END_TEST
START_TEST(PGetNodeFromAddr_test)
{
pbs_net_t address = 0;
struct pbsnode *result;
/* alloc mutex, use, restore */
initialize_allnodes(&allnodes, NULL, NULL);
result = PGetNodeFromAddr(address);
fail_unless(result == NULL, "null address input fail");
}
int process_request(
struct tcp_chan *chan) /* file descriptor (socket) to get request */
{
int rc = PBSE_NONE;
struct batch_request *request = NULL;
char log_buf[LOCAL_LOG_BUF_SIZE];
long acl_enable = FALSE;
long state = SV_STATE_DOWN;
time_t time_now = time(NULL);
int free_request = TRUE;
char tmpLine[MAXLINE];
char *auth_err = NULL;
enum conn_type conn_active;
unsigned short conn_socktype;
unsigned short conn_authen;
unsigned long conn_addr;
int sfds = chan->sock;
pthread_mutex_lock(svr_conn[sfds].cn_mutex);
conn_active = svr_conn[sfds].cn_active;
conn_socktype = svr_conn[sfds].cn_socktype;
conn_authen = svr_conn[sfds].cn_authen;
conn_addr = svr_conn[sfds].cn_addr;
svr_conn[sfds].cn_lasttime = time_now;
pthread_mutex_unlock(svr_conn[sfds].cn_mutex);
if ((request = alloc_br(0)) == NULL)
{
snprintf(tmpLine, sizeof(tmpLine),
"cannot allocate memory for request from %lu",
conn_addr);
req_reject(PBSE_MEM_MALLOC, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_SYSTEM;
goto process_request_cleanup;
}
request->rq_conn = sfds;
/*
* Read in the request and decode it to the internal request structure.
*/
if (conn_active == FromClientDIS || conn_active == ToServerDIS)
{
#ifdef ENABLE_UNIX_SOCKETS
if ((conn_socktype & PBS_SOCK_UNIX) &&
(conn_authen != PBS_NET_CONN_AUTHENTICATED))
{
/* get_creds interestingly always returns 0 */
get_creds(sfds, conn_credent[sfds].username, conn_credent[sfds].hostname);
}
#endif /* END ENABLE_UNIX_SOCKETS */
rc = dis_request_read(chan, request);
}
else
{
char out[80];
snprintf(tmpLine, MAXLINE, "request on invalid type of connection: %d, sock type: %d, from address %s",
conn_active,conn_socktype, netaddr_long(conn_addr, out));
log_event(PBSEVENT_SYSTEM, PBS_EVENTCLASS_REQUEST,
"process_req", tmpLine);
snprintf(tmpLine, sizeof(tmpLine),
"request on invalid type of connection (%d) from %s",
conn_active,
netaddr_long(conn_addr, out));
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_BADHOST;
goto process_request_cleanup;
}
if (rc == -1)
{
/* FAILURE */
/* premature end of file */
rc = PBSE_PREMATURE_EOF;
goto process_request_cleanup;
}
if ((rc == PBSE_SYSTEM) || (rc == PBSE_INTERNAL) || (rc == PBSE_SOCKET_CLOSE))
{
/* FAILURE */
/* read error, likely cannot send reply so just disconnect */
/* ??? not sure about this ??? */
goto process_request_cleanup;
}
if (rc > 0)
{
/* FAILURE */
/*
* request didn't decode, either garbage or unknown
* request type, in either case, return reject-reply
*/
req_reject(rc, 0, request, NULL, "cannot decode message");
free_request = FALSE;
goto process_request_cleanup;
}
if (get_connecthost(sfds, request->rq_host, PBS_MAXHOSTNAME) != 0)
{
sprintf(log_buf, "%s: %lu",
pbse_to_txt(PBSE_BADHOST),
conn_addr);
log_event(PBSEVENT_DEBUG, PBS_EVENTCLASS_REQUEST, "", log_buf);
snprintf(tmpLine, sizeof(tmpLine),
"cannot determine hostname for connection from %lu",
conn_addr);
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_BADHOST;
goto process_request_cleanup;
}
if (LOGLEVEL >= 1)
{
sprintf(log_buf,
msg_request,
reqtype_to_txt(request->rq_type),
request->rq_user,
request->rq_host,
sfds);
log_event(PBSEVENT_DEBUG2, PBS_EVENTCLASS_REQUEST, "", log_buf);
}
/* is the request from a host acceptable to the server */
if (conn_socktype & PBS_SOCK_UNIX)
{
strcpy(request->rq_host, server_name);
}
get_svr_attr_l(SRV_ATR_acl_host_enable, &acl_enable);
if (acl_enable)
{
/* acl enabled, check it; always allow myself and nodes */
struct array_strings *pas = NULL;
struct pbsnode *isanode;
get_svr_attr_arst(SRV_ATR_acl_hosts, &pas);
isanode = PGetNodeFromAddr(conn_addr);
if ((isanode == NULL) &&
(strcmp(server_host, request->rq_host) != 0) &&
(acl_check_my_array_string(pas, request->rq_host, ACL_Host) == 0))
{
char tmpLine[MAXLINE];
snprintf(tmpLine, sizeof(tmpLine), "request not authorized from host %s",
request->rq_host);
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
free_request = FALSE;
rc = PBSE_BADHOST;
goto process_request_cleanup;
}
if (isanode != NULL)
unlock_node(isanode, "process_request", NULL, LOGLEVEL);
}
/*
* determine source (user client or another server) of request.
