void
process_request(int sfds)
{
int rc;
struct batch_request *request;
conn_t *conn;
time_now = time(NULL);
conn = get_conn(sfds);
if (!conn) {
log_event(PBSEVENT_SYSTEM, PBS_EVENTCLASS_REQUEST, LOG_ERR,
"process_request", "did not find socket in connection table");
#ifdef WIN32
(void)closesocket(sfds);
#else
(void)close(sfds);
#endif
return;
}
if ((request = alloc_br(0)) == NULL) {
log_event(PBSEVENT_SYSTEM, PBS_EVENTCLASS_REQUEST, LOG_ERR,
"process_request", "Unable to allocate request structure");
close_conn(sfds);
return;
}
request->rq_conn = sfds;
/*
* Read in the request and decode it to the internal request structure.
*/
if (get_connecthost(sfds, request->rq_host, PBS_MAXHOSTNAME)) {
(void)sprintf(log_buffer, "%s: %lu", msg_reqbadhost,
get_connectaddr(sfds));
log_event(PBSEVENT_DEBUG, PBS_EVENTCLASS_REQUEST, LOG_DEBUG,
"", log_buffer);
req_reject(PBSE_BADHOST, 0, request);
return;
}
#ifndef PBS_MOM
if (conn->cn_active == FromClientDIS) {
rc = dis_request_read(sfds, request);
} else {
log_event(PBSEVENT_SYSTEM, PBS_EVENTCLASS_REQUEST, LOG_ERR,
"process_req", "request on invalid type of connection");
close_conn(sfds);
free_br(request);
return;
}
#else /* PBS_MOM */
rc = dis_request_read(sfds, request);
#endif /* PBS_MOM */
if (rc == -1) { /* End of file */
close_client(sfds);
free_br(request);
return;
} else if ((rc == PBSE_SYSTEM) || (rc == PBSE_INTERNAL)) {
/* read error, likely cannot send reply so just disconnect */
/* ??? not sure about this ??? */
close_client(sfds);
free_br(request);
return;
} else if (rc > 0) {
/*
* request didn't decode, either garbage or unknown
* request type, in ether case, return reject-reply
*/
req_reject(rc, 0, request);
close_client(sfds);
return;
}
#ifndef PBS_MOM
/* If the request is coming on the socket we opened to the */
/* scheduler, change the "user" from "root" to "Scheduler" */
if (find_sched_from_sock(request->rq_conn) != NULL) {
strncpy(request->rq_user, PBS_SCHED_DAEMON_NAME, PBS_MAXUSER);
request->rq_user[PBS_MAXUSER] = '\0';
}
#endif /* PBS_MOM */
(void)sprintf(log_buffer, msg_request, request->rq_type,
request->rq_user, request->rq_host, sfds);
log_event(PBSEVENT_DEBUG2, PBS_EVENTCLASS_REQUEST, LOG_DEBUG,
"", log_buffer);
/* is the request from a host acceptable to the server */
if (request->rq_type == PBS_BATCH_AuthExternal) {
rc = authenticate_external(conn, request);
if (rc == 0)
reply_ack(request);
else if (rc == -2)
req_reject(PBSE_NOSUP, 0, request);
else
req_reject(PBSE_BADCRED, 0, request);
return;
}
#ifndef PBS_MOM
if (server.sv_attr[(int)SRV_ATR_acl_host_enable].at_val.at_long) {
/* acl enabled, check it; always allow myself */
struct pbsnode *isanode = NULL;
if ((server.sv_attr[SRV_ATR_acl_host_moms_enable].at_flags & ATR_VFLAG_SET) &&
(server.sv_attr[(int)SRV_ATR_acl_host_moms_enable].at_val.at_long == 1)) {
isanode = find_nodebyaddr(get_connectaddr(sfds));
if ((isanode != NULL) && (isanode->nd_state & INUSE_DELETED))
isanode = NULL;
}
if (isanode == NULL) {
if ((acl_check(&server.sv_attr[(int)SRV_ATR_acl_hosts],
request->rq_host, ACL_Host) == 0) &&
(strcasecmp(server_host, request->rq_host) != 0)) {
req_reject(PBSE_BADHOST, 0, request);
close_client(sfds);
return;
}
}
}
/*
* determine source (user client or another server) of request.
