int
authenticate_user(struct batch_request *preq, struct connection *pcred)
{
char uath[PBS_MAXUSER + PBS_MAXHOSTNAME + 1];
#if defined(PBS_SECURITY) && ((PBS_SECURITY == KAUTH ) || (PBS_SECURITY == KCRYPT ) )
strcpy(pcred->cn_username, preq->rq_user);
strcpy(pcred->cn_hostname, preq->rq_host);
#endif
if (strncmp(preq->rq_user, pcred->cn_username, PBS_MAXUSER))
return (PBSE_BADCRED);
if (strncasecmp(preq->rq_host, pcred->cn_hostname, PBS_MAXHOSTNAME))
return (PBSE_BADCRED);
if (pcred->cn_timestamp) {
if ((pcred->cn_timestamp - CREDENTIAL_TIME_DELTA > time_now) ||
(pcred->cn_timestamp + CREDENTIAL_LIFETIME < time_now))
return (PBSE_EXPIRED);
}
/* If Server's Acl_User enabled, check if user in list */
if (server.sv_attr[SRV_ATR_AclUserEnabled].at_val.at_long) {
(void)strcpy(uath, preq->rq_user);
(void)strcat(uath, "@");
(void)strcat(uath, preq->rq_host);
if (acl_check(&server.sv_attr[SRV_ATR_AclUsers],
uath, ACL_User) == 0) {
/* not in list, next check if listed as a manager */
if ((svr_get_privilege(preq->rq_user, preq->rq_host) &
(ATR_DFLAG_MGWR | ATR_DFLAG_OPWR)) == 0)
return (PBSE_PERM);
}
}
/* A site stub for additional checking */
return (site_allow_u(preq->rq_user, preq->rq_host));
}
void
process_request(int sfds)
{
int rc;
struct batch_request *request;
conn_t *conn;
time_now = time(NULL);
conn = get_conn(sfds);
if (!conn) {
log_event(PBSEVENT_SYSTEM, PBS_EVENTCLASS_REQUEST, LOG_ERR,
"process_request", "did not find socket in connection table");
#ifdef WIN32
(void)closesocket(sfds);
#else
(void)close(sfds);
#endif
return;
}
if ((request = alloc_br(0)) == NULL) {
log_event(PBSEVENT_SYSTEM, PBS_EVENTCLASS_REQUEST, LOG_ERR,
"process_request", "Unable to allocate request structure");
close_conn(sfds);
return;
}
request->rq_conn = sfds;
/*
* Read in the request and decode it to the internal request structure.
*/
if (get_connecthost(sfds, request->rq_host, PBS_MAXHOSTNAME)) {
(void)sprintf(log_buffer, "%s: %lu", msg_reqbadhost,
get_connectaddr(sfds));
log_event(PBSEVENT_DEBUG, PBS_EVENTCLASS_REQUEST, LOG_DEBUG,
"", log_buffer);
req_reject(PBSE_BADHOST, 0, request);
return;
}
#ifndef PBS_MOM
if (conn->cn_active == FromClientDIS) {
rc = dis_request_read(sfds, request);
} else {
log_event(PBSEVENT_SYSTEM, PBS_EVENTCLASS_REQUEST, LOG_ERR,
"process_req", "request on invalid type of connection");
close_conn(sfds);
free_br(request);
return;
}
#else /* PBS_MOM */
rc = dis_request_read(sfds, request);
#endif /* PBS_MOM */
if (rc == -1) { /* End of file */
close_client(sfds);
free_br(request);
return;
} else if ((rc == PBSE_SYSTEM) || (rc == PBSE_INTERNAL)) {
/* read error, likely cannot send reply so just disconnect */
/* ??? not sure about this ??? */
close_client(sfds);
free_br(request);
return;
} else if (rc > 0) {
/*
* request didn't decode, either garbage or unknown
* request type, in ether case, return reject-reply
*/
req_reject(rc, 0, request);
close_client(sfds);
return;
}
#ifndef PBS_MOM
/* If the request is coming on the socket we opened to the */
/* scheduler, change the "user" from "root" to "Scheduler" */
if (find_sched_from_sock(request->rq_conn) != NULL) {
strncpy(request->rq_user, PBS_SCHED_DAEMON_NAME, PBS_MAXUSER);
request->rq_user[PBS_MAXUSER] = '\0';
}
#endif /* PBS_MOM */
(void)sprintf(log_buffer, msg_request, request->rq_type,
request->rq_user, request->rq_host, sfds);
log_event(PBSEVENT_DEBUG2, PBS_EVENTCLASS_REQUEST, LOG_DEBUG,
"", log_buffer);
/* is the request from a host acceptable to the server */
if (request->rq_type == PBS_BATCH_AuthExternal) {
rc = authenticate_external(conn, request);
if (rc == 0)
reply_ack(request);
else if (rc == -2)
req_reject(PBSE_NOSUP, 0, request);
else
req_reject(PBSE_BADCRED, 0, request);
return;
}
#ifndef PBS_MOM
if (server.sv_attr[(int)SRV_ATR_acl_host_enable].at_val.at_long) {
/* acl enabled, check it; always allow myself */
struct pbsnode *isanode = NULL;
if ((server.sv_attr[SRV_ATR_acl_host_moms_enable].at_flags & ATR_VFLAG_SET) &&
(server.sv_attr[(int)SRV_ATR_acl_host_moms_enable].at_val.at_long == 1)) {
isanode = find_nodebyaddr(get_connectaddr(sfds));
if ((isanode != NULL) && (isanode->nd_state & INUSE_DELETED))
isanode = NULL;
}
if (isanode == NULL) {
if ((acl_check(&server.sv_attr[(int)SRV_ATR_acl_hosts],
request->rq_host, ACL_Host) == 0) &&
(strcasecmp(server_host, request->rq_host) != 0)) {
req_reject(PBSE_BADHOST, 0, request);
close_client(sfds);
return;
}
}
}
/*
* determine source (user client or another server) of request.
