int init_resc_defs(void)
{
int rindex = 0;
int dindex = 0;
int unkindex = 0;
#ifndef PBS_MOM
resource_def *tmpresc = NULL;
struct array_strings *resc_arst = NULL;
char *extra_resc;
int resc_num = 0;
#endif
svr_resc_size = sizeof(svr_resc_def_const) / sizeof(resource_def);
#ifndef PBS_MOM
/* build up a temporary list of string resources */
if (get_svr_attr_arst(SRV_ATR_ExtraResc, &resc_arst) == PBSE_NONE)
{
tmpresc = (resource_def *)calloc(resc_arst->as_usedptr + 1, sizeof(resource_def));
if (tmpresc == NULL)
{
return(-1);
}
for (resc_num = 0;resc_num < resc_arst->as_usedptr;resc_num++)
{
extra_resc = resc_arst->as_string[resc_num];
(tmpresc + resc_num)->rs_name = strdup(extra_resc);
(tmpresc + resc_num)->rs_decode = decode_str;
(tmpresc + resc_num)->rs_encode = encode_str;
(tmpresc + resc_num)->rs_set = set_str;
(tmpresc + resc_num)->rs_comp = comp_str;
(tmpresc + resc_num)->rs_free = free_str;
(tmpresc + resc_num)->rs_action = NULL_FUNC;
(tmpresc + resc_num)->rs_flags = READ_WRITE;
(tmpresc + resc_num)->rs_type = ATR_TYPE_STR;
dindex++;
}
}
#endif
svr_resc_def = (resource_def *)calloc(svr_resc_size + dindex, sizeof(resource_def));
if (svr_resc_def == NULL)
{
#ifndef PBS_MOM
if (tmpresc != NULL)
free(tmpresc);
#endif
return(-1);
}
/* copy all const resources, except for the last "unknown" */
for (rindex = 0; rindex < (svr_resc_size - 1); rindex++)
{
memcpy(svr_resc_def + rindex, svr_resc_def_const + rindex, sizeof(resource_def));
}
unkindex = rindex;
#ifndef PBS_MOM
/* copy our dynamic resources */
if (tmpresc)
{
for (dindex = 0; (tmpresc + dindex)->rs_decode; dindex++)
{
if (find_resc_def(svr_resc_def, (tmpresc + dindex)->rs_name, rindex) == NULL)
{
memcpy(svr_resc_def + rindex, tmpresc + dindex, sizeof(resource_def));
rindex++;
}
}
free(tmpresc);
}
#endif
/* copy the last "unknown" resource */
memcpy(svr_resc_def + rindex, svr_resc_def_const + unkindex, sizeof(resource_def));
svr_resc_size = rindex + 1;
return(PBSE_NONE);
} /* END init_resc_defs() */
int authenticate_user(
struct batch_request *preq, /* I */
struct credential *pcred,
char **autherr) /* O */
{
int rc;
char uath[PBS_MAXUSER + PBS_MAXHOSTNAME + 1];
time_t time_now = time(NULL);
char error_msg[1024];
bool acl_enabled = false;
#ifdef MUNGE_AUTH
if (strncmp(preq->rq_user, pcred->username, PBS_MAXUSER))
{
/* extra check for munge */
struct array_strings *my_acl = NULL;
char uh[PBS_MAXUSER + PBS_MAXHOSTNAME + 2];
sprintf(uh, "%s@%s", preq->rq_user, pcred->hostname);
get_svr_attr_arst(SRV_ATR_authusers, &my_acl);
if ((acl_check_my_array_string(my_acl, uh, ACL_User_Host)) == 0)
{
*autherr = strdup("User not in authorized user list.");
sprintf(error_msg, "%s Requested user %s: requested from host %s",
*autherr, preq->rq_user, preq->rq_host);
log_event(PBSEVENT_ADMIN, PBS_EVENTCLASS_SERVER, __func__, error_msg);
return(PBSE_BADCRED);
}
}
#else
if (strncmp(preq->rq_user, pcred->username, PBS_MAXUSER))
{
*autherr = strdup("Users do not match");
sprintf(error_msg, "%s: Requested user %s: credential user %s: requested from host %s",
*autherr, preq->rq_user, pcred->username, preq->rq_host);
log_event(PBSEVENT_ADMIN, PBS_EVENTCLASS_SERVER, __func__, error_msg);
return(PBSE_BADCRED);
}
#endif
if (strncmp(preq->rq_host, pcred->hostname, PBS_MAXHOSTNAME))
{
struct sockaddr_in *sai1;