* set the permissions granted to the client
*/
if (conn->cn_authen & PBS_NET_CONN_FROM_PRIVIL) {
/* request came from another server */
request->rq_fromsvr = 1;
request->rq_perm = ATR_DFLAG_USRD | ATR_DFLAG_USWR |
ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
ATR_DFLAG_SvWR;
} else {
/* request not from another server */
request->rq_fromsvr = 0;
/*
* Client must be authenticated by a Authenticate User Request,
* if not, reject request and close connection.
* -- The following is retained for compat with old cmds --
* The exception to this is of course the Connect Request which
* cannot have been authenticated, because it contains the
* needed ticket; so trap it here. Of course, there is no
* prior authentication on the Authenticate User request either,
* but it comes over a reserved port and appears from another
* server, hence is automatically granted authorization.
*/
if (request->rq_type == PBS_BATCH_Connect) {
req_connect(request);
return;
}
if ((conn->cn_authen & PBS_NET_CONN_AUTHENTICATED) ==0) {
rc = PBSE_BADCRED;
} else {
rc = authenticate_user(request, conn);
}
if (rc != 0) {
req_reject(rc, 0, request);
if (rc == PBSE_BADCRED)
close_client(sfds);
return;
}
request->rq_perm =
svr_get_privilege(request->rq_user, request->rq_host);
}
/* if server shutting down, disallow new jobs and new running */
if (server.sv_attr[(int)SRV_ATR_State].at_val.at_long > SV_STATE_RUN) {
switch (request->rq_type) {
case PBS_BATCH_AsyrunJob:
case PBS_BATCH_JobCred:
case PBS_BATCH_UserCred:
case PBS_BATCH_UserMigrate:
case PBS_BATCH_MoveJob:
case PBS_BATCH_QueueJob:
case PBS_BATCH_RunJob:
case PBS_BATCH_StageIn:
case PBS_BATCH_jobscript:
req_reject(PBSE_SVRDOWN, 0, request);
return;
}
}
#else /* THIS CODE FOR MOM ONLY */
/* check connecting host against allowed list of ok clients */
if (!addrfind(conn->cn_addr)) {
req_reject(PBSE_BADHOST, 0, request);
close_client(sfds);
return;
}
request->rq_fromsvr = 1;
request->rq_perm = ATR_DFLAG_USRD | ATR_DFLAG_USWR |
ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
ATR_DFLAG_SvWR | ATR_DFLAG_MOM;
#endif
/*
* dispatch the request to the correct processing function.
* The processing function must call reply_send() to free
* the request struture.
*/
dispatch_request(sfds, request);
return;
}
void process_request(
int sfds) /* file descriptor (socket) to get request */
{
#ifdef PBS_MOM
char *id = "process_request";
#endif
int rc;
struct batch_request *request = NULL;
#ifndef PBS_MOM
char *auth_err = NULL;
#endif
time_now = time(NULL);
request = alloc_br(0);
request->rq_conn = sfds;
/*
* Read in the request and decode it to the internal request structure.