* set the permissions granted to the client
*/
if (conn->cn_authen & PBS_NET_CONN_FROM_PRIVIL) {
/* request came from another server */
request->rq_fromsvr = 1;
request->rq_perm = ATR_DFLAG_USRD | ATR_DFLAG_USWR |
ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
ATR_DFLAG_SvWR;
} else {
/* request not from another server */
request->rq_fromsvr = 0;
/*
* Client must be authenticated by a Authenticate User Request,
* if not, reject request and close connection.
* -- The following is retained for compat with old cmds --
* The exception to this is of course the Connect Request which
* cannot have been authenticated, because it contains the
* needed ticket; so trap it here. Of course, there is no
* prior authentication on the Authenticate User request either,
* but it comes over a reserved port and appears from another
* server, hence is automatically granted authorization.
*/
if (request->rq_type == PBS_BATCH_Connect) {
req_connect(request);
return;
}
if ((conn->cn_authen & PBS_NET_CONN_AUTHENTICATED) ==0) {
rc = PBSE_BADCRED;
} else {
rc = authenticate_user(request, conn);
}
if (rc != 0) {
req_reject(rc, 0, request);
if (rc == PBSE_BADCRED)
close_client(sfds);
return;
}
request->rq_perm =
svr_get_privilege(request->rq_user, request->rq_host);
}
/* if server shutting down, disallow new jobs and new running */
if (server.sv_attr[(int)SRV_ATR_State].at_val.at_long > SV_STATE_RUN) {
switch (request->rq_type) {
case PBS_BATCH_AsyrunJob:
case PBS_BATCH_JobCred:
case PBS_BATCH_UserCred:
case PBS_BATCH_UserMigrate:
case PBS_BATCH_MoveJob:
case PBS_BATCH_QueueJob:
case PBS_BATCH_RunJob:
case PBS_BATCH_StageIn:
case PBS_BATCH_jobscript:
req_reject(PBSE_SVRDOWN, 0, request);
return;
}
}
#else /* THIS CODE FOR MOM ONLY */
/* check connecting host against allowed list of ok clients */
if (!addrfind(conn->cn_addr)) {
req_reject(PBSE_BADHOST, 0, request);
close_client(sfds);
return;
}
request->rq_fromsvr = 1;
request->rq_perm = ATR_DFLAG_USRD | ATR_DFLAG_USWR |
ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
ATR_DFLAG_SvWR | ATR_DFLAG_MOM;
#endif
/*
* dispatch the request to the correct processing function.
* The processing function must call reply_send() to free
* the request struture.
*/
dispatch_request(sfds, request);
return;
}
int set_jobexid(
job *pjob, /* I */
pbs_attribute *attrry, /* I */
char *EMsg) /* O (optional,minsize=1024) */
{
int addflags = 0;
pbs_attribute *pattr;
char **pmem;
struct group *gpent;
int free_puser = FALSE;
char *puser = NULL;
char *at;
char *usr_at_host = NULL;
int len;
struct passwd *pwent = NULL;
char *pgrpn;
int free_pgrpn = TRUE;
char gname[PBS_MAXGRPN + 1];
#ifdef _CRAY
struct udb *pudb;
#endif
char tmpLine[1024 + 1];
char log_buf[LOCAL_LOG_BUF_SIZE];
long disable_id_check = 0;
int CheckID; /* boolean */
if (EMsg != NULL)
EMsg[0] = '\0';
/* use the passed User_List if set, may be a newly modified one */
/* if not set, fall back to the job's actual User_List, may be same */
if (get_svr_attr_l(SRV_ATR_DisableServerIdCheck, &disable_id_check) != PBSE_NONE)
CheckID = 1;
else
CheckID = !disable_id_check;
if (CheckID == 0)
{
/* NOTE: use owner, not userlist - should this be changed? */
/* Yes, changed 10/17/2007 */
if (pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str != NULL)
{
/* start of change to use userlist instead of owner 10/17/2007 */
if ((attrry + JOB_ATR_userlst)->at_flags & ATR_VFLAG_SET)
pattr = attrry + JOB_ATR_userlst;
else
pattr = &pjob->ji_wattr[JOB_ATR_userlst];
if (pjob->ji_wattr[JOB_ATR_proxy_user].at_flags & ATR_VFLAG_SET)
{
puser = pjob->ji_wattr[JOB_ATR_proxy_user].at_val.at_str;
/* set the job's owner as the new user, appending @host if
* the job's owner has that */
at = strchr(pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str,'@');
len = strlen(puser) + 1;
if (at != NULL)
{
len += strlen(at);
usr_at_host = (char *)calloc(len, sizeof(char));
snprintf(usr_at_host,len,"%s%s",
puser,
at);
}
else
{
usr_at_host = (char *)calloc(len, sizeof(char));
snprintf(usr_at_host,len,"%s",
puser);
}
free(pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str);
pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str = usr_at_host;
}
else if ((puser = geteusernam(pjob, pattr)) == NULL)
{
if (EMsg != NULL)
snprintf(EMsg, 1024, "cannot locate user name in job");
return(PBSE_BADUSER);
}
free_puser = TRUE;
sprintf(tmpLine, "%s", puser);