* set the permissions granted to the client
*/
if (conn_authen == PBS_NET_CONN_FROM_PRIVIL)
{
/* request came from another server */
request->rq_fromsvr = 1;
request->rq_perm =
ATR_DFLAG_USRD | ATR_DFLAG_USWR |
ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
ATR_DFLAG_SvWR;
}
else
{
/* request not from another server */
conn_credent[sfds].timestamp = time_now;
request->rq_fromsvr = 0;
/*
* Client must be authenticated by an Authenticate User Request, if not,
* reject request and close connection. -- The following is retained for
* compat with old cmds -- The exception to this is of course the Connect
* Request which cannot have been authenticated, because it contains the
* needed ticket; so trap it here. Of course, there is no prior
* authentication on the Authenticate User request either, but it comes
* over a reserved port and appears from another server, hence is
* automatically granted authentication.
*
* The above is only true with inet sockets. With unix domain sockets, the
* user creds were read before the first dis_request_read call above.
* We automatically granted authentication because we can trust the socket
* creds. Authorization is still granted in svr_get_privilege below
*/
if (request->rq_type == PBS_BATCH_Connect)
{
req_connect(request);
if (conn_socktype == PBS_SOCK_INET)
{
rc = PBSE_IVALREQ;
req_reject(rc, 0, request, NULL, NULL);
free_request = FALSE;
goto process_request_cleanup;
}
}
if (conn_socktype & PBS_SOCK_UNIX)
{
pthread_mutex_lock(svr_conn[sfds].cn_mutex);
svr_conn[sfds].cn_authen = PBS_NET_CONN_AUTHENTICATED;
pthread_mutex_unlock(svr_conn[sfds].cn_mutex);
}
if (ENABLE_TRUSTED_AUTH == TRUE )
rc = PBSE_NONE; /* bypass the authentication of the user--trust the client completely */
else if (munge_on)
{
/* If munge_on is true we will validate the connection now */
if (request->rq_type == PBS_BATCH_AltAuthenUser)
{
rc = req_altauthenuser(request);
free_request = FALSE;
goto process_request_cleanup;
}
else
{
rc = authenticate_user(request, &conn_credent[sfds], &auth_err);
}
}
else if (conn_authen != PBS_NET_CONN_AUTHENTICATED)
/* skip checking user if we did not get an authenticated credential */
rc = PBSE_BADCRED;
else
rc = authenticate_user(request, &conn_credent[sfds], &auth_err);
if (rc != 0)
{
req_reject(rc, 0, request, NULL, auth_err);
if (auth_err != NULL)
free(auth_err);
free_request = FALSE;
goto process_request_cleanup;
}
/*
* pbs_mom and checkpoint restart scripts both need the authority to do
* alters and releases on checkpointable jobs. Allow manager permission
* for root on the jobs execution node.