*/
#ifndef PBS_MOM
if (svr_conn[sfds].cn_active == FromClientDIS)
{
#ifdef ENABLE_UNIX_SOCKETS
if ((svr_conn[sfds].cn_socktype & PBS_SOCK_UNIX) &&
(svr_conn[sfds].cn_authen != PBS_NET_CONN_AUTHENTICATED))
{
get_creds(sfds, conn_credent[sfds].username, conn_credent[sfds].hostname);
}
#endif /* END ENABLE_UNIX_SOCKETS */
rc = dis_request_read(sfds, request);
}
else
{
LOG_EVENT(
PBSEVENT_SYSTEM,
PBS_EVENTCLASS_REQUEST,
"process_req",
"request on invalid type of connection");
close_conn(sfds);
free_br(request);
return;
}
#else /* PBS_MOM */
rc = dis_request_read(sfds, request);
#endif /* PBS_MOM */
if (rc == -1)
{
/* FAILURE */
/* premature end of file */
close_client(sfds);
free_br(request);
return;
}
if ((rc == PBSE_SYSTEM) || (rc == PBSE_INTERNAL))
{
/* FAILURE */
/* read error, likely cannot send reply so just disconnect */
/* ??? not sure about this ??? */
close_client(sfds);
free_br(request);
return;
}
if (rc > 0)
{
/* FAILURE */
/*
* request didn't decode, either garbage or unknown
* request type, in either case, return reject-reply
*/
req_reject(rc, 0, request, NULL, "cannot decode message");
close_client(sfds);
return;
}
if (get_connecthost(sfds, request->rq_host, PBS_MAXHOSTNAME) != 0)
{
char tmpLine[1024];
sprintf(log_buffer, "%s: %lu",
pbse_to_txt(PBSE_BADHOST),
get_connectaddr(sfds));
LOG_EVENT(PBSEVENT_DEBUG, PBS_EVENTCLASS_REQUEST, "", log_buffer);
snprintf(tmpLine, sizeof(tmpLine), "cannot determine hostname for connection from %lu",
get_connectaddr(sfds));
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
return;
}
if (LOGLEVEL >= 1)
{
sprintf(
log_buffer,
msg_request,
reqtype_to_txt(request->rq_type),
request->rq_user,
request->rq_host,
sfds);
LOG_EVENT(PBSEVENT_DEBUG2, PBS_EVENTCLASS_REQUEST, "", log_buffer);
}
/* is the request from a host acceptable to the server */
#ifndef PBS_MOM
if (svr_conn[sfds].cn_socktype & PBS_SOCK_UNIX)
{
strcpy(request->rq_host, server_name);
}
if (server.sv_attr[SRV_ATR_acl_host_enable].at_val.at_long)
{
/* acl enabled, check it; always allow myself and nodes */
struct pbsnode *isanode;
isanode = PGetNodeFromAddr(get_connectaddr(sfds));
if ((isanode == NULL) &&
(strcmp(server_host, request->rq_host) != 0) &&
(acl_check(
&server.sv_attr[SRV_ATR_acl_hosts],
request->rq_host,
ACL_Host) == 0))
{
char tmpLine[1024];
snprintf(tmpLine, sizeof(tmpLine), "request not authorized from host %s",
request->rq_host);
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
close_client(sfds);
return;
}
}
/*
* determine source (user client or another server) of request.
* set the permissions granted to the client
*/
if (svr_conn[sfds].cn_authen == PBS_NET_CONN_FROM_PRIVIL)
{
/* request came from another server */
request->rq_fromsvr = 1;
request->rq_perm =
ATR_DFLAG_USRD | ATR_DFLAG_USWR |
ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
ATR_DFLAG_SvWR;
}
else
{
/* request not from another server */
request->rq_fromsvr = 0;
/*
* Client must be authenticated by an Authenticate User Request, if not,
* reject request and close connection. -- The following is retained for
* compat with old cmds -- The exception to this is of course the Connect
* Request which cannot have been authenticated, because it contains the
* needed ticket; so trap it here. Of course, there is no prior
* authentication on the Authenticate User request either, but it comes
* over a reserved port and appears from another server, hence is
* automatically granted authentication.
*
* The above is only true with inet sockets. With unix domain sockets, the
* user creds were read before the first dis_request_read call above.