/* end of change to use userlist instead of owner 10/17/2007 */
}
else
{
strcpy(tmpLine, "???");
}
} /* END if (CheckID == 0) */
else
{
int perm;
if ((attrry + JOB_ATR_userlst)->at_flags & ATR_VFLAG_SET)
pattr = attrry + JOB_ATR_userlst;
else
pattr = &pjob->ji_wattr[JOB_ATR_userlst];
free_puser = TRUE;
if ((puser = geteusernam(pjob, pattr)) == NULL)
{
if (EMsg != NULL)
snprintf(EMsg, 1024, "cannot locate user name in job");
return(PBSE_BADUSER);
}
pwent = getpwnam_ext(puser);
perm = svr_get_privilege(puser,get_variable(pjob,(char *)"PBS_O_HOST"));
if (pwent == NULL)
{
snprintf(log_buf,sizeof(log_buf),
"User %s does not exist in server password file\n",
puser);
log_err(errno, __func__, log_buf);
if (EMsg != NULL)
snprintf(EMsg,1024,"%s",log_buf);
free(puser);
return(PBSE_BADUSER);
}
if ((pwent->pw_uid == 0) ||
(perm & ATR_DFLAG_MGWR))
{
struct array_strings *pas = NULL;
get_svr_attr_arst(SRV_ATR_AclRoot, &pas);
/* add check here for virtual user */
if (pjob->ji_wattr[JOB_ATR_proxy_user].at_flags & ATR_VFLAG_SET)
{
free(puser);
free_puser = FALSE;
puser = pjob->ji_wattr[JOB_ATR_proxy_user].at_val.at_str;
pwent = getpwnam_ext(puser);
if (pwent == NULL)
{
snprintf(log_buf,sizeof(log_buf),
"User %s does not exist in server password file\n",
puser);
log_err(errno, __func__, log_buf);
if (EMsg != NULL)
snprintf(EMsg,1024,"%s",log_buf);
return(PBSE_BADUSER);
}
/* set the job's owner as the new user */
at = strchr(pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str,'@');
len = strlen(puser) + 1;
if (at != NULL)
{
len += strlen(at);
usr_at_host = (char *)calloc(len, sizeof(char));
snprintf(usr_at_host,len,"%s%s",
puser,
at);
}
else
{
usr_at_host = (char *)calloc(len, sizeof(char));
snprintf(usr_at_host,len,"%s",
puser);
}
free(pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str);
pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str = usr_at_host;
}
else if (get_svr_attr_arst(SRV_ATR_AclRoot, &pas) == PBSE_NONE)
{
if (acl_check_my_array_string(pas, pjob->ji_wattr[JOB_ATR_job_owner].at_val.at_str, ACL_User) == 0)
{
if (EMsg != NULL)
snprintf(EMsg, 1024, "root user %s fails ACL check",
puser);
if (free_puser == TRUE)
free(puser);
return(PBSE_BADUSER); /* root not allowed */
}
}
else if (pwent->pw_uid == 0)
{
if (EMsg != NULL)
snprintf(EMsg, 1024, "root user %s not allowed",
puser);
if (free_puser == TRUE)
free(puser);
return(PBSE_BADUSER); /* root not allowed */
}
} /* END if (pwent->pw_uid == 0) */
else if (pjob->ji_wattr[JOB_ATR_proxy_user].at_flags & ATR_VFLAG_SET)
{
/* cannot submit a proxy job if not root or a manager */
if (EMsg != NULL)
{
snprintf(EMsg, 1024,
"User '%s' is attempting to submit a proxy job for user '%s' but is not a manager",
puser,
pjob->ji_wattr[JOB_ATR_proxy_user].at_val.at_str);
}
snprintf(log_buf, 1024,
"User '%s' is attempting to submit a proxy job for user '%s' but is not a manager",
puser,
pjob->ji_wattr[JOB_ATR_proxy_user].at_val.at_str);
log_err(PBSE_BADUSER, __func__, log_buf);
if (free_puser == TRUE)
free(puser);
return(PBSE_BADUSER);
}
if (site_check_user_map(pjob, puser, EMsg, LOGLEVEL) == -1)
{
if (free_puser == TRUE)
free(puser);
return(PBSE_BADUSER);
}
snprintf(tmpLine, sizeof(tmpLine), "%s", puser);
} /* END else (CheckID == 0) */
pattr = attrry + JOB_ATR_euser;
job_attr_def[JOB_ATR_euser].at_free(pattr);
job_attr_def[JOB_ATR_euser].at_decode(pattr, NULL, NULL, tmpLine, 0);
#ifdef _CRAY
/* on cray check UDB (user data base) for permission to batch it */
if ((pwent != NULL) && (puser != NULL))
{
pudb = getudbuid(pwent->pw_uid);
endudb();
if (pudb == UDB_NULL)
{
if (EMsg != NULL)
snprintf(EMsg, 1024, "user %s not located in user data base",
puser);
if (free_puser == TRUE)
free(puser);
return(PBSE_BADUSER);
}
if (pudb->ue_permbits & (PERMBITS_NOBATCH | PERMBITS_RESTRICTED))
{
if (free_puser == TRUE)
free(puser);
return(PBSE_QACESS);
}
/* if account (qsub -A) not specified, set default from UDB */
pattr = attrry + JOB_ATR_account;
if ((pattr->at_flags & ATR_VFLAG_SET) == 0)
{
job_attr_def[JOB_ATR_account].at_decode(
pattr,
NULL,
NULL,
(char *)acid2nam(pudb->ue_acids[0]));
}
} /* END if ((pwent != NULL) && (puser != NULL)) */
#endif /* _CRAY */
/*
* now figure out the group name under which the job should execute
* PBS requires that each group have an entry in the group file,
* see the admin guide for the reason why...