*/
if (((request->rq_type == PBS_BATCH_ModifyJob) ||
(request->rq_type == PBS_BATCH_ReleaseJob)) &&
(strcmp(request->rq_user, PBS_DEFAULT_ADMIN) == 0))
{
job *pjob;
char *dptr;
int skip = FALSE;
char short_host[PBS_MAXHOSTNAME+1];
/* make short host name */
strcpy(short_host, request->rq_host);
if ((dptr = strchr(short_host, '.')) != NULL)
{
*dptr = '\0';
}
if ((pjob = svr_find_job(request->rq_ind.rq_modify.rq_objname, FALSE)) != (job *)0)
{
if (pjob->ji_qs.ji_state == JOB_STATE_RUNNING)
{
if ((pjob->ji_wattr[JOB_ATR_checkpoint].at_flags & ATR_VFLAG_SET) &&
((csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "s") != NULL) ||
(csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "c") != NULL) ||
(csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "enabled") != NULL)) &&
(strstr(pjob->ji_wattr[JOB_ATR_exec_host].at_val.at_str, short_host) != NULL))
{
request->rq_perm = svr_get_privilege(request->rq_user, server_host);
skip = TRUE;
}
}
unlock_ji_mutex(pjob, __func__, "1", LOGLEVEL);
}
if (!skip)
{
request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
}
}
else
{
request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
}
} /* END else (conn_authen == PBS_NET_CONN_FROM_PRIVIL) */
/* if server shutting down, disallow new jobs and new running */
get_svr_attr_l(SRV_ATR_State, &state);
if (state > SV_STATE_RUN)
{
switch (request->rq_type)
{
case PBS_BATCH_AsyrunJob:
case PBS_BATCH_JobCred:
case PBS_BATCH_MoveJob:
case PBS_BATCH_QueueJob:
case PBS_BATCH_RunJob:
case PBS_BATCH_StageIn:
case PBS_BATCH_jobscript:
req_reject(PBSE_SVRDOWN, 0, request, NULL, NULL);
rc = PBSE_SVRDOWN;
free_request = FALSE;
goto process_request_cleanup;
/*NOTREACHED*/
break;
}
}
/*
* dispatch the request to the correct processing function.
* The processing function must call reply_send() to free
* the request struture.
*/
rc = dispatch_request(sfds, request);
return(rc);
process_request_cleanup:
if (free_request == TRUE)
free_br(request);
return(rc);
} /* END process_request() */
int send_job(
job *jobp,
pbs_net_t hostaddr, /* host address, host byte order */
int port, /* service port, host byte order */
int move_type, /* move, route, or execute */
void (*post_func)(struct work_task *), /* after move */
void *data) /* ptr to optional batch_request to be put */
/* in the work task structure */
{
tlist_head attrl;
enum conn_type cntype = ToServerDIS;
int con;
char *destin = jobp->ji_qs.ji_destin;
int encode_type;
int i;
int NumRetries;
char *id = "send_job";
attribute *pattr;
pid_t pid;
struct attropl *pqjatr; /* list (single) of attropl for quejob */
char *safail = "sigaction failed\n";
char *spfail = "sigprocmask failed\n";
char script_name[MAXPATHLEN + 1];
sigset_t child_set, all_set;
struct sigaction child_action;
struct work_task *ptask;
mbool_t Timeout = FALSE;
char *pc;
sigemptyset(&child_set);
sigaddset(&child_set, SIGCHLD);
sigfillset(&all_set);
/* block SIGCHLD until work task is established */
if (sigprocmask(SIG_BLOCK, &child_set, NULL) == -1)
{
log_err(errno,id,spfail);
pbs_errno = PBSE_SYSTEM;
log_event(
PBSEVENT_JOB,
PBS_EVENTCLASS_JOB,
jobp->ji_qs.ji_jobid,
"cannot set signal mask");
return(ROUTE_PERM_FAILURE);
}
if (LOGLEVEL >= 6)