struct sockaddr_in *sai2;
struct addrinfo *addr_info1 = NULL;
struct addrinfo *addr_info2 = NULL;
sai1 = get_cached_addrinfo(preq->rq_host);
sai2 = get_cached_addrinfo(pcred->hostname);
if ((sai1 == NULL) &&
(pbs_getaddrinfo(preq->rq_host, NULL, &addr_info1) == PBSE_NONE))
{
sai1 = (struct sockaddr_in *)addr_info1->ai_addr;
}
if ((sai2 == NULL) &&
(pbs_getaddrinfo(pcred->hostname, NULL, &addr_info2) == PBSE_NONE))
{
sai2 = (struct sockaddr_in *)addr_info2->ai_addr;
}
if ((sai1 == NULL) ||
(sai2 == NULL) ||
(memcmp(sai1, sai2, sizeof(struct sockaddr_in))))
{
*autherr = strdup("Hosts do not match");
sprintf(error_msg, "%s: Requested host %s: credential host: %s",
*autherr, preq->rq_host, pcred->hostname);
log_event(PBSEVENT_ADMIN, PBS_EVENTCLASS_SERVER, __func__, error_msg);
return(PBSE_BADCRED);
}
}
if (pcred->timestamp)
{
long lifetime = 0;
if (get_svr_attr_l(SRV_ATR_CredentialLifetime, &lifetime) == PBSE_NONE)
{
/* use configured value if set */
}
else
{
/* if not use the default */
lifetime = CREDENTIAL_LIFETIME;
}
/* negative values mean that credentials have an infinite lifetime */
if (lifetime > -1)
{
if ((pcred->timestamp - CREDENTIAL_TIME_DELTA > time_now) ||
(pcred->timestamp + lifetime < time_now))
{
return(PBSE_EXPIRED);
}
}
}
/* If Server's Acl_User enabled, check if user in list */
get_svr_attr_b(SRV_ATR_AclUserEnabled, &acl_enabled);
if (acl_enabled)
{
struct array_strings *acl_users = NULL;
snprintf(uath, sizeof(uath), "%s@%s", preq->rq_user, preq->rq_host);
get_svr_attr_arst(SRV_ATR_AclUsers, &acl_users);
if (acl_check_my_array_string(acl_users, uath, ACL_User) == 0)
{
int my_err;
pbs_net_t connect_addr = get_hostaddr(&my_err, preq->rq_host);
pbs_net_t server_addr = get_hostaddr(&my_err, server_host);
#ifdef __CYGWIN__
if ((!IamAdminByName(preq->rq_user)) ||
(connect_addr != server_addr))
{
return(PBSE_PERM);
}
#else /* __CYGWIN__ */
#ifdef PBS_ROOT_ALWAYS_ADMIN
if ((strcmp(preq->rq_user, PBS_DEFAULT_ADMIN) != 0) ||
(connect_addr != server_addr))
{
return(PBSE_PERM);
}
#else /* PBS_ROOT_ALWAYS_ADMIN */
return(PBSE_PERM);
#endif /* PBS_ROOT_ALWAYS_ADMIN */
#endif /* __CYGWIN__ */
}
}
/* A site stub for additional checking */
rc = site_allow_u(preq->rq_user, preq->rq_host);
return(rc);
} /* END authenticate_user() */
int set_jobexid(
job *pjob, /* I */
pbs_attribute *attrry, /* I */
char *EMsg) /* O (optional,minsize=1024) */
{
int addflags = 0;
pbs_attribute *pattr;
char **pmem;
struct group *gpent;
int free_puser = FALSE;
char *puser = NULL;
char *at;
char *usr_at_host = NULL;
int len;
struct passwd *pwent = NULL;
char *pgrpn;
int free_pgrpn = TRUE;
char gname[PBS_MAXGRPN + 1];
#ifdef _CRAY
struct udb *pudb;
#endif
char tmpLine[1024 + 1];
char log_buf[LOCAL_LOG_BUF_SIZE];
long disable_id_check = 0;
int CheckID; /* boolean */
if (EMsg != NULL)
EMsg[0] = '\0';
/* use the passed User_List if set, may be a newly modified one */
/* if not set, fall back to the job's actual User_List, may be same */
if (get_svr_attr_l(SRV_ATR_DisableServerIdCheck, &disable_id_check) != PBSE_NONE)
CheckID = 1;
else
CheckID = !disable_id_check;
if (CheckID == 0)
{
/* NOTE: use owner, not userlist - should this be changed? */
/* Yes, changed 10/17/2007 */
if (pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str != NULL)
