Only a support/help question.
Let's say I have a user authenticated via Kerberos SSO.
Now my node backend is running under system user and it has no access to a certain network folder.
The authenticated user instead has access to that network folder, so I want to impersonate the user; question: how to do that?
Should I use the access token from SSO? I can't find an example, a tutorial or more instructions.
I've tried to look at the source code here.
The point is that I see that SSO.ts is doing sspi.ImpersonateSecurityContext(this.serverContextHandle); but to do that it is using a serverContextHandle that is kept private(*)! I would be tempted to fork and modify the code at that point (here, conceptually, I should be able to open the shared folder as the impersonated user, correct?), but it seems complex and before doing that, I would rather gather a better overall understanding. Also because I also see sspi.OpenThreadToken() immediately after the impersonation: is that needed for the impersonation (maybe not, I guess the user is already impersonated here, correct?) or just to save the access token? I guess it is for the latter goal, but, again, as I said before, I miss the usage of this access token.
(*) Well, it is passed via the constructor from auth.ts, which in turn is gathering the serverSecurityContext.contextHandle, basically from sspi.AcceptSecurityContext(input) where the input is more or less the Kerberos authorization token... ok, but I believe I'm not supposed to repeat all that procedure (starting from the Kerberos token and passing it to AcceptSecurityContext) again in my usage code: that would mean that saving the access token is useless, so I'm not considering this option.