*
* use the passed group_list if set, may be a newly modified one
* if not set, fall back to the job's actual group_list, may be same
*/
if ((attrry + JOB_ATR_grouplst)->at_flags & ATR_VFLAG_SET)
pattr = attrry + JOB_ATR_grouplst;
else
pattr = &pjob->ji_wattr[JOB_ATR_grouplst];
/* extract user-specified egroup if it exists */
pgrpn = getegroup(pjob, pattr);
if (pgrpn == NULL)
{
free_pgrpn = FALSE;
if ((pwent != NULL) || ((pwent = getpwnam_ext(puser)) != NULL))
{
/* egroup not specified - use user login group */
gpent = getgrgid(pwent->pw_gid);
if (gpent != NULL)
{
pgrpn = gpent->gr_name; /* use group name */
}
else
{
sprintf(gname, "%ld",
(long)pwent->pw_gid);
pgrpn = gname; /* turn gid into string */
}
}
else if (CheckID == 0)
{
strcpy(gname, "???");
pgrpn = gname;
}
else
{
log_err(errno, __func__, (char *)"getpwnam failed");
if (EMsg != NULL)
snprintf(EMsg, 1024, "user does not exist in server password file");
if (free_puser == TRUE)
free(puser);
return(PBSE_BADUSER);
}
/*
* setting the DEFAULT flag is a "kludgy" way to keep MOM from
* having to do an unneeded look up of the group file.
* We needed to have JOB_ATR_egroup set for the server but
* MOM only wants it if it is not the login group, so there!
*/
addflags = ATR_VFLAG_DEFLT;
} /* END if ((pgrpn = getegroup(pjob,pattr))) */
else if (CheckID == 0)
{
/* egroup specified - do not validate group within server */
/* NO-OP */
}
else
{
/* user specified a group, group must exist and either */
/* must be user's primary group or the user must be in it */
gpent = getgrnam_ext(pgrpn);
if (gpent == NULL)
{
if (CheckID == 0)
{
strcpy(gname, "???");
pgrpn = gname;
}
else
if (EMsg != NULL)
snprintf(EMsg, 1024, "cannot locate group %s in server group file",
pgrpn);
if (free_puser == TRUE)
free(puser);
free(pgrpn);
return(PBSE_BADGRP); /* no such group */
}
if (gpent->gr_gid != pwent->pw_gid)
{
/* not primary group */
pmem = gpent->gr_mem;
while (*pmem != NULL)
{
if (!strcmp(puser, *pmem))
break;
++pmem;
}
if (*pmem == NULL)
{
/* requested group not allowed */
snprintf(log_buf,sizeof(log_buf),
"user %s is not a member of group %s in server password file",
puser,
pgrpn);
log_err(-1, __func__, log_buf);
if (EMsg != NULL)
snprintf(EMsg, 1024, "%s",log_buf);
if (free_puser == TRUE)
free(puser);
free(pgrpn);
return(PBSE_BADGRP); /* user not in group */
}
}
} /* END if ((pgrpn = getegroup(pjob,pattr))) */
/* set new group */
pattr = attrry + JOB_ATR_egroup;
job_attr_def[JOB_ATR_egroup].at_free(pattr);
job_attr_def[JOB_ATR_egroup].at_decode(pattr, NULL, NULL, pgrpn, 0);
pattr->at_flags |= addflags;
/* SUCCESS */
if (free_puser == TRUE)
free(puser);
if (free_pgrpn == TRUE)
free(pgrpn);
return(0);
} /* END set_jobexid() */
int svr_get_privilege(
char *user, /* I */
char *host) /* I */
{
int is_root = 0;
int priv = (ATR_DFLAG_USRD | ATR_DFLAG_USWR);
int num_host_chars;
char uh[PBS_MAXUSER + PBS_MAXHOSTNAME + 2];
char host_no_port[PBS_MAXHOSTNAME+1];
char *colon_loc = NULL;
char log_buf[LOCAL_LOG_BUF_SIZE];
char *other_host;
int other_priv = 0;
int my_err;
pbs_net_t server_addr;
pbs_net_t connect_addr;
#ifndef __CYGWIN__
pbs_net_t local_server_addr;
#endif
if (!user)
{
sprintf(log_buf, "Invalid user: %s", "null");
log_record(PBSEVENT_SECURITY, PBS_EVENTCLASS_SERVER, __func__, log_buf);
return(0);
}
/* user name cannot be longer than PBS_MAXUSER*/
if (strlen(user) > PBS_MAXUSER)
{
sprintf(log_buf, "Invalid user: %s", user);
log_record(PBSEVENT_SECURITY, PBS_EVENTCLASS_SERVER, __func__, log_buf);
return(0);
}
if (!host)
return(0);
colon_loc = strchr(host, ':');
/* if the request host has port information in it, we want to strip it out */
if (colon_loc == NULL)
{
/* no colon found */
num_host_chars = strlen(host);
sprintf(host_no_port, "%s", host);
}
else
{
num_host_chars = colon_loc - host;
/* actually remove the colon for host_no_port */
*colon_loc = '\0';
sprintf(host_no_port,"%s",host);
*colon_loc = ':';
}
/* num_host_chars cannot be more than PBS_MAXHOSTNAME */
if (num_host_chars > PBS_MAXHOSTNAME)
{
snprintf(log_buf, sizeof(log_buf), "Invalid host: %s", host);
log_record(PBSEVENT_SECURITY, PBS_EVENTCLASS_SERVER, __func__, log_buf);
return(0);
}
sprintf(uh, "%s@%s", user, host);
server_addr = get_hostaddr(&my_err, server_host);
connect_addr = get_hostaddr(&my_err, host_no_port);
#ifdef __CYGWIN__
if ((IamAdminByName(user)) &&
(server_addr == connect_addr))
{
return(priv | ATR_DFLAG_MGRD | ATR_DFLAG_MGWR | ATR_DFLAG_OPRD | ATR_DFLAG_OPWR);
}
#else /* __CYGWIN__ */
local_server_addr = get_hostaddr(&my_err, server_localhost);
if ((strcmp(user, PBS_DEFAULT_ADMIN) == 0) &&
((connect_addr == server_addr) ||
(connect_addr == local_server_addr)))
{
is_root = 1;
#ifdef PBS_ROOT_ALWAYS_ADMIN
if (is_root)
{
/* This statement allows us to compile with gcc-warnings */
/* if PBS_ROOT_ALWAYS_ADMIN is true is_root is assigned but never used */
;
}
return(priv | ATR_DFLAG_MGRD | ATR_DFLAG_MGWR | ATR_DFLAG_OPRD | ATR_DFLAG_OPWR);
#endif
}
#endif /* __CYGWIN__ */
pthread_mutex_lock(server.sv_attr_mutex);