{
/* start of change to use userlist instead of owner 10/17/2007 */
if ((attrry + JOB_ATR_userlst)->at_flags & ATR_VFLAG_SET)
pattr = attrry + JOB_ATR_userlst;
else
pattr = &pjob->ji_wattr[JOB_ATR_userlst];
if (pjob->ji_wattr[JOB_ATR_proxy_user].at_flags & ATR_VFLAG_SET)
{
puser = pjob->ji_wattr[JOB_ATR_proxy_user].at_val.at_str;
/* set the job's owner as the new user, appending @host if
* the job's owner has that */
at = strchr(pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str,'@');
len = strlen(puser) + 1;
if (at != NULL)
{
len += strlen(at);
usr_at_host = (char *)calloc(len, sizeof(char));
snprintf(usr_at_host,len,"%s%s",
puser,
at);
}
else
{
usr_at_host = (char *)calloc(len, sizeof(char));
snprintf(usr_at_host,len,"%s",
puser);
}
free(pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str);
pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str = usr_at_host;
}
else if ((puser = geteusernam(pjob, pattr)) == NULL)
{
if (EMsg != NULL)
snprintf(EMsg, 1024, "cannot locate user name in job");
return(PBSE_BADUSER);
}
free_puser = TRUE;
sprintf(tmpLine, "%s", puser);
/* end of change to use userlist instead of owner 10/17/2007 */
}
else
{
strcpy(tmpLine, "???");
}
} /* END if (CheckID == 0) */
else
{
int perm;
if ((attrry + JOB_ATR_userlst)->at_flags & ATR_VFLAG_SET)
pattr = attrry + JOB_ATR_userlst;
else
pattr = &pjob->ji_wattr[JOB_ATR_userlst];
free_puser = TRUE;
if ((puser = geteusernam(pjob, pattr)) == NULL)
{
if (EMsg != NULL)
snprintf(EMsg, 1024, "cannot locate user name in job");
return(PBSE_BADUSER);
}
pwent = getpwnam_ext(puser);
perm = svr_get_privilege(puser,get_variable(pjob,(char *)"PBS_O_HOST"));
if (pwent == NULL)
{
snprintf(log_buf,sizeof(log_buf),
"User %s does not exist in server password file\n",
puser);
log_err(errno, __func__, log_buf);
if (EMsg != NULL)
snprintf(EMsg,1024,"%s",log_buf);
free(puser);
return(PBSE_BADUSER);
}
if ((pwent->pw_uid == 0) ||
(perm & ATR_DFLAG_MGWR))
{
struct array_strings *pas = NULL;
get_svr_attr_arst(SRV_ATR_AclRoot, &pas);
/* add check here for virtual user */
if (pjob->ji_wattr[JOB_ATR_proxy_user].at_flags & ATR_VFLAG_SET)
{
free(puser);
free_puser = FALSE;
puser = pjob->ji_wattr[JOB_ATR_proxy_user].at_val.at_str;
pwent = getpwnam_ext(puser);
if (pwent == NULL)
{
snprintf(log_buf,sizeof(log_buf),
"User %s does not exist in server password file\n",
puser);
log_err(errno, __func__, log_buf);
if (EMsg != NULL)
snprintf(EMsg,1024,"%s",log_buf);
return(PBSE_BADUSER);
}
/* set the job's owner as the new user */
at = strchr(pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str,'@');
len = strlen(puser) + 1;
if (at != NULL)
{
len += strlen(at);
usr_at_host = (char *)calloc(len, sizeof(char));
snprintf(usr_at_host,len,"%s%s",
puser,
at);
}
else
{
usr_at_host = (char *)calloc(len, sizeof(char));
snprintf(usr_at_host,len,"%s",
puser);
}
free(pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str);
pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str = usr_at_host;
}
else if (get_svr_attr_arst(SRV_ATR_AclRoot, &pas) == PBSE_NONE)
{
if (acl_check_my_array_string(pas, pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str, ACL_User) == 0)
{
if (EMsg != NULL)
snprintf(EMsg, 1024, "root user %s fails ACL check",
puser);
if (free_puser == TRUE)
free(puser);
