed from this HOST:PORT tuple, note that you
must not specify --user in that case.
PROTO must be one of:
scpup allow SCP upload, you--bastion-->server
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
EOF
);

4 changes: 2 additions & 2 deletions doc/sphinx-plugins-override/scp.override.rst
Expand Up @@ -22,7 +22,7 @@ Or to recursively download a folder contents::

Please note that you need to be granted for uploading or downloading files
with scp to/from the remote host, in addition to having the right to SSH to it.
For a group, the right should be added with ``--scpup``/``--scpdown`` of the :doc:`/plugins/group-aclkeeper/groupAddServer` command.
For a personal access, the right should be added with ``--scpup``/``--scpdown`` of the :doc:`/plugins/restricted/selfAddPersonalAccess` command.
For a group, the right should be added with ``--protocol scpupload``/``--protocol scpdownload`` of the :doc:`/plugins/group-aclkeeper/groupAddServer` command.
For a personal access, the right should be added with ``--protocol scpupload``/``--protocol scpdownload`` of the :doc:`/plugins/restricted/selfAddPersonalAccess` command.

You'll find more information and examples in :doc:`/using/sftp_scp_rsync`.
2 changes: 1 addition & 1 deletion doc/sphinx/installation/upgrading.rst
Expand Up @@ -41,7 +41,7 @@ when using the ``--user`` option for plugins such as ``groupAddServer``, ``group
``selfDelPersonalAccess``.

We also deprecate all the ``--sftp``, ``--scpdown``, ``--scpup`` options that are now replaced by a more generic
``--protocol`` option, which supports ``sftp``, ``scpdown ``, ``scpup`` and now also ``rsync`` as parameters.
``--protocol`` option, which supports ``sftp``, ``scpdownload``, ``scpupload`` and now also ``rsync`` as parameters.
The use of rsync is similar to sftp and scp, and is detailed here: :doc:`/plugins/open/rsync`.

Last but not least, the ``[email protected]`` KEX algorithm is now enabled by default on shipped
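
Review bot: The corrected sentence lists the deprecated flags ``--sftp``, ``--scpdown``, ``--scpup`` next to the parameters ``sftp``, ``scpdownload``, ``scpupload``, but never says which flag maps to which value, and the scp values are not simply the old flag names without the dashes. State the mapping explicitly, e.g. ``--scpup`` becomes ``--protocol scpupload`` and ``--scpdown`` becomes ``--protocol scpdownload``, so that someone migrating scripts does not guess ``--protocol scpup`` and hit the ERR_INVALID_PARAMETER path in ACL.pm.
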
8 changes: 4 additions & 4 deletions doc/sphinx/plugins/group-gatekeeper/groupAddGuestAccess.rst
Expand Up @@ -41,10 +41,10 @@ Add a specific group server access to an account
must not specify --user in that case. However, for this protocol to be usable under a given
remote user, access to the USER@HOST:PORT tuple must also be allowed.
PROTO must be one of:
scpup allow SCP upload, you--bastion-->server
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
.. option:: --ttl SECONDS|DURATION

Specify a number of seconds after which the access will automatically expire
8 changes: 4 additions & 4 deletions doc/sphinx/plugins/group-gatekeeper/groupDelGuestAccess.rst
Expand Up @@ -40,10 +40,10 @@ Remove a specific group server access from an account
must not specify --user in that case. However, for this protocol to be usable under a given
remote user, access to the USER@HOST:PORT tuple must also be allowed.
PROTO must be one of:
scpup allow SCP upload, you--bastion-->server
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion

This command removes, from an existing bastion account, access to a given server, using the
egress keys of the group. The list of such servers is given by ``groupListGuestAccesses``
4 changes: 2 additions & 2 deletions doc/sphinx/plugins/open/scp.rst
Expand Up @@ -26,7 +26,7 @@ Or to recursively download a folder contents::

Please note that you need to be granted for uploading or downloading files
with scp to/from the remote host, in addition to having the right to SSH to it.
For a group, the right should be added with ``--scpup``/``--scpdown`` of the :doc:`/plugins/group-aclkeeper/groupAddServer` command.
For a personal access, the right should be added with ``--scpup``/``--scpdown`` of the :doc:`/plugins/restricted/selfAddPersonalAccess` command.
For a group, the right should be added with ``--protocol scpupload``/``--protocol scpdownload`` of the :doc:`/plugins/group-aclkeeper/groupAddServer` command.
For a personal access, the right should be added with ``--protocol scpupload``/``--protocol scpdownload`` of the :doc:`/plugins/restricted/selfAddPersonalAccess` command.

You'll find more information and examples in :doc:`/using/sftp_scp_rsync`.
8 changes: 4 additions & 4 deletions doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst
Expand Up @@ -36,10 +36,10 @@ Add a personal server access to an account
must not specify --user in that case. However, for this protocol to be usable under a given
remote user, access to the USER@HOST:PORT tuple must also be allowed.
PROTO must be one of:
scpup allow SCP upload, you--bastion-->server
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
.. option:: --force-key FINGERPRINT

Only use the key with the specified fingerprint to connect to the server (cf accountListEgressKeys)
8 changes: 4 additions & 4 deletions doc/sphinx/plugins/restricted/accountDelPersonalAccess.rst
Expand Up @@ -35,7 +35,7 @@ Remove a personal server access from an account

must not specify --user in that case.
PROTO must be one of:
scpup allow SCP upload, you--bastion-->server
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
8 changes: 4 additions & 4 deletions doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst
Expand Up @@ -32,10 +32,10 @@ Add a personal server access to your account
must not specify --user in that case. However, for this protocol to be usable under a given
remote user, access to the USER@HOST:PORT tuple must also be allowed.
PROTO must be one of:
scpup allow SCP upload, you--bastion-->server
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
.. option:: --force

Add the access without checking that the public SSH key is properly installed remotely
8 changes: 4 additions & 4 deletions doc/sphinx/plugins/restricted/selfDelPersonalAccess.rst
Expand Up @@ -31,7 +31,7 @@ Remove a personal server access from your account

must not specify --user in that case.
PROTO must be one of:
scpup allow SCP upload, you--bastion-->server
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
scpupload allow SCP upload, you--bastion-->server
scpdownload allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
6 changes: 3 additions & 3 deletions doc/sphinx/using/sftp_scp_rsync.rst
Expand Up @@ -83,13 +83,13 @@ To declare an SCP/SFTP/RSYNC access, in addition to a preexisting SSH access, yo
if the SSH access is personal (tied to an account)

In both cases, where you would use the ``--user`` option to the command, to specify the remote user to use for
the SSH access being declared, you should replace it by either ``--protocol scpdown``, ``--protocol scpup``,
the SSH access being declared, you should replace it by either ``--protocol scpdownload``, ``--protocol scpupload``,
``--protocol sftp`` or ``--protocol rsync``,
to specify that you're about to add an SCP/SFTP/RSYNC access (and not a bare SSH one), and which direction you want
to allow in the case of SCP.

For SCP, you can allow both directions by using the command first with ``--protocol scpdown``,
then with ``--protocol scpup``.
For SCP, you can allow both directions by using the command first with ``--protocol scpdownload``,
then with ``--protocol scpupload``.
Note that for SFTP and RYSNC, you can't specify a direction, due to how these protocols work: you either have
SFTP/RSYNC access (hence being able to upload and download files), or you don't.
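
Review bot: The context line directly after the changed SCP sentence spells the protocol "RYSNC" ("Note that for SFTP and RYSNC, you can't specify a direction"); it should read "RSYNC", as in the rest of this paragraph. Worth fixing in this documentation pass, since the adjacent lines are already being edited.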

3 changes: 2 additions & 1 deletion lib/perl/OVH/Bastion/Plugin/ACL.pm
Expand Up @@ -27,7 +27,8 @@ sub check {
}
if (!grep { $protocol eq $_ } qw{ scpupload scpdownload sftp rsync }) {
return R('ERR_INVALID_PARAMETER',
msg => "The protocol '$protocol' is not supported, expected either scpup, scpdown, sftp or rsync");
msg =>
"The protocol '$protocol' is not supported, expected either scpupload, scpdownload, sftp or rsync");
}
}
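
Review bot: The error message in check() still hand-copies the list that is already passed to grep as qw{ scpupload scpdownload sftp rsync }, which is how the text drifted to "scpup, scpdown" in the first place. Keep the accepted values in one array, use it for the grep, and build the message from it with join(', ', ...), so that adding a protocol later cannot leave the message stale.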