if (!(server.sv_attr[SRV_ATR_managers].at_flags & ATR_VFLAG_SET))
{
#ifndef PBS_ROOT_ALWAYS_ADMIN
if (is_root)
priv |= (ATR_DFLAG_MGRD | ATR_DFLAG_MGWR);
#endif
}
else if (acl_check(&server.sv_attr[SRV_ATR_managers], uh, ACL_User))
{
priv |= (ATR_DFLAG_MGRD | ATR_DFLAG_MGWR);
}
if (!(server.sv_attr[SRV_ATR_operators].at_flags & ATR_VFLAG_SET))
{
#ifndef PBS_ROOT_ALWAYS_ADMIN
if (is_root)
priv |= (ATR_DFLAG_OPRD | ATR_DFLAG_OPWR);
#endif
}
else if (acl_check(&server.sv_attr[SRV_ATR_operators], uh, ACL_User))
{
priv |= (ATR_DFLAG_OPRD | ATR_DFLAG_OPWR);
}
pthread_mutex_unlock(server.sv_attr_mutex);
/* resolve using the other hostname (if available) and give the higher privilege */
other_host = get_cached_fullhostname(host, NULL);
if ((other_host != NULL) &&
(strcmp(host, other_host)))
other_priv = svr_get_privilege(user, other_host);
if (other_priv > priv)
priv = other_priv;
return(priv);
} /* END svr_get_privilege() */
int process_request(
struct tcp_chan *chan) /* file descriptor (socket) to get request */
{
int rc = PBSE_NONE;
struct batch_request *request = NULL;
char log_buf[LOCAL_LOG_BUF_SIZE];
long acl_enable = FALSE;
long state = SV_STATE_DOWN;
time_t time_now = time(NULL);
int free_request = TRUE;
char tmpLine[MAXLINE];
char *auth_err = NULL;
enum conn_type conn_active;
unsigned short conn_socktype;
unsigned short conn_authen;
unsigned long conn_addr;
int sfds = chan->sock;
pthread_mutex_lock(svr_conn[sfds].cn_mutex);
conn_active = svr_conn[sfds].cn_active;
conn_socktype = svr_conn[sfds].cn_socktype;
conn_authen = svr_conn[sfds].cn_authen;
conn_addr = svr_conn[sfds].cn_addr;
svr_conn[sfds].cn_lasttime = time_now;
pthread_mutex_unlock(svr_conn[sfds].cn_mutex);
if ((request = alloc_br(0)) == NULL)
{
snprintf(tmpLine, sizeof(tmpLine),
"cannot allocate memory for request from %lu",
conn_addr);
req_reject(PBSE_MEM_MALLOC, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_SYSTEM;
goto process_request_cleanup;
}
request->rq_conn = sfds;
/*
* Read in the request and decode it to the internal request structure.
*/
if (conn_active == FromClientDIS || conn_active == ToServerDIS)
{
#ifdef ENABLE_UNIX_SOCKETS
if ((conn_socktype & PBS_SOCK_UNIX) &&
(conn_authen != PBS_NET_CONN_AUTHENTICATED))
{
/* get_creds interestingly always returns 0 */
get_creds(sfds, conn_credent[sfds].username, conn_credent[sfds].hostname);
}
#endif /* END ENABLE_UNIX_SOCKETS */
rc = dis_request_read(chan, request);
}
else
{
char out[80];
snprintf(tmpLine, MAXLINE, "request on invalid type of connection: %d, sock type: %d, from address %s",
conn_active,conn_socktype, netaddr_long(conn_addr, out));
log_event(PBSEVENT_SYSTEM, PBS_EVENTCLASS_REQUEST,
"process_req", tmpLine);
snprintf(tmpLine, sizeof(tmpLine),
"request on invalid type of connection (%d) from %s",
conn_active,
netaddr_long(conn_addr, out));
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_BADHOST;
goto process_request_cleanup;
}
if (rc == -1)
{
/* FAILURE */
/* premature end of file */
rc = PBSE_PREMATURE_EOF;
goto process_request_cleanup;
}
if ((rc == PBSE_SYSTEM) || (rc == PBSE_INTERNAL) || (rc == PBSE_SOCKET_CLOSE))
{
/* FAILURE */
/* read error, likely cannot send reply so just disconnect */
/* ??? not sure about this ??? */
goto process_request_cleanup;
}
if (rc > 0)
{
/* FAILURE */
/*
* request didn't decode, either garbage or unknown
* request type, in either case, return reject-reply
*/
req_reject(rc, 0, request, NULL, "cannot decode message");
free_request = FALSE;
goto process_request_cleanup;
}
if (get_connecthost(sfds, request->rq_host, PBS_MAXHOSTNAME) != 0)
{
sprintf(log_buf, "%s: %lu",
pbse_to_txt(PBSE_BADHOST),
conn_addr);
log_event(PBSEVENT_DEBUG, PBS_EVENTCLASS_REQUEST, "", log_buf);
snprintf(tmpLine, sizeof(tmpLine),
"cannot determine hostname for connection from %lu",
conn_addr);
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_BADHOST;
goto process_request_cleanup;
}
if (LOGLEVEL >= 1)
{
sprintf(log_buf,
msg_request,
reqtype_to_txt(request->rq_type),
request->rq_user,
request->rq_host,
sfds);
log_event(PBSEVENT_DEBUG2, PBS_EVENTCLASS_REQUEST, "", log_buf);
}
/* is the request from a host acceptable to the server */
if (conn_socktype & PBS_SOCK_UNIX)
{
strcpy(request->rq_host, server_name);
}
get_svr_attr_l(SRV_ATR_acl_host_enable, &acl_enable);
if (acl_enable)
{
/* acl enabled, check it; always allow myself and nodes */
struct array_strings *pas = NULL;
struct pbsnode *isanode;
get_svr_attr_arst(SRV_ATR_acl_hosts, &pas);
isanode = PGetNodeFromAddr(conn_addr);
if ((isanode == NULL) &&
(strcmp(server_host, request->rq_host) != 0) &&
(acl_check_my_array_string(pas, request->rq_host, ACL_Host) == 0))
{
char tmpLine[MAXLINE];
snprintf(tmpLine, sizeof(tmpLine), "request not authorized from host %s",
request->rq_host);
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_BADHOST;
goto process_request_cleanup;
}
if (isanode != NULL)
unlock_node(isanode, "process_request", NULL, LOGLEVEL);
}
/*
* determine source (user client or another server) of request.