{
sprintf(log_buffer,"about to send job - type=%d",
move_type);
log_event(
PBSEVENT_JOB,
PBS_EVENTCLASS_JOB,
jobp->ji_qs.ji_jobid,
"forking in send_job");
}
pid = fork();
if (pid == -1)
{
/* error on fork */
log_err(errno, id, "fork failed\n");
if (sigprocmask(SIG_UNBLOCK, &child_set, NULL) == -1)
log_err(errno, id, spfail);
pbs_errno = PBSE_SYSTEM;
return(ROUTE_PERM_FAILURE);
}
if (pid != 0)
{
/* The parent (main server) */
/* create task to monitor job startup */
/* CRI: need way to report to scheduler job is starting, not started */
ptask = set_task(WORK_Deferred_Child, pid, post_func, jobp);
if (ptask == NULL)
{
log_err(errno, id, msg_err_malloc);
return(ROUTE_PERM_FAILURE);
}
ptask->wt_parm2 = data;
append_link(
&((job *)jobp)->ji_svrtask,
&ptask->wt_linkobj,
ptask);
/* now can unblock SIGCHLD */
if (sigprocmask(SIG_UNBLOCK, &child_set, NULL) == -1)
log_err(errno, id, spfail);
if (LOGLEVEL >= 1)
{
extern long DispatchTime[];
extern job *DispatchJob[];
extern char *DispatchNode[];
extern time_t time_now;
struct pbsnode *NP;
/* record job dispatch time */
int jindex;
for (jindex = 0;jindex < 20;jindex++)
{
if (DispatchJob[jindex] == NULL)
{
DispatchTime[jindex] = time_now;
DispatchJob[jindex] = jobp;
if ((NP = PGetNodeFromAddr(hostaddr)) != NULL)
DispatchNode[jindex] = NP->nd_name;
else
DispatchNode[jindex] = NULL;
break;
}
}
}
/* SUCCESS */
return(ROUTE_DEFERRED);
} /* END if (pid != 0) */
/*
* the child process
*
* set up signal catcher for error return
*/
rpp_terminate();
child_action.sa_handler = net_move_die;
sigfillset(&child_action.sa_mask);
child_action.sa_flags = 0;
if (sigaction(SIGHUP, &child_action, NULL))
log_err(errno, id, safail);
if (sigaction(SIGINT, &child_action, NULL))
log_err(errno, id, safail);
if (sigaction(SIGQUIT, &child_action, NULL))
log_err(errno, id, safail);
/* signal handling is set, now unblock */
if (sigprocmask(SIG_UNBLOCK, &child_set, NULL) == -1)
log_err(errno, id, spfail);
/* encode job attributes to be moved */
CLEAR_HEAD(attrl);
/* select attributes/resources to send based on move type */
if (move_type == MOVE_TYPE_Exec)
{
/* moving job to MOM - ie job start */
resc_access_perm = ATR_DFLAG_MOM;
encode_type = ATR_ENCODE_MOM;
cntype = ToServerDIS;
}
else
{
/* moving job to alternate server? */
resc_access_perm =
ATR_DFLAG_USWR |
ATR_DFLAG_OPWR |
ATR_DFLAG_MGWR |
ATR_DFLAG_SvRD;
encode_type = ATR_ENCODE_SVR;
/* clear default resource settings */
svr_dequejob(jobp);
}
pattr = jobp->ji_wattr;
for (i = 0;i < JOB_ATR_LAST;i++)
{
if (((job_attr_def + i)->at_flags & resc_access_perm) ||
((strncmp((job_attr_def + i)->at_name,"session_id",10) == 0) &&
(jobp->ji_wattr[JOB_ATR_checkpoint_name].at_flags & ATR_VFLAG_SET)))
{
(job_attr_def + i)->at_encode(
pattr + i,
&attrl,
(job_attr_def + i)->at_name,
NULL,
encode_type);
}
} /* END for (i) */
attrl_fixlink(&attrl);
/* put together the job script file name */
strcpy(script_name, path_jobs);
if (jobp->ji_wattr[JOB_ATR_job_array_request].at_flags & ATR_VFLAG_SET)
{
strcat(script_name, jobp->ji_arraystruct->ai_qs.fileprefix);
}
else
{
strcat(script_name, jobp->ji_qs.ji_fileprefix);
}
strcat(script_name, JOB_SCRIPT_SUFFIX);
pbs_errno = 0;
con = -1;