return(PBSE_BADUSER); /* root not allowed */
}
}
else if (pwent->pw_uid == 0)
{
if (EMsg != NULL)
snprintf(EMsg, 1024, "root user %s not allowed",
puser);
if (free_puser == TRUE)
free(puser);
return(PBSE_BADUSER); /* root not allowed */
}
} /* END if (pwent->pw_uid == 0) */
else if (pjob->ji_wattr[JOB_ATR_proxy_user].at_flags & ATR_VFLAG_SET)
{
/* cannot submit a proxy job if not root or a manager */
if (EMsg != NULL)
{
snprintf(EMsg, 1024,
"User '%s' is attempting to submit a proxy job for user '%s' but is not a manager",
puser,
pjob->ji_wattr[JOB_ATR_proxy_user].at_val.at_str);
}
snprintf(log_buf, 1024,
"User '%s' is attempting to submit a proxy job for user '%s' but is not a manager",
puser,
pjob->ji_wattr[JOB_ATR_proxy_user].at_val.at_str);
log_err(PBSE_BADUSER, __func__, log_buf);
if (free_puser == TRUE)
free(puser);
return(PBSE_BADUSER);
}
if (site_check_user_map(pjob, puser, EMsg, LOGLEVEL) == -1)
{
if (free_puser == TRUE)
free(puser);
return(PBSE_BADUSER);
}
snprintf(tmpLine, sizeof(tmpLine), "%s", puser);
} /* END else (CheckID == 0) */
pattr = attrry + JOB_ATR_euser;
job_attr_def[JOB_ATR_euser].at_free(pattr);
job_attr_def[JOB_ATR_euser].at_decode(pattr, NULL, NULL, tmpLine, 0);
#ifdef _CRAY
/* on cray check UDB (user data base) for permission to batch it */
if ((pwent != NULL) && (puser != NULL))
{
pudb = getudbuid(pwent->pw_uid);
endudb();
if (pudb == UDB_NULL)
{
if (EMsg != NULL)
snprintf(EMsg, 1024, "user %s not located in user data base",
puser);
if (free_puser == TRUE)
free(puser);
return(PBSE_BADUSER);
}
if (pudb->ue_permbits & (PERMBITS_NOBATCH | PERMBITS_RESTRICTED))
{
if (free_puser == TRUE)
free(puser);
return(PBSE_QACESS);
}
/* if account (qsub -A) not specified, set default from UDB */
pattr = attrry + JOB_ATR_account;
if ((pattr->at_flags & ATR_VFLAG_SET) == 0)
{
job_attr_def[JOB_ATR_account].at_decode(
pattr,
NULL,
NULL,
(char *)acid2nam(pudb->ue_acids[0]));
}
} /* END if ((pwent != NULL) && (puser != NULL)) */
#endif /* _CRAY */
/*
* now figure out the group name under which the job should execute
* PBS requires that each group have an entry in the group file,
* see the admin guide for the reason why...
*
* use the passed group_list if set, may be a newly modified one
* if not set, fall back to the job's actual group_list, may be same
*/
if ((attrry + JOB_ATR_grouplst)->at_flags & ATR_VFLAG_SET)
pattr = attrry + JOB_ATR_grouplst;
else
pattr = &pjob->ji_wattr[JOB_ATR_grouplst];
/* extract user-specified egroup if it exists */
pgrpn = getegroup(pjob, pattr);
if (pgrpn == NULL)
{
free_pgrpn = FALSE;
if ((pwent != NULL) || ((pwent = getpwnam_ext(puser)) != NULL))
{
/* egroup not specified - use user login group */
gpent = getgrgid(pwent->pw_gid);
if (gpent != NULL)
{
pgrpn = gpent->gr_name; /* use group name */
}
else
{
sprintf(gname, "%ld",
(long)pwent->pw_gid);
pgrpn = gname; /* turn gid into string */
}
}
else if (CheckID == 0)
{
strcpy(gname, "???");
pgrpn = gname;
}
else
{
log_err(errno, __func__, (char *)"getpwnam failed");
if (EMsg != NULL)
snprintf(EMsg, 1024, "user does not exist in server password file");
if (free_puser == TRUE)
free(puser);
return(PBSE_BADUSER);
}
/*
* setting the DEFAULT flag is a "kludgy" way to keep MOM from
* having to do an unneeded look up of the group file.