* We automatically granted authentication because we can trust the socket
* creds. Authorization is still granted in svr_get_privilege below
*/
if (request->rq_type == PBS_BATCH_Connect)
{
req_connect(request);
if (svr_conn[sfds].cn_socktype == PBS_SOCK_INET)
return;
}
if (svr_conn[sfds].cn_socktype & PBS_SOCK_UNIX)
{
conn_credent[sfds].timestamp = time_now;
svr_conn[sfds].cn_authen = PBS_NET_CONN_AUTHENTICATED;
}
if (ENABLE_TRUSTED_AUTH == TRUE )
rc = 0; /* bypass the authentication of the user--trust the client completely */
else if (munge_on)
{
/* If munge_on is true we will validate the connection now */
if ( request->rq_type == PBS_BATCH_AltAuthenUser)
{
rc = req_altauthenuser(request);
if (rc == PBSE_NONE)
{
conn_credent[sfds].timestamp = time_now;
svr_conn[sfds].cn_authen = PBS_NET_CONN_AUTHENTICATED;
}
return;
}
else if (svr_conn[sfds].cn_authen != PBS_NET_CONN_AUTHENTICATED)
/* skip checking user if we did not get an authenticated credential */
rc = PBSE_BADCRED;
else
{
rc = authenticate_user(request, &conn_credent[sfds], &auth_err);
}
}
else if (svr_conn[sfds].cn_authen != PBS_NET_CONN_AUTHENTICATED)
rc = PBSE_BADCRED;
else
rc = authenticate_user(request, &conn_credent[sfds], &auth_err);
if (rc != 0)
{
req_reject(rc, 0, request, NULL, auth_err);
if (auth_err != NULL)
free(auth_err);
close_client(sfds);
return;
}
/*
* pbs_mom and checkpoint restart scripts both need the authority to do
* alters and releases on checkpointable jobs. Allow manager permission
* for root on the jobs execution node.
*/
if (((request->rq_type == PBS_BATCH_ModifyJob) ||
(request->rq_type == PBS_BATCH_ReleaseJob)) &&
(strcmp(request->rq_user, PBS_DEFAULT_ADMIN) == 0))
{
job *pjob;
char *dptr;
int skip = FALSE;
char short_host[PBS_MAXHOSTNAME+1];
/* make short host name */
strcpy(short_host, request->rq_host);
if ((dptr = strchr(short_host, '.')) != NULL)
{
*dptr = '\0';
}
if (((pjob = find_job(request->rq_ind.rq_modify.rq_objname)) != (job *)0) &&
(pjob->ji_qs.ji_state == JOB_STATE_RUNNING))
{
if ((pjob->ji_wattr[JOB_ATR_checkpoint].at_flags & ATR_VFLAG_SET) &&
((csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "s") != NULL) ||
(csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "c") != NULL) ||
(csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "enabled") != NULL)) &&
(strstr(pjob->ji_wattr[JOB_ATR_exec_host].at_val.at_str, short_host) != NULL))
{
request->rq_perm = svr_get_privilege(request->rq_user, server_host);
skip = TRUE;
}
}
if (!skip)
{
request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
}
}
else
{
request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
}
} /* END else (svr_conn[sfds].cn_authen == PBS_NET_CONN_FROM_PRIVIL) */
/* if server shutting down, disallow new jobs and new running */
if (server.sv_attr[SRV_ATR_State].at_val.at_long > SV_STATE_RUN)
{
switch (request->rq_type)
{
case PBS_BATCH_AsyrunJob:
case PBS_BATCH_JobCred:
case PBS_BATCH_MoveJob:
case PBS_BATCH_QueueJob:
case PBS_BATCH_RunJob:
case PBS_BATCH_StageIn:
case PBS_BATCH_jobscript:
req_reject(PBSE_SVRDOWN, 0, request, NULL, NULL);
return;
/*NOTREACHED*/
break;
}
}
#else /* THIS CODE FOR MOM ONLY */
{
/*extern tree *okclients; */
extern void mom_server_update_receive_time_by_ip(u_long ipaddr, const char *cmd);
/* check connecting host against allowed list of ok clients */
if (LOGLEVEL >= 6)
{
sprintf(log_buffer, "request type %s from host %s received",
reqtype_to_txt(request->rq_type),
request->rq_host);
log_record(
PBSEVENT_JOB,
PBS_EVENTCLASS_JOB,
id,
log_buffer);
}
/* if (!tfind(svr_conn[sfds].cn_addr, &okclients)) */
if (!AVL_is_in_tree(svr_conn[sfds].cn_addr, 0, okclients))
{
sprintf(log_buffer, "request type %s from host %s rejected (host not authorized)",
reqtype_to_txt(request->rq_type),
request->rq_host);
log_record(
PBSEVENT_JOB,
PBS_EVENTCLASS_JOB,
id,
log_buffer);
req_reject(PBSE_BADHOST, 0, request, NULL, "request not authorized");
close_client(sfds);
return;
}
if (LOGLEVEL >= 3)
{
sprintf(log_buffer, "request type %s from host %s allowed",
reqtype_to_txt(request->rq_type),
request->rq_host);
log_record(
PBSEVENT_JOB,
PBS_EVENTCLASS_JOB,
id,
log_buffer);
}
mom_server_update_receive_time_by_ip(svr_conn[sfds].cn_addr, reqtype_to_txt(request->rq_type));
} /* END BLOCK */
request->rq_fromsvr = 1;
request->rq_perm =
ATR_DFLAG_USRD | ATR_DFLAG_USWR |
ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
ATR_DFLAG_SvWR | ATR_DFLAG_MOM;
#endif /* END else !PBS_MOM */
/*
* dispatch the request to the correct processing function.