for (NumRetries = 0;NumRetries < RETRY;NumRetries++)
{
int rc;
/* connect to receiving server with retries */
if (NumRetries > 0)
{
/* recycle after an error */
if (con >= 0)
svr_disconnect(con);
/* check pbs_errno from previous attempt */
if (should_retry_route(pbs_errno) == -1)
{
sprintf(log_buffer, "child failed in previous commit request for job %s",
jobp->ji_qs.ji_jobid);
log_err(pbs_errno, id, log_buffer);
exit(1); /* fatal error, don't retry */
}
sleep(1 << NumRetries);
}
/* NOTE: on node hangs, svr_connect is successful */
if ((con = svr_connect(hostaddr, port, 0, cntype)) == PBS_NET_RC_FATAL)
{
sprintf(log_buffer, "send_job failed to %lx port %d",
hostaddr,
port);
log_err(pbs_errno, id, log_buffer);
exit(1);
}
if (con == PBS_NET_RC_RETRY)
{
pbs_errno = 0; /* should retry */
continue;
}
/*
* if the job is substate JOB_SUBSTATE_TRNOUTCM which means
* we are recovering after being down or a late failure, we
* just want to send the "ready-to-commit/commit"
*/
if (jobp->ji_qs.ji_substate != JOB_SUBSTATE_TRNOUTCM)
{
if (jobp->ji_qs.ji_substate != JOB_SUBSTATE_TRNOUT)
{
jobp->ji_qs.ji_substate = JOB_SUBSTATE_TRNOUT;
job_save(jobp, SAVEJOB_QUICK);
}
pqjatr = &((svrattrl *)GET_NEXT(attrl))->al_atopl;
if ((pc = PBSD_queuejob(
con,
jobp->ji_qs.ji_jobid,
destin,
pqjatr,
NULL)) == NULL)
{
if ((pbs_errno == PBSE_EXPIRED) || (pbs_errno == PBSE_READ_REPLY_TIMEOUT))
{
/* queue job timeout based on pbs_tcp_timeout */
Timeout = TRUE;
}
if ((pbs_errno == PBSE_JOBEXIST) && (move_type == MOVE_TYPE_Exec))
{
/* already running, mark it so */
log_event(
PBSEVENT_ERROR,
PBS_EVENTCLASS_JOB,
jobp->ji_qs.ji_jobid,
"MOM reports job already running");
exit(0);
}
sprintf(log_buffer, "send of job to %s failed error = %d",
destin,
pbs_errno);
log_event(
PBSEVENT_JOB,
PBS_EVENTCLASS_JOB,
jobp->ji_qs.ji_jobid,
log_buffer);
continue;
} /* END if ((pc = PBSD_queuejob() == NULL) */
free(pc);
if (jobp->ji_qs.ji_svrflags & JOB_SVFLG_SCRIPT)
{
if (PBSD_jscript(con, script_name, jobp->ji_qs.ji_jobid) != 0)
continue;
}
/* XXX may need to change the logic below, if we are sending the job to
a mom on the same host and the mom and server are not sharing the same
spool directory, then we still need to move the file */
if ((move_type == MOVE_TYPE_Exec) &&
(jobp->ji_qs.ji_svrflags & JOB_SVFLG_HASRUN) &&
(hostaddr != pbs_server_addr))
{
/* send files created on prior run */
if ((move_job_file(con,jobp,StdOut) != 0) ||
(move_job_file(con,jobp,StdErr) != 0) ||
(move_job_file(con,jobp,Checkpoint) != 0))
{
continue;
}
}
/* ignore signals */
if (sigprocmask(SIG_BLOCK, &all_set, NULL) == -1)
log_err(errno, id, "sigprocmask\n");
jobp->ji_qs.ji_substate = JOB_SUBSTATE_TRNOUTCM;
job_save(jobp, SAVEJOB_QUICK);
}
else
{
/* ignore signals */
if (sigprocmask(SIG_BLOCK, &all_set, NULL) == -1)
log_err(errno, id, "sigprocmask\n");
}
if (PBSD_rdytocmt(con, jobp->ji_qs.ji_jobid) != 0)
{
if (sigprocmask(SIG_UNBLOCK, &all_set, NULL) == -1)
log_err(errno, id, "sigprocmask\n");
continue;
}
if ((rc = PBSD_commit(con, jobp->ji_qs.ji_jobid)) != 0)
{
int errno2;
/* NOTE: errno is modified by log_err */
errno2 = errno;
sprintf(log_buffer, "send_job commit failed, rc=%d (%s)",
rc,