* We needed to have JOB_ATR_egroup set for the server but
* MOM only wants it if it is not the login group, so there!
*/
addflags = ATR_VFLAG_DEFLT;
} /* END if ((pgrpn = getegroup(pjob,pattr))) */
else if (CheckID == 0)
{
/* egroup specified - do not validate group within server */
/* NO-OP */
}
else
{
/* user specified a group, group must exist and either */
/* must be user's primary group or the user must be in it */
gpent = getgrnam_ext(pgrpn);
if (gpent == NULL)
{
if (CheckID == 0)
{
strcpy(gname, "???");
pgrpn = gname;
}
else
if (EMsg != NULL)
snprintf(EMsg, 1024, "cannot locate group %s in server group file",
pgrpn);
if (free_puser == TRUE)
free(puser);
free(pgrpn);
return(PBSE_BADGRP); /* no such group */
}
if (gpent->gr_gid != pwent->pw_gid)
{
/* not primary group */
pmem = gpent->gr_mem;
while (*pmem != NULL)
{
if (!strcmp(puser, *pmem))
break;
++pmem;
}
if (*pmem == NULL)
{
/* requested group not allowed */
snprintf(log_buf,sizeof(log_buf),
"user %s is not a member of group %s in server password file",
puser,
pgrpn);
log_err(-1, __func__, log_buf);
if (EMsg != NULL)
snprintf(EMsg, 1024, "%s",log_buf);
if (free_puser == TRUE)
free(puser);
free(pgrpn);
return(PBSE_BADGRP); /* user not in group */
}
}
} /* END if ((pgrpn = getegroup(pjob,pattr))) */
/* set new group */
pattr = attrry + JOB_ATR_egroup;
job_attr_def[JOB_ATR_egroup].at_free(pattr);
job_attr_def[JOB_ATR_egroup].at_decode(pattr, NULL, NULL, pgrpn, 0);
pattr->at_flags |= addflags;
/* SUCCESS */
if (free_puser == TRUE)
free(puser);
if (free_pgrpn == TRUE)
free(pgrpn);
return(0);
} /* END set_jobexid() */
int process_request(
struct tcp_chan *chan) /* file descriptor (socket) to get request */
{
int rc = PBSE_NONE;
struct batch_request *request = NULL;
char log_buf[LOCAL_LOG_BUF_SIZE];
long acl_enable = FALSE;
long state = SV_STATE_DOWN;
time_t time_now = time(NULL);
int free_request = TRUE;
char tmpLine[MAXLINE];
char *auth_err = NULL;
enum conn_type conn_active;
unsigned short conn_socktype;
unsigned short conn_authen;
unsigned long conn_addr;
int sfds = chan->sock;
pthread_mutex_lock(svr_conn[sfds].cn_mutex);
conn_active = svr_conn[sfds].cn_active;
conn_socktype = svr_conn[sfds].cn_socktype;
conn_authen = svr_conn[sfds].cn_authen;
conn_addr = svr_conn[sfds].cn_addr;
svr_conn[sfds].cn_lasttime = time_now;
pthread_mutex_unlock(svr_conn[sfds].cn_mutex);
if ((request = alloc_br(0)) == NULL)
{
snprintf(tmpLine, sizeof(tmpLine),
"cannot allocate memory for request from %lu",
conn_addr);
req_reject(PBSE_MEM_MALLOC, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_SYSTEM;
goto process_request_cleanup;
}
request->rq_conn = sfds;
/*
* Read in the request and decode it to the internal request structure.