* The processing function must call reply_send() to free
* the request struture.
*/
dispatch_request(sfds, request);
return;
} /* END process_request() */
int process_request(
struct tcp_chan *chan) /* file descriptor (socket) to get request */
{
int rc = PBSE_NONE;
struct batch_request *request = NULL;
char log_buf[LOCAL_LOG_BUF_SIZE];
long acl_enable = FALSE;
long state = SV_STATE_DOWN;
time_t time_now = time(NULL);
int free_request = TRUE;
char tmpLine[MAXLINE];
char *auth_err = NULL;
enum conn_type conn_active;
unsigned short conn_socktype;
unsigned short conn_authen;
unsigned long conn_addr;
int sfds = chan->sock;
pthread_mutex_lock(svr_conn[sfds].cn_mutex);
conn_active = svr_conn[sfds].cn_active;
conn_socktype = svr_conn[sfds].cn_socktype;
conn_authen = svr_conn[sfds].cn_authen;
conn_addr = svr_conn[sfds].cn_addr;
svr_conn[sfds].cn_lasttime = time_now;
pthread_mutex_unlock(svr_conn[sfds].cn_mutex);
if ((request = alloc_br(0)) == NULL)
{
snprintf(tmpLine, sizeof(tmpLine),
"cannot allocate memory for request from %lu",
conn_addr);
req_reject(PBSE_MEM_MALLOC, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_SYSTEM;
goto process_request_cleanup;
}
request->rq_conn = sfds;
/*
* Read in the request and decode it to the internal request structure.
*/
if (conn_active == FromClientDIS || conn_active == ToServerDIS)
{
#ifdef ENABLE_UNIX_SOCKETS
if ((conn_socktype & PBS_SOCK_UNIX) &&
(conn_authen != PBS_NET_CONN_AUTHENTICATED))
{
/* get_creds interestingly always returns 0 */
get_creds(sfds, conn_credent[sfds].username, conn_credent[sfds].hostname);
}
#endif /* END ENABLE_UNIX_SOCKETS */
rc = dis_request_read(chan, request);
}
else
{
char out[80];
snprintf(tmpLine, MAXLINE, "request on invalid type of connection: %d, sock type: %d, from address %s",
conn_active,conn_socktype, netaddr_long(conn_addr, out));
log_event(PBSEVENT_SYSTEM, PBS_EVENTCLASS_REQUEST,
"process_req", tmpLine);
snprintf(tmpLine, sizeof(tmpLine),
"request on invalid type of connection (%d) from %s",
conn_active,
netaddr_long(conn_addr, out));
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_BADHOST;
goto process_request_cleanup;
}
if (rc == -1)
{
/* FAILURE */
/* premature end of file */
rc = PBSE_PREMATURE_EOF;
goto process_request_cleanup;
}
if ((rc == PBSE_SYSTEM) || (rc == PBSE_INTERNAL) || (rc == PBSE_SOCKET_CLOSE))
{
/* FAILURE */
/* read error, likely cannot send reply so just disconnect */
/* ??? not sure about this ??? */
goto process_request_cleanup;
}
if (rc > 0)
{
/* FAILURE */
/*
* request didn't decode, either garbage or unknown
* request type, in either case, return reject-reply
*/
req_reject(rc, 0, request, NULL, "cannot decode message");
