From: Alan T. DeKok Date: Tue, 31 Oct 2023 18:33:49 +0000 (-0400) Subject: remove default_user_profile, etc. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=deb9e7eb5710dc33591f969405d64f94ebc383a7;p=thirdparty%2Ffreeradius-server.git remove default_user_profile, etc. --- diff --git a/doc/antora/modules/howto/pages/modules/sql/index.adoc b/doc/antora/modules/howto/pages/modules/sql/index.adoc index 9c7e893aacb..0ade8dc3e4e 100644 --- a/doc/antora/modules/howto/pages/modules/sql/index.adoc +++ b/doc/antora/modules/howto/pages/modules/sql/index.adoc @@ -69,12 +69,7 @@ Processing continues to the next group if any of the following conditions are me - There was not a match for the last group’s check items OR - Fall-Through was set in the last group’s reply items -(The above is exactly the same as in the users file.) - -Finally, if the user has a User-Profile attribute set or the Default Profile -configuration item is set for the sql module, then the above group -processing steps are repeated for the groups that the profile is a member of. - +The above is exactly the same as in the `users` file. === Example with groups diff --git a/doc/antora/modules/howto/pages/tuning/tuning_guide.adoc b/doc/antora/modules/howto/pages/tuning/tuning_guide.adoc index 746d7ae2579..6bb89a89154 100644 --- a/doc/antora/modules/howto/pages/tuning/tuning_guide.adoc +++ b/doc/antora/modules/howto/pages/tuning/tuning_guide.adoc 
@@ -14,7 +14,7 @@ slow down your accounting. * Use the users file to only set default profiles. Do not place any users there. Keep it as small as possible. Always set default attributes in the users file and don’t fill the user entries in ldap/sql with -default values. In general the ldap/sql user profiles should contain +default values. In general the ldap user profiles should contain user attributes only in special user cases. * Tune thread pool parameters to match your size requirements. Set `max_requests_per_server` to zero to avoid server thread restarts. diff --git a/doc/antora/modules/installation/pages/upgrade.adoc b/doc/antora/modules/installation/pages/upgrade.adoc index 5de8dbd1ab4..3e893185309 100644 --- a/doc/antora/modules/installation/pages/upgrade.adoc +++ b/doc/antora/modules/installation/pages/upgrade.adoc @@ -923,6 +923,11 @@ if (%sql.group(sales)) { will return `true`. +==== Profiles + +The `default_user_profile` and the `User-Profile` attributes have been +removed. No one used them, as that behavior was already supported by the group functionality. + ==== rlm_sql_mysql Now calls `mysql_real_escape_string` and no longer produces diff --git a/doc/antora/modules/raddb/pages/mods-available/sql.adoc b/doc/antora/modules/raddb/pages/mods-available/sql.adoc index 95ebde6fe1b..a48620a5f86 100644 --- a/doc/antora/modules/raddb/pages/mods-available/sql.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/sql.adoc @@ -146,15 +146,6 @@ Default is `yes`. -read_profiles:: Read the profiles from the database. - -If set to `yes`, we read profiles unless `Fall-Through = no` in the groupreply table. -If set to `no` we do not read profiles unless `Fall-Through = yes` in the groupreply table. - -Default is `yes`. - - - logfile:: Write SQL queries to a logfile. This is potentially useful for tracing issues with authorization queries. 
@@ -355,7 +346,6 @@ sql { groupreply_table = "radgroupreply" usergroup_table = "radusergroup" # read_groups = yes -# read_profiles = yes # logfile = ${logdir}/sqllog.sql # query_timeout = 5 pool { diff --git a/raddb/mods-available/sql b/raddb/mods-available/sql index 2746375cadc..4a88b5d9e53 100644 --- a/raddb/mods-available/sql +++ b/raddb/mods-available/sql @@ -170,16 +170,6 @@ sql { # # read_groups = yes - # - # read_profiles:: Read the profiles from the database. - # - # If set to `yes`, we read profiles unless `Fall-Through = no` in the groupreply table. - # If set to `no` we do not read profiles unless `Fall-Through = yes` in the groupreply table. - # - # Default is `yes`. - # -# read_profiles = yes - # # logfile:: Write SQL queries to a logfile. # diff --git a/raddb/mods-config/sql/main/cassandra/queries.conf b/raddb/mods-config/sql/main/cassandra/queries.conf index 90a4a1acfcd..f1ecf277c9a 100644 --- a/raddb/mods-config/sql/main/cassandra/queries.conf +++ b/raddb/mods-config/sql/main/cassandra/queries.conf 
@@ -56,29 +56,6 @@ event_timestamp_epoch = %{((integer) &Event-Timestamp) || %l} event_timestamp = "%{${event_timestamp_epoch} * 1000}" -####################################################################### -# Default profile -####################################################################### -# This is the default profile. It is found in SQL by group membership. -# That means that this profile must be a member of at least one group -# which will contain the corresponding check and reply items. -# This profile will be queried in the authorize section for every user. -# The point is to assign all users a default profile without having to -# manually add each one to a group that will contain the profile. -# The SQL module will also honor the User-Profile attribute. This -# attribute can be set anywhere in the authorize section (ie the users -# file). It is found exactly as the default profile is found. -# If it is set then it will *overwrite* the default profile setting. -# The idea is to select profiles based on checks on the incoming packets, -# not on user group membership. For example: -# -- users file -- -# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound" -# DEFAULT Service-Type == Framed-User, User-Profile := "framed" -# -# By default the default_user_profile is not set -# -#default_user_profile = "DEFAULT" - ####################################################################### # Authorization Queries ####################################################################### diff --git a/raddb/mods-config/sql/main/mysql/queries.conf b/raddb/mods-config/sql/main/mysql/queries.conf index a95d643281a..159eda9d5a0 100644 --- a/raddb/mods-config/sql/main/mysql/queries.conf +++ b/raddb/mods-config/sql/main/mysql/queries.conf 
@@ -56,29 +56,6 @@ event_timestamp_epoch = %{((integer) &Event-Timestamp) || %l} event_timestamp = "FROM_UNIXTIME(${event_timestamp_epoch})" -####################################################################### -# Default profile -####################################################################### -# This is the default profile. It is found in SQL by group membership. -# That means that this profile must be a member of at least one group -# which will contain the corresponding check and reply items. -# This profile will be queried in the authorize section for every user. -# The point is to assign all users a default profile without having to -# manually add each one to a group that will contain the profile. -# The SQL module will also honor the User-Profile attribute. This -# attribute can be set anywhere in the authorize section (ie the users -# file). It is found exactly as the default profile is found. -# If it is set then it will *overwrite* the default profile setting. -# The idea is to select profiles based on checks on the incoming packets, -# not on user group membership. For example: -# -- users file -- -# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound" -# DEFAULT Service-Type == Framed-User, User-Profile := "framed" -# -# By default the default_user_profile is not set -# -#default_user_profile = "DEFAULT" - ####################################################################### # Authorization Queries ####################################################################### diff --git a/raddb/mods-config/sql/main/oracle/queries.conf b/raddb/mods-config/sql/main/oracle/queries.conf index 599a1b8d778..cbdb256e913 100644 --- a/raddb/mods-config/sql/main/oracle/queries.conf +++ b/raddb/mods-config/sql/main/oracle/queries.conf 
@@ -40,35 +40,6 @@ event_timestamp_epoch = %{((integer) &Event-Timestamp) || %l} event_timestamp = "TO_DATE('1970-01-01','YYYY-MM-DD') + NUMTODSINTERVAL(${event_timestamp_epoch},'SECOND')" -####################################################################### -# Default profile -####################################################################### -# This is the default profile. It is found in SQL by group membership. -# That means that this profile must be a member of at least one group -# which will contain the corresponding check and reply items. -# This profile will be queried in the authorize section for every user. -# The point is to assign all users a default profile without having to -# manually add each one to a group that will contain the profile. -# The SQL module will also honor the User-Profile attribute. This -# attribute can be set anywhere in the authorize section (ie the users -# file). It is found exactly as the default profile is found. -# If it is set then it will *overwrite* the default profile setting. -# The idea is to select profiles based on checks on the incoming packets, -# not on user group membership. For example: -# -- users file -- -# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound" -# DEFAULT Service-Type == Framed-User, User-Profile := "framed" -# -# By default the default_user_profile is not set -# -#default_user_profile = "DEFAULT" -# -# Determines if we will query the default_user_profile or the User-Profile -# if the user is not found. If the profile is found then we consider the user -# found. By default this is set to 'no'. -# -#query_on_not_found = no - ####################################################################### # Authorization Queries ####################################################################### diff --git a/raddb/mods-config/sql/main/postgresql/queries.conf b/raddb/mods-config/sql/main/postgresql/queries.conf index 90c15a9b933..9d616b2e840 100644 
--- a/raddb/mods-config/sql/main/postgresql/queries.conf +++ b/raddb/mods-config/sql/main/postgresql/queries.conf @@ -46,29 +46,6 @@ event_timestamp_epoch = %{((integer) &Event-Timestamp) || %l} event_timestamp = "TO_TIMESTAMP(${event_timestamp_epoch})" -####################################################################### -# Default profile -####################################################################### -# This is the default profile. It is found in SQL by group membership. -# That means that this profile must be a member of at least one group -# which will contain the corresponding check and reply items. -# This profile will be queried in the authorize section for every user. -# The point is to assign all users a default profile without having to -# manually add each one to a group that will contain the profile. -# The SQL module will also honor the User-Profile attribute. This -# attribute can be set anywhere in the authorize section (ie the users -# file). It is found exactly as the default profile is found. -# If it is set then it will *overwrite* the default profile setting. -# The idea is to select profiles based on checks on the incoming -# packets, not on user group membership. For example: -# -- users file -- -# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound" -# DEFAULT Service-Type == Framed-User, User-Profile := "framed" -# -# By default the default_user_profile is not set -# -# default_user_profile = "DEFAULT" - ####################################################################### # Open Query ####################################################################### diff --git a/raddb/mods-config/sql/main/sqlite/queries.conf b/raddb/mods-config/sql/main/sqlite/queries.conf index 392970fb190..6f3b1ec21e0 100644 --- a/raddb/mods-config/sql/main/sqlite/queries.conf +++ b/raddb/mods-config/sql/main/sqlite/queries.conf 
@@ -50,29 +50,6 @@ event_timestamp = "${event_timestamp_epoch}" # these variables differentiated in preparation for switching away from # integer storage. -####################################################################### -# Default profile -####################################################################### -# This is the default profile. It is found in SQL by group membership. -# That means that this profile must be a member of at least one group -# which will contain the corresponding check and reply items. -# This profile will be queried in the authorize section for every user. -# The point is to assign all users a default profile without having to -# manually add each one to a group that will contain the profile. -# The SQL module will also honor the User-Profile attribute. This -# attribute can be set anywhere in the authorize section (ie the users -# file). It is found exactly as the default profile is found. -# If it is set then it will *overwrite* the default profile setting. -# The idea is to select profiles based on checks on the incoming packets, -# not on user group membership. For example: -# -- users file -- -# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound" -# DEFAULT Service-Type == Framed-User, User-Profile := "framed" -# -# By default the default_user_profile is not set -# -#default_user_profile = "DEFAULT" - ####################################################################### # Authorization Queries ####################################################################### diff --git a/src/modules/rlm_sql/rlm_sql.c b/src/modules/rlm_sql/rlm_sql.c index 00035012f6b..d99f4065848 100644 --- a/src/modules/rlm_sql/rlm_sql.c +++ b/src/modules/rlm_sql/rlm_sql.c 
@@ -91,11 +91,9 @@ static const CONF_PARSER module_config[] = { { FR_CONF_OFFSET("password", FR_TYPE_STRING | FR_TYPE_SECRET, rlm_sql_config_t, sql_password), .dflt = "" }, { FR_CONF_OFFSET("radius_db", FR_TYPE_STRING, rlm_sql_config_t, sql_db), .dflt = "radius" }, { FR_CONF_OFFSET("read_groups", FR_TYPE_BOOL, rlm_sql_config_t, read_groups), .dflt = "yes" }, - { FR_CONF_OFFSET("read_profiles", FR_TYPE_BOOL, rlm_sql_config_t, read_profiles), .dflt = "yes" }, { FR_CONF_OFFSET("sql_user_name", FR_TYPE_STRING | FR_TYPE_XLAT, rlm_sql_config_t, query_user), .dflt = "" }, { FR_CONF_OFFSET("group_attribute", FR_TYPE_STRING, rlm_sql_config_t, group_attribute) }, { FR_CONF_OFFSET("logfile", FR_TYPE_STRING | FR_TYPE_XLAT, rlm_sql_config_t, logfile) }, - { FR_CONF_OFFSET("default_user_profile", FR_TYPE_STRING, rlm_sql_config_t, default_profile), .dflt = "" }, { FR_CONF_OFFSET("open_query", FR_TYPE_STRING, rlm_sql_config_t, connect_query) }, { FR_CONF_OFFSET("authorize_check_query", FR_TYPE_STRING | FR_TYPE_XLAT | FR_TYPE_NOT_EMPTY, rlm_sql_config_t, authorize_check_query) }, @@ -129,7 +127,6 @@ fr_dict_autoload_t rlm_sql_dict[] = { static fr_dict_attr_t const *attr_fall_through; static fr_dict_attr_t const *attr_sql_user_name; -static fr_dict_attr_t const *attr_user_profile; static fr_dict_attr_t const *attr_user_name; static fr_dict_attr_t const *attr_expr_bool_enum; 
@@ -137,7 +134,6 @@ extern fr_dict_attr_autoload_t rlm_sql_dict_attr[]; fr_dict_attr_autoload_t rlm_sql_dict_attr[] = { { .out = &attr_fall_through, .name = "Fall-Through", .type = FR_TYPE_BOOL, .dict = &dict_freeradius }, { .out = &attr_sql_user_name, .name = "SQL-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius }, - { .out = &attr_user_profile, .name = "User-Profile", .type = FR_TYPE_STRING, .dict = &dict_freeradius }, { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius }, { .out = &attr_expr_bool_enum, .name = "Expr-Bool-Enum", .type = FR_TYPE_BOOL, .dict = &dict_freeradius }, { NULL } @@ -1279,7 +1275,6 @@ static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, mod fr_pair_list_t check_tmp; fr_pair_list_t reply_tmp; - fr_pair_t *user_profile = NULL; bool user_found = false; @@ -1295,7 +1290,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, mod fr_assert(request->reply != NULL); if (!inst->config.authorize_check_query && !inst->config.authorize_reply_query && - !inst->config.read_groups && !inst->config.read_profiles) { + !inst->config.read_groups) { RWDEBUG("No authorization checks configured, returning noop"); RETURN_MODULE_NOOP; @@ -1410,8 +1405,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, mod } /* - * Neither group checks or profiles will work without - * a group membership query. + * group checks require a group membership query. */ if (!inst->config.groupmemb_query) goto release; 
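Review bot: With `read_profiles` dropped from the guard in the `@@ -1295` hunk, an instance that sets `read_groups = no`, has no check or reply query, and relied on profiles as its only attribute source now takes the `RETURN_MODULE_NOOP` branch; judging by the block removed in the later `@@ -1448` hunk, it used to continue into profile processing. The only signal is the existing `RWDEBUG` line, which does not say why nothing is configured. If the profile group carried restrictive check items, they are no longer applied, so the upgrade can loosen policy without anyone noticing. I would name the cause in the message, e.g. `RWDEBUG("No authorization checks configured (profiles are no longer supported), returning noop");`, and, if the config parser has a way to mark removed items, have stale `read_profiles` / `default_user_profile` settings rejected at startup instead of ignored. mod_authorize starts and ends outside this hunk.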
@@ -1448,63 +1442,9 @@ skip_reply: } } - /* - * Repeat the above process with the default profile or User-Profile - */ - if ((do_fall_through == FALL_THROUGH_YES) || - (inst->config.read_profiles && (do_fall_through == FALL_THROUGH_DEFAULT))) { - rlm_rcode_t ret; - char const *profile; - - /* - * Check for a default_profile or for a User-Profile. - */ - RDEBUG3("... falling-through to profile processing"); - user_profile = fr_pair_find_by_da(&request->control_pairs, NULL, attr_user_profile); - - profile = user_profile ? - user_profile->vp_strvalue : - inst->config.default_profile; - - if (!profile || !*profile) goto release; - - RDEBUG2("Checking profile %s", profile); - - if (sql_set_user(inst, request, profile) < 0) { - REDEBUG("Error setting profile"); - rcode = RLM_MODULE_FAIL; - goto error; - } - - rlm_sql_process_groups(&ret, inst, request, &handle, &do_fall_through); - switch (ret) { - /* - * Nothing bad happened, continue... - */ - case RLM_MODULE_UPDATED: - rcode = RLM_MODULE_UPDATED; - FALL_THROUGH; - - case RLM_MODULE_OK: - if (rcode != RLM_MODULE_UPDATED) rcode = RLM_MODULE_OK; - FALL_THROUGH; - - case RLM_MODULE_NOOP: - user_found = true; - break; - - case RLM_MODULE_NOTFOUND: - break; - - default: - rcode = ret; - goto release; - } - } - /* * At this point the key (user) hasn't be found in the check table, the reply table - * or the group mapping table, and there was no matching profile. + * or the group mapping table. */ release: if (!user_found) rcode = RLM_MODULE_NOTFOUND; diff --git a/src/modules/rlm_sql/rlm_sql.h b/src/modules/rlm_sql/rlm_sql.h index dd94e34a8b6..527a62cd953 100644 --- a/src/modules/rlm_sql/rlm_sql.h +++ b/src/modules/rlm_sql/rlm_sql.h 
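Review bot: A request whose user was matched only through `default_user_profile` or a control `User-Profile` now reaches `release:` with `user_found` still false and returns `RLM_MODULE_NOTFOUND`, and the surviving comment does not tell a maintainer that this path used to exist or what replaces it. The diff does not show whether `User-Profile` is also removed from the dictionary; if it is not, policies that still set it would presumably parse and then be ignored here without a log line. I would extend the comment with something like `* Profiles were removed; default check/reply items must now come from an ordinary group.`, and fix "hasn't be found" to "hasn't been found" on the line above while touching it. mod_authorize begins before this hunk.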
@@ -97,9 +97,6 @@ typedef struct { char const *group_attribute; //!< Name of the group attribute. - char const *default_profile; //!< Default profile to use if no other - //!< profiles were configured. - char const *authorize_check_query; //!< Query used get check VPs for a user. char const *authorize_reply_query; //!< Query used get reply VPs for a user. char const *authorize_group_check_query; //!< Query used get check VPs for a group. @@ -112,10 +109,6 @@ typedef struct { //!< If false, Fall-Through = yes is required //!< in the previous reply list to process //!< groups. - bool read_profiles; //!< Read user profiles by default. - //!< If false, Fall-Through = yes is required - //!< in the previous reply list to process - //!< profiles. char const *logfile; //!< Keep a log of all SQL queries executed //!< Useful for batch insertion with the //!< NULL drivers. diff --git a/src/tests/modules/sql_mysql/module.conf b/src/tests/modules/sql_mysql/module.conf index 7392c1ce824..fc0183da803 100644 --- a/src/tests/modules/sql_mysql/module.conf +++ b/src/tests/modules/sql_mysql/module.conf @@ -21,7 +21,6 @@ sql { groupreply_table = "radgroupreply" usergroup_table = "radusergroup" read_groups = yes - read_profiles = yes # Remove stale session if checkrad does not see a double login delete_stale_sessions = yes diff --git a/src/tests/modules/sql_postgresql/module.conf b/src/tests/modules/sql_postgresql/module.conf index e03bd7c47c0..83b1b12bf9e 100644 --- a/src/tests/modules/sql_postgresql/module.conf +++ b/src/tests/modules/sql_postgresql/module.conf @@ -21,7 +21,6 @@ sql { groupreply_table = "radgroupreply" usergroup_table = "radusergroup" read_groups = yes - read_profiles = yes # Remove stale session if checkrad does not see a double login delete_stale_sessions = yes diff --git a/src/tests/modules/sql_sqlite/module.conf b/src/tests/modules/sql_sqlite/module.conf index 3a5f75c87a6..580d5385e9a 100644 --- a/src/tests/modules/sql_sqlite/module.conf 
+++ b/src/tests/modules/sql_sqlite/module.conf @@ -21,7 +21,6 @@ sql { groupreply_table = "radgroupreply" usergroup_table = "radusergroup" read_groups = yes - read_profiles = yes # Remove stale session if checkrad does not see a double login delete_stale_sessions = yes