*/
if (conn_active == FromClientDIS || conn_active == ToServerDIS)
{
#ifdef ENABLE_UNIX_SOCKETS
if ((conn_socktype & PBS_SOCK_UNIX) &&
(conn_authen != PBS_NET_CONN_AUTHENTICATED))
{
/* get_creds interestingly always returns 0 */
get_creds(sfds, conn_credent[sfds].username, conn_credent[sfds].hostname);
}
#endif /* END ENABLE_UNIX_SOCKETS */
rc = dis_request_read(chan, request);
}
else
{
char out[80];
snprintf(tmpLine, MAXLINE, "request on invalid type of connection: %d, sock type: %d, from address %s",
conn_active,conn_socktype, netaddr_long(conn_addr, out));
log_event(PBSEVENT_SYSTEM, PBS_EVENTCLASS_REQUEST,
"process_req", tmpLine);
snprintf(tmpLine, sizeof(tmpLine),
"request on invalid type of connection (%d) from %s",
conn_active,
netaddr_long(conn_addr, out));
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_BADHOST;
goto process_request_cleanup;
}
if (rc == -1)
{
/* FAILURE */
/* premature end of file */
rc = PBSE_PREMATURE_EOF;
goto process_request_cleanup;
}
if ((rc == PBSE_SYSTEM) || (rc == PBSE_INTERNAL) || (rc == PBSE_SOCKET_CLOSE))
{
/* FAILURE */
/* read error, likely cannot send reply so just disconnect */
/* ??? not sure about this ??? */
goto process_request_cleanup;
}
if (rc > 0)
{
/* FAILURE */
/*
* request didn't decode, either garbage or unknown
* request type, in either case, return reject-reply
*/
req_reject(rc, 0, request, NULL, "cannot decode message");
free_request = FALSE;
goto process_request_cleanup;
}
if (get_connecthost(sfds, request->rq_host, PBS_MAXHOSTNAME) != 0)
{
sprintf(log_buf, "%s: %lu",
pbse_to_txt(PBSE_BADHOST),
conn_addr);
log_event(PBSEVENT_DEBUG, PBS_EVENTCLASS_REQUEST, "", log_buf);
snprintf(tmpLine, sizeof(tmpLine),
"cannot determine hostname for connection from %lu",
conn_addr);
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_BADHOST;
goto process_request_cleanup;
}
if (LOGLEVEL >= 1)
{
sprintf(log_buf,
msg_request,
reqtype_to_txt(request->rq_type),
request->rq_user,
request->rq_host,
sfds);
log_event(PBSEVENT_DEBUG2, PBS_EVENTCLASS_REQUEST, "", log_buf);
}
/* is the request from a host acceptable to the server */
if (conn_socktype & PBS_SOCK_UNIX)
{
strcpy(request->rq_host, server_name);
}
get_svr_attr_l(SRV_ATR_acl_host_enable, &acl_enable);
if (acl_enable)
{
/* acl enabled, check it; always allow myself and nodes */
struct array_strings *pas = NULL;
struct pbsnode *isanode;
get_svr_attr_arst(SRV_ATR_acl_hosts, &pas);
isanode = PGetNodeFromAddr(conn_addr);
if ((isanode == NULL) &&
(strcmp(server_host, request->rq_host) != 0) &&
(acl_check_my_array_string(pas, request->rq_host, ACL_Host) == 0))
{
char tmpLine[MAXLINE];
snprintf(tmpLine, sizeof(tmpLine), "request not authorized from host %s",
request->rq_host);
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_BADHOST;
goto process_request_cleanup;
}
if (isanode != NULL)
unlock_node(isanode, "process_request", NULL, LOGLEVEL);
}
/*
* determine source (user client or another server) of request.
* set the permissions granted to the client
*/
if (conn_authen == PBS_NET_CONN_FROM_PRIVIL)
{
/* request came from another server */
request->rq_fromsvr = 1;
request->rq_perm =
ATR_DFLAG_USRD | ATR_DFLAG_USWR |
ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
ATR_DFLAG_SvWR;
}
else
{
/* request not from another server */
conn_credent[sfds].timestamp = time_now;
request->rq_fromsvr = 0;
/*
* Client must be authenticated by an Authenticate User Request, if not,
* reject request and close connection. -- The following is retained for
* compat with old cmds -- The exception to this is of course the Connect
* Request which cannot have been authenticated, because it contains the
* needed ticket; so trap it here. Of course, there is no prior
* authentication on the Authenticate User request either, but it comes
* over a reserved port and appears from another server, hence is
* automatically granted authentication.
*
* The above is only true with inet sockets. With unix domain sockets, the
* user creds were read before the first dis_request_read call above.