free_request = FALSE;
goto process_request_cleanup;
}
if (get_connecthost(sfds, request->rq_host, PBS_MAXHOSTNAME) != 0)
{
sprintf(log_buf, "%s: %lu",
pbse_to_txt(PBSE_BADHOST),
conn_addr);
log_event(PBSEVENT_DEBUG, PBS_EVENTCLASS_REQUEST, "", log_buf);
snprintf(tmpLine, sizeof(tmpLine),
"cannot determine hostname for connection from %lu",
conn_addr);
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_BADHOST;
goto process_request_cleanup;
}
if (LOGLEVEL >= 1)
{
sprintf(log_buf,
msg_request,
reqtype_to_txt(request->rq_type),
request->rq_user,
request->rq_host,
sfds);
log_event(PBSEVENT_DEBUG2, PBS_EVENTCLASS_REQUEST, "", log_buf);
}
/* is the request from a host acceptable to the server */
if (conn_socktype & PBS_SOCK_UNIX)
{
strcpy(request->rq_host, server_name);
}
get_svr_attr_l(SRV_ATR_acl_host_enable, &acl_enable);
if (acl_enable)
{
/* acl enabled, check it; always allow myself and nodes */
struct array_strings *pas = NULL;
struct pbsnode *isanode;
get_svr_attr_arst(SRV_ATR_acl_hosts, &pas);
isanode = PGetNodeFromAddr(conn_addr);
if ((isanode == NULL) &&
(strcmp(server_host, request->rq_host) != 0) &&
(acl_check_my_array_string(pas, request->rq_host, ACL_Host) == 0))
{
char tmpLine[MAXLINE];
snprintf(tmpLine, sizeof(tmpLine), "request not authorized from host %s",
request->rq_host);
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_BADHOST;
goto process_request_cleanup;
}
if (isanode != NULL)
unlock_node(isanode, "process_request", NULL, LOGLEVEL);
}
/*
* determine source (user client or another server) of request.
* set the permissions granted to the client
*/
if (conn_authen == PBS_NET_CONN_FROM_PRIVIL)
{
/* request came from another server */
request->rq_fromsvr = 1;
request->rq_perm =
ATR_DFLAG_USRD | ATR_DFLAG_USWR |
ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
ATR_DFLAG_SvWR;
}
else
{
/* request not from another server */
conn_credent[sfds].timestamp = time_now;
request->rq_fromsvr = 0;
/*
* Client must be authenticated by an Authenticate User Request, if not,
* reject request and close connection. -- The following is retained for
* compat with old cmds -- The exception to this is of course the Connect
* Request which cannot have been authenticated, because it contains the
* needed ticket; so trap it here. Of course, there is no prior
* authentication on the Authenticate User request either, but it comes
* over a reserved port and appears from another server, hence is
* automatically granted authentication.
*
* The above is only true with inet sockets. With unix domain sockets, the
* user creds were read before the first dis_request_read call above.