* set the permissions granted to the client
*/
if (conn_authen == PBS_NET_CONN_FROM_PRIVIL)
{
/* request came from another server */
request->rq_fromsvr = 1;
request->rq_perm =
ATR_DFLAG_USRD | ATR_DFLAG_USWR |
ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
ATR_DFLAG_SvWR;
}
else
{
/* request not from another server */
conn_credent[sfds].timestamp = time_now;
request->rq_fromsvr = 0;
/*
* Client must be authenticated by an Authenticate User Request, if not,
* reject request and close connection. -- The following is retained for
* compat with old cmds -- The exception to this is of course the Connect
* Request which cannot have been authenticated, because it contains the
* needed ticket; so trap it here. Of course, there is no prior
* authentication on the Authenticate User request either, but it comes
* over a reserved port and appears from another server, hence is
* automatically granted authentication.
*
* The above is only true with inet sockets. With unix domain sockets, the
* user creds were read before the first dis_request_read call above.
* We automatically granted authentication because we can trust the socket
* creds. Authorization is still granted in svr_get_privilege below
*/
if (request->rq_type == PBS_BATCH_Connect)
{
req_connect(request);
if (conn_socktype == PBS_SOCK_INET)
{
rc = PBSE_IVALREQ;
req_reject(rc, 0, request, NULL, NULL);
free_request = FALSE;
goto process_request_cleanup;
}
}
if (conn_socktype & PBS_SOCK_UNIX)
{
pthread_mutex_lock(svr_conn[sfds].cn_mutex);
svr_conn[sfds].cn_authen = PBS_NET_CONN_AUTHENTICATED;
pthread_mutex_unlock(svr_conn[sfds].cn_mutex);
}
if (ENABLE_TRUSTED_AUTH == TRUE )
rc = PBSE_NONE; /* bypass the authentication of the user--trust the client completely */
else if (munge_on)
{
/* If munge_on is true we will validate the connection now */
if (request->rq_type == PBS_BATCH_AltAuthenUser)
{
rc = req_altauthenuser(request);
free_request = FALSE;
goto process_request_cleanup;
}
else
{
rc = authenticate_user(request, &conn_credent[sfds], &auth_err);
}
}
else if (conn_authen != PBS_NET_CONN_AUTHENTICATED)
/* skip checking user if we did not get an authenticated credential */
rc = PBSE_BADCRED;
else
rc = authenticate_user(request, &conn_credent[sfds], &auth_err);
if (rc != 0)
{
req_reject(rc, 0, request, NULL, auth_err);
if (auth_err != NULL)
free(auth_err);
free_request = FALSE;
goto process_request_cleanup;
}
/*
* pbs_mom and checkpoint restart scripts both need the authority to do
* alters and releases on checkpointable jobs. Allow manager permission
* for root on the jobs execution node.
*/
if (((request->rq_type == PBS_BATCH_ModifyJob) ||
(request->rq_type == PBS_BATCH_ReleaseJob)) &&
(strcmp(request->rq_user, PBS_DEFAULT_ADMIN) == 0))
{
job *pjob;
char *dptr;
int skip = FALSE;
char short_host[PBS_MAXHOSTNAME+1];
/* make short host name */
strcpy(short_host, request->rq_host);
if ((dptr = strchr(short_host, '.')) != NULL)
{
*dptr = '\0';
}
if ((pjob = svr_find_job(request->rq_ind.rq_modify.rq_objname, FALSE)) != (job *)0)
{
if (pjob->ji_qs.ji_state == JOB_STATE_RUNNING)
{
if ((pjob->ji_wattr[JOB_ATR_checkpoint].at_flags & ATR_VFLAG_SET) &&
((csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "s") != NULL) ||
(csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "c") != NULL) ||
(csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "enabled") != NULL)) &&
(strstr(pjob->ji_wattr[JOB_ATR_exec_host].at_val.at_str, short_host) != NULL))
{
request->rq_perm = svr_get_privilege(request->rq_user, server_host);
skip = TRUE;
}
}
unlock_ji_mutex(pjob, __func__, "1", LOGLEVEL);
}
if (!skip)
{
request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
}
}
else
{
request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
}
} /* END else (conn_authen == PBS_NET_CONN_FROM_PRIVIL) */
/* if server shutting down, disallow new jobs and new running */
get_svr_attr_l(SRV_ATR_State, &state);
if (state > SV_STATE_RUN)
{
switch (request->rq_type)
{
case PBS_BATCH_AsyrunJob:
case PBS_BATCH_JobCred:
case PBS_BATCH_MoveJob:
case PBS_BATCH_QueueJob:
case PBS_BATCH_RunJob:
case PBS_BATCH_StageIn:
case PBS_BATCH_jobscript:
req_reject(PBSE_SVRDOWN, 0, request, NULL, NULL);
rc = PBSE_SVRDOWN;
free_request = FALSE;
goto process_request_cleanup;
/*NOTREACHED*/
break;
}
}
/*
* dispatch the request to the correct processing function.