(connection[con].ch_errtxt != NULL) ? connection[con].ch_errtxt : "N/A");
log_ext(errno2, id, log_buffer, LOG_WARNING);
/* if failure occurs, pbs_mom should purge job and pbs_server should set *
job state to idle w/error msg */
if (errno2 == EINPROGRESS)
{
/* request is still being processed */
/* increase tcp_timeout in qmgr? */
Timeout = TRUE;
/* do we need a continue here? */
sprintf(log_buffer, "child commit request timed-out for job %s, increase tcp_timeout?",
jobp->ji_qs.ji_jobid);
log_ext(errno2, id, log_buffer, LOG_WARNING);
/* don't retry on timeout--break out and report error! */
break;
}
else
{
sprintf(log_buffer, "child failed in commit request for job %s",
jobp->ji_qs.ji_jobid);
log_ext(errno2, id, log_buffer, LOG_CRIT);
/* FAILURE */
exit(1);
}
} /* END if ((rc = PBSD_commit(con,jobp->ji_qs.ji_jobid)) != 0) */
svr_disconnect(con);
/* child process is done */
/* SUCCESS */
exit(0);
} /* END for (NumRetries) */
if (con >= 0)
svr_disconnect(con);
if (Timeout == TRUE)
{
/* 10 indicates that job migrate timed out, server will mark node down *
and abort the job - see post_sendmom() */
sprintf(log_buffer, "child timed-out attempting to start job %s",
jobp->ji_qs.ji_jobid);
log_ext(pbs_errno, id, log_buffer, LOG_WARNING);
exit(10);
}
if (should_retry_route(pbs_errno) == -1)
{
sprintf(log_buffer, "child failed and will not retry job %s",
jobp->ji_qs.ji_jobid);
log_err(pbs_errno, id, log_buffer);
exit(1);
}
exit(2);
/*NOTREACHED*/
return(ROUTE_SUCCESS);
} /* END send_job() */
void process_request(
int sfds) /* file descriptor (socket) to get request */
{
#ifdef PBS_MOM
char *id = "process_request";
#endif
int rc;
struct batch_request *request = NULL;
#ifndef PBS_MOM
char *auth_err = NULL;
#endif
time_now = time(NULL);
request = alloc_br(0);
request->rq_conn = sfds;
/*
* Read in the request and decode it to the internal request structure.
*/
#ifndef PBS_MOM
if (svr_conn[sfds].cn_active == FromClientDIS)
{
#ifdef ENABLE_UNIX_SOCKETS
if ((svr_conn[sfds].cn_socktype & PBS_SOCK_UNIX) &&
(svr_conn[sfds].cn_authen != PBS_NET_CONN_AUTHENTICATED))
{
get_creds(sfds, conn_credent[sfds].username, conn_credent[sfds].hostname);
}
#endif /* END ENABLE_UNIX_SOCKETS */
rc = dis_request_read(sfds, request);
}
else
{
LOG_EVENT(
PBSEVENT_SYSTEM,
PBS_EVENTCLASS_REQUEST,
"process_req",
"request on invalid type of connection");
close_conn(sfds);
free_br(request);
return;
}
#else /* PBS_MOM */
rc = dis_request_read(sfds, request);
#endif /* PBS_MOM */
if (rc == -1)
{
/* FAILURE */
/* premature end of file */
close_client(sfds);
free_br(request);
return;
}
if ((rc == PBSE_SYSTEM) || (rc == PBSE_INTERNAL))
{
/* FAILURE */
/* read error, likely cannot send reply so just disconnect */
/* ??? not sure about this ??? */
close_client(sfds);
free_br(request);
return;
}
if (rc > 0)
{
/* FAILURE */
/*
* request didn't decode, either garbage or unknown
* request type, in either case, return reject-reply
*/
req_reject(rc, 0, request, NULL, "cannot decode message");
close_client(sfds);
return;
}
if (get_connecthost(sfds, request->rq_host, PBS_MAXHOSTNAME) != 0)
{
char tmpLine[1024];
sprintf(log_buffer, "%s: %lu",
pbse_to_txt(PBSE_BADHOST),
get_connectaddr(sfds));
LOG