* We automatically granted authentication because we can trust the socket
* creds. Authorization is still granted in svr_get_privilege below
*/
if (request->rq_type == PBS_BATCH_Connect)
{
req_connect(request);
if (conn_socktype == PBS_SOCK_INET)
{
rc = PBSE_IVALREQ;
req_reject(rc, 0, request, NULL, NULL);
free_request = FALSE;
goto process_request_cleanup;
}
}
if (conn_socktype & PBS_SOCK_UNIX)
{
pthread_mutex_lock(svr_conn[sfds].cn_mutex);
svr_conn[sfds].cn_authen = PBS_NET_CONN_AUTHENTICATED;
pthread_mutex_unlock(svr_conn[sfds].cn_mutex);
}
if (ENABLE_TRUSTED_AUTH == TRUE )
rc = PBSE_NONE; /* bypass the authentication of the user--trust the client completely */
else if (munge_on)
{
/* If munge_on is true we will validate the connection now */
if (request->rq_type == PBS_BATCH_AltAuthenUser)
{
rc = req_altauthenuser(request);
free_request = FALSE;
goto process_request_cleanup;
}
else
{
rc = authenticate_user(request, &conn_credent[sfds], &auth_err);
}
}
else if (conn_authen != PBS_NET_CONN_AUTHENTICATED)
/* skip checking user if we did not get an authenticated credential */
rc = PBSE_BADCRED;
else
rc = authenticate_user(request, &conn_credent[sfds], &auth_err);
if (rc != 0)
{
req_reject(rc, 0, request, NULL, auth_err);
if (auth_err != NULL)
free(auth_err);
free_request = FALSE;
goto process_request_cleanup;
}
/*
* pbs_mom and checkpoint restart scripts both need the authority to do
* alters and releases on checkpointable jobs. Allow manager permission
* for root on the jobs execution node.
*/
if (((request->rq_type == PBS_BATCH_ModifyJob) ||
(request->rq_type == PBS_BATCH_ReleaseJob)) &&
(strcmp(request->rq_user, PBS_DEFAULT_ADMIN) == 0))
{
job *pjob;
char *dptr;
int skip = FALSE;
char short_host[PBS_MAXHOSTNAME+1];
/* make short host name */
strcpy(short_host, request->rq_host);
if ((dptr = strchr(short_host, '.')) != NULL)
{
*dptr = '\0';
}
if ((pjob = svr_find_job(request->rq_ind.rq_modify.rq_objname, FALSE)) != (job *)0)
{
if (pjob->ji_qs.ji_state == JOB_STATE_RUNNING)
{
if ((pjob->ji_wattr[JOB_ATR_checkpoint].at_flags & ATR_VFLAG_SET) &&
((csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "s") != NULL) ||
(csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "c") != NULL) ||
(csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "enabled") != NULL)) &&
(strstr(pjob->ji_wattr[JOB_ATR_exec_host].at_val.at_str, short_host) != NULL))
{
request->rq_perm = svr_get_privilege(request->rq_user, server_host);
skip = TRUE;
}
}
unlock_ji_mutex(pjob, __func__, "1", LOGLEVEL);
}
if (!skip)
{
request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
}
}
else
{
request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
}
} /* END else (conn_authen == PBS_NET_CONN_FROM_PRIVIL) */
/* if server shutting down, disallow new jobs and new running */
get_svr_attr_l(SRV_ATR_State, &state);
if (state > SV_STATE_RUN)
{
switch (request->rq_type)
{
case PBS_BATCH_AsyrunJob:
case PBS_BATCH_JobCred:
case PBS_BATCH_MoveJob:
case PBS_BATCH_QueueJob:
case PBS_BATCH_RunJob:
case PBS_BATCH_StageIn:
case PBS_BATCH_jobscript:
req_reject(PBSE_SVRDOWN, 0, request, NULL, NULL);
rc = PBSE_SVRDOWN;
free_request = FALSE;
goto process_request_cleanup;
/*NOTREACHED*/
break;
}
}
/*
* dispatch the request to the correct processing function.
* The processing function must call reply_send() to free
* the request struture.