* We automatically granted authentication because we can trust the socket
* creds. Authorization is still granted in svr_get_privilege below
*/
if (request->rq_type == PBS_BATCH_Connect)
{
req_connect(request);
if (conn_socktype == PBS_SOCK_INET)
{
rc = PBSE_IVALREQ;
req_reject(rc, 0, request, NULL, NULL);
free_request = FALSE;
goto process_request_cleanup;
}
}
if (conn_socktype & PBS_SOCK_UNIX)
{
pthread_mutex_lock(svr_conn[sfds].cn_mutex);
svr_conn[sfds].cn_authen = PBS_NET_CONN_AUTHENTICATED;
pthread_mutex_unlock(svr_conn[sfds].cn_mutex);
}
if (ENABLE_TRUSTED_AUTH == TRUE )
rc = PBSE_NONE; /* bypass the authentication of the user--trust the client completely */
else if (munge_on)
{
/* If munge_on is true we will validate the connection now */
if (request->rq_type == PBS_BATCH_AltAuthenUser)
{
rc = req_altauthenuser(request);
free_request = FALSE;
goto process_request_cleanup;
}
else
{
rc = authenticate_user(request, &conn_credent[sfds], &auth_err);
}
}
else if (conn_authen != PBS_NET_CONN_AUTHENTICATED)
/* skip checking user if we did not get an authenticated credential */
rc = PBSE_BADCRED;
else
rc = authenticate_user(request, &conn_credent[sfds], &auth_err);
if (rc != 0)
{
req_reject(rc, 0, request, NULL, auth_err);
if (auth_err != NULL)
free(auth_err);
free_request = FALSE;
goto process_request_cleanup;
}
/*
* pbs_mom and checkpoint restart scripts both need the authority to do
* alters and releases on checkpointable jobs. Allow manager permission
* for root on the jobs execution node.
*/
if (((request->rq_type == PBS_BATCH_ModifyJob) ||
(request->rq_type == PBS_BATCH_ReleaseJob)) &&
(strcmp(request->rq_user, PBS_DEFAULT_ADMIN) == 0))
{
job *pjob;
char *dptr;
int skip = FALSE;
char short_host[PBS_MAXHOSTNAME+1];
/* make short host name */
strcpy(short_host, request->rq_host);
if ((dptr = strchr(short_host, '.')) != NULL)
{
*dptr = '\0';
}
if ((pjob = svr_find_job(request->rq_ind.rq_modify.rq_objname, FALSE)) != (job *)0)
{
if (pjob->ji_qs.ji_state == JOB_STATE_RUNNING)
{
if ((pjob->ji_wattr[JOB_ATR_checkpoint].at_flags & ATR_VFLAG_SET) &&
((csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "s") != NULL) ||
(csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "c") != NULL) ||
(csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "enabled") != NULL)) &&
(strstr(pjob->ji_wattr[JOB_ATR_exec_host].at_val.at_str, short_host) != NULL))
{
request->rq_perm = svr_get_privilege(request->rq_user, server_host);
skip = TRUE;
}
}
unlock_ji_mutex(pjob, __func__, "1", LOGLEVEL);
}
if (!skip)
{
request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
}
}
else
{
request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
}
} /* END else (conn_authen == PBS_NET_CONN_FROM_PRIVIL) */
/* if server shutting down, disallow new jobs and new running */
get_svr_attr_l(SRV_ATR_State, &state);
if (state > SV_STATE_RUN)
{
switch (request->rq_type)
{
case PBS_BATCH_AsyrunJob:
case PBS_BATCH_JobCred:
case PBS_BATCH_MoveJob:
case PBS_BATCH_QueueJob:
case PBS_BATCH_RunJob:
case PBS_BATCH_StageIn:
case PBS_BATCH_jobscript:
req_reject(PBSE_SVRDOWN, 0, request, NULL, NULL);
rc = PBSE_SVRDOWN;
free_request = FALSE;
goto process_request_cleanup;
/*NOTREACHED*/
break;
}
}
/*
* dispatch the request to the correct processing function.
* The processing function must call reply_send() to free
* the request struture.
*/
rc = dispatch_request(sfds, request);
return(rc);
process_request_cleanup:
if (free_request == TRUE)
free_br(request);
return(rc);
} /* END process_request() */