* The processing function must call reply_send() to free
* the request struture.
*/
rc = dispatch_request(sfds, request);
return(rc);
process_request_cleanup:
if (free_request == TRUE)
free_br(request);
return(rc);
} /* END process_request() */
void process_request(
int sfds) /* file descriptor (socket) to get request */
{
#ifdef PBS_MOM
char *id = "process_request";
#endif
int rc;
struct batch_request *request = NULL;
#ifndef PBS_MOM
char *auth_err = NULL;
#endif
time_now = time(NULL);
request = alloc_br(0);
request->rq_conn = sfds;
/*
* Read in the request and decode it to the internal request structure.
*/
#ifndef PBS_MOM
if (svr_conn[sfds].cn_active == FromClientDIS)
{
#ifdef ENABLE_UNIX_SOCKETS
if ((svr_conn[sfds].cn_socktype & PBS_SOCK_UNIX) &&
(svr_conn[sfds].cn_authen != PBS_NET_CONN_AUTHENTICATED))
{
get_creds(sfds, conn_credent[sfds].username, conn_credent[sfds].hostname);
}
#endif /* END ENABLE_UNIX_SOCKETS */
rc = dis_request_read(sfds, request);
}
else
{
LOG_EVENT(
PBSEVENT_SYSTEM,
PBS_EVENTCLASS_REQUEST,
"process_req",
"request on invalid type of connection");
close_conn(sfds);
free_br(request);
return;
}
#else /* PBS_MOM */
rc = dis_request_read(sfds, request);
#endif /* PBS_MOM */
if (rc == -1)
{
/* FAILURE */
/* premature end of file */
close_client(sfds);
free_br(request);
return;
}
if ((rc == PBSE_SYSTEM) || (rc == PBSE_INTERNAL))
{
/* FAILURE */
/* read error, likely cannot send reply so just disconnect */
/* ??? not sure about this ??? */
close_client(sfds);
free_br(request);
return;
}
if (rc > 0)
{
/* FAILURE */
/*
* request didn't decode, either garbage or unknown
* request type, in either case, return reject-reply
*/
req_reject(rc, 0, request, NULL, "cannot decode message");
close_client(sfds);
return;
}
if (get_connecthost(sfds, request->rq_host, PBS_MAXHOSTNAME) != 0)
{
char tmpLine[1024];
sprintf(log_buffer, "%s: %lu",
pbse_to_txt(PBSE_BADHOST),
get_connectaddr(sfds));
LOG_EVENT(PBSEVENT_DEBUG, PBS_EVENTCLASS_REQUEST, "", log_buffer);
snprintf(tmpLine, sizeof(tmpLine), "cannot determine hostname for connection from %lu",
get_connectaddr(sfds));
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
return;
}
if (LOGLEVEL >= 1)
{
sprintf(
log_buffer,
msg_request,
reqtype_to_txt(request->rq_type),
request->rq_user,
request->rq_host,
sfds);
LOG_EVENT(PBSEVENT_DEBUG2, PBS_EVENTCLASS_REQUEST, "", log_buffer);
}
/* is the request from a host acceptable to the server */
#ifndef PBS_MOM
if (svr_conn[sfds].cn_socktype & PBS_SOCK_UNIX)
{
strcpy(request->rq_host, server_name);
}
if (server.sv_attr[SRV_ATR_acl_host_enable].at_val.at_long)
{
/* acl enabled, check it; always allow myself and nodes */
struct pbsnode *isanode;
isanode = PGetNodeFromAddr(get_connectaddr(sfds));
if ((isanode == NULL) &&
(strcmp(server_host, request->rq_host) != 0) &&
(acl_check(
&server.sv_attr[SRV_ATR_acl_hosts],
request->rq_host,
ACL_Host) == 0))
{
char tmpLine[1024];
snprintf(tmpLine, sizeof(tmpLine), "request not authorized from host %s",
request->rq_host);
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
close_client(sfds);
return;
}
}
/*
* determine source (user client or another server) of request.
* set the permissions granted to the client
*/
if (svr_conn[sfds].cn_authen == PBS_NET_CONN_FROM_PRIVIL)
{
/* request came from another server */
request->rq_fromsvr = 1;
request->rq_perm =
ATR_DFLAG_USRD | ATR_DFLAG_USWR |
ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
ATR_DFLAG_SvWR;
}
else
{
/* request not from another server */
request->rq_fromsvr = 0;
/*
* Client must be authenticated by an Authenticate User Request, if not,
* reject request and close connection. -- The following is retained for
* compat with old cmds -- The exception to this is of course the Connect
* Request which cannot have been authenticated, because it contains the
* needed ticket; so trap it here. Of course, there is no prior
* authentication on the Authenticate User request either, but it comes
* over a reserved port and appears from another server, hence is
* automatically granted authentication.
*
* The above is only true with inet sockets. With unix domain sockets, the
* user creds were read before the first dis_request_read call above.