*/
rc = dispatch_request(sfds, request);
return(rc);
process_request_cleanup:
if (free_request == TRUE)
free_br(request);
return(rc);
} /* END process_request() */
void *mom_process_request(
void *sock_num) /* file descriptor (socket) to get request */
{
int rc;
struct batch_request *request = NULL;
int sfds = *(int *)sock_num;
struct tcp_chan *chan = NULL;
time_now = time(NULL);
if ((request = alloc_br(0)) == NULL)
{
mom_close_client(sfds);
return NULL;
}
request->rq_conn = sfds;
if ((chan = DIS_tcp_setup(sfds)) == NULL)
{
mom_close_client(sfds);
free_br(request);
return NULL;
}
/* Read in the request and decode it to the internal request structure. */
rc = dis_request_read(chan, request);
if (rc == -1)
{
/* FAILURE */
/* premature end of file */
mom_close_client(chan->sock);
free_br(request);
DIS_tcp_cleanup(chan);
return NULL;
}
if ((rc == PBSE_SYSTEM) || (rc == PBSE_INTERNAL) || (rc == PBSE_SOCKET_CLOSE))
{
/* FAILURE */
/* read error, likely cannot send reply so just disconnect */
/* ??? not sure about this ??? */
mom_close_client(chan->sock);
free_br(request);
DIS_tcp_cleanup(chan);
return NULL;
}
if (rc > 0)
{
/* FAILURE */
/*
* request didn't decode, either garbage or unknown
* request type, in either case, return reject-reply
*/
req_reject(rc, 0, request, NULL, "cannot decode message");
mom_close_client(chan->sock);
DIS_tcp_cleanup(chan);
return NULL;
}
if (get_connecthost(chan->sock, request->rq_host, PBS_MAXHOSTNAME) != 0)
{
char tmpLine[MAXLINE];
sprintf(log_buffer, "%s: %lu",
pbse_to_txt(PBSE_BADHOST),
get_connectaddr(chan->sock,FALSE));
log_event(PBSEVENT_DEBUG, PBS_EVENTCLASS_REQUEST, "", log_buffer);
snprintf(tmpLine, sizeof(tmpLine), "cannot determine hostname for connection from %lu",
get_connectaddr(chan->sock,FALSE));
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
mom_close_client(chan->sock);
DIS_tcp_cleanup(chan);
return NULL;
}
if (LOGLEVEL >= 1)
{
sprintf(
log_buffer,
msg_request,
reqtype_to_txt(request->rq_type),
request->rq_user,
request->rq_host,
chan->sock);
log_event(PBSEVENT_DEBUG2, PBS_EVENTCLASS_REQUEST, "", log_buffer);
}
/* is the request from a host acceptable to the server */
{
/*extern tree *okclients; */
extern void mom_server_update_receive_time_by_ip(u_long ipaddr, const char *cmd);
/* check connecting host against allowed list of ok clients */
if (LOGLEVEL >= 6)
{
sprintf(log_buffer, "request type %s from host %s received",
reqtype_to_txt(request->rq_type),
request->rq_host);
log_record(PBSEVENT_JOB, PBS_EVENTCLASS_JOB, __func__, log_buffer);
}
if (!AVL_is_in_tree_no_port_compare(svr_conn[chan->sock].cn_addr, 0, okclients))
{
sprintf(log_buffer, "request type %s from host %s rejected (host not authorized)",
reqtype_to_txt(request->rq_type),
request->rq_host);
log_record(PBSEVENT_JOB, PBS_EVENTCLASS_JOB, __func__, log_buffer);
req_reject(PBSE_BADHOST, 0, request, NULL, "request not authorized");
mom_close_client(chan->sock);
DIS_tcp_cleanup(chan);
return NULL;
}
if (LOGLEVEL >= 3)
{
sprintf(log_buffer, "request type %s from host %s allowed",
reqtype_to_txt(request->rq_type),
request->rq_host);
log_record(PBSEVENT_JOB, PBS_EVENTCLASS_JOB, __func__, log_buffer);
}
mom_server_update_receive_time_by_ip(svr_conn[chan->sock].cn_addr, reqtype_to_txt(request->rq_type));
} /* END BLOCK */
request->rq_fromsvr = 1;
request->rq_perm =
ATR_DFLAG_USRD | ATR_DFLAG_USWR |
ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
ATR_DFLAG_SvWR | ATR_DFLAG_MOM;
/*
* dispatch the request to the correct processing function.
* The processing function must call reply_send() to free
* the request struture.
*/
mom_dispatch_request(chan->sock, request);
DIS_tcp_cleanup(chan);
return NULL;
} /* END mom_process_request() */