* We automatically granted authentication because we can trust the socket
* creds. Authorization is still granted in svr_get_privilege below
*/
if (request->rq_type == PBS_BATCH_Connect)
{
req_connect(request);
if (svr_conn[sfds].cn_socktype == PBS_SOCK_INET)
return;
}
if (svr_conn[sfds].cn_socktype & PBS_SOCK_UNIX)
{
conn_credent[sfds].timestamp = time_now;
svr_conn[sfds].cn_authen = PBS_NET_CONN_AUTHENTICATED;
}
if (ENABLE_TRUSTED_AUTH == TRUE )
rc = 0; /* bypass the authentication of the user--trust the client completely */
else if (munge_on)
{
/* If munge_on is true we will validate the connection now */
if ( request->rq_type == PBS_BATCH_AltAuthenUser)
{
rc = req_altauthenuser(request);
if (rc == PBSE_NONE)
{
conn_credent[sfds].timestamp = time_now;
svr_conn[sfds].cn_authen = PBS_NET_CONN_AUTHENTICATED;
}
return;
}
else if (svr_conn[sfds].cn_authen != PBS_NET_CONN_AUTHENTICATED)
/* skip checking user if we did not get an authenticated credential */
rc = PBSE_BADCRED;
else
{
rc = authenticate_user(request, &conn_credent[sfds], &auth_err);
}
}
else if (svr_conn[sfds].cn_authen != PBS_NET_CONN_AUTHENTICATED)
rc = PBSE_BADCRED;
else
rc = authenticate_user(request, &conn_credent[sfds], &auth_err);
if (rc != 0)
{
req_reject(rc, 0, request, NULL, auth_err);
if (auth_err != NULL)
free(auth_err);
close_client(sfds);
return;
}
/*
* pbs_mom and checkpoint restart scripts both need the authority to do
* alters and releases on checkpointable jobs. Allow manager permission
* for root on the jobs execution node.
*/
if (((request->rq_type == PBS_BATCH_ModifyJob) ||
(request->rq_type == PBS_BATCH_ReleaseJob)) &&
(strcmp(request->rq_user, PBS_DEFAULT_ADMIN) == 0))
{
job *pjob;
char *dptr;
int skip = FALSE;
char short_host[PBS_MAXHOSTNAME+1];
/* make short host name */
strcpy(short_host, request->rq_host);
if ((dptr = strchr(short_host, '.')) != NULL)
{
*dptr = '\0';
}
if (((pjob = find_job(request->rq_ind.rq_modify.rq_objname)) != (job *)0) &&
(pjob->ji_qs.ji_state == JOB_STATE_RUNNING))
{
if ((pjob->ji_wattr[JOB_ATR_checkpoint].at_flags & ATR_VFLAG_SET) &&
((csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "s") != NULL) ||
(csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "c") != NULL) ||
(csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "enabled") != NULL)) &&
(strstr(pjob->ji_wattr[JOB_ATR_exec_host].at_val.at_str, short_host) != NULL))
{
request->rq_perm = svr_get_privilege(request->rq_user, server_host);
skip = TRUE;
}
}
if (!skip)
{
request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
}
}
else
{
request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
}
} /* END else (svr_conn[sfds].cn_authen == PBS_NET_CONN_FROM_PRIVIL) */
/* if server shutting down, disallow new jobs and new running */
if (server.sv_attr[SRV_ATR_State].at_val.at_long > SV_STATE_RUN)
{
switch (request->rq_type)
{
case PBS_BATCH_AsyrunJob:
case PBS_BATCH_JobCred:
case PBS_BATCH_MoveJob:
case PBS_BATCH_QueueJob:
case PBS_BATCH_RunJob:
case PBS_BATCH_StageIn:
case PBS_BATCH_jobscript:
req_reject(PBSE_SVRDOWN, 0, request, NULL, NULL);
return;
/*NOTREACHED*/
break;
}
}
#else /* THIS CODE FOR MOM ONLY */
{
/*extern tree *okclients; */
extern void mom_server_update_receive_time_by_ip(u_long ipaddr, const char *cmd);
/* check connecting host against allowed list of ok clients */
if (LOGLEVEL >= 6)
{
sprintf(log_buffer, "request type %s from host %s received",
reqtype_to_txt(request->rq_type),
request->rq_host);
log_record(
PBSEVENT_JOB,
PBS_EVENTCLASS_JOB,
id,
log_buffer);
}
/* if (!tfind(svr_conn[sfds].cn_addr, &okclients)) */
if (!AVL_is_in_tree(svr_conn[sfds].cn_addr, 0, okclients))
{
sprintf(log_buffer, "request type %s from host %s rejected (host not authorized)",
reqtype_to_txt(request->rq_type),
request->rq_host);
log_record(
PBSEVENT_JOB,
PBS_EVENTCLASS_JOB,
id,
log_buffer);
req_reject(PBSE_BADHOST, 0, request, NULL, "request not authorized");
close_client(sfds);
return;
}
if (LOGLEVEL >= 3)
{
sprintf(log_buffer, "request type %s from host %s allowed",
reqtype_to_txt(request->rq_type),
request->rq_host);
log_record(
PBSEVENT_JOB,
PBS_EVENTCLASS_JOB,
id,
log_buffer);
}
mom_server_update_receive_time_by_ip(svr_conn[sfds].cn_addr, reqtype_to_txt(request->rq_type));
} /* END BLOCK */
request->rq_fromsvr = 1;
request->rq_perm =
ATR_DFLAG_USRD | ATR_DFLAG_USWR |
ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
ATR_DFLAG_SvWR | ATR_DFLAG_MOM;
#endif /* END else !PBS_MOM */
/*
* dispatch the request to the correct processing function.
* The processing function must call reply_send() to free
* the request struture.
*/
dispatch_request(sfds, request);
return;
} /* END process_request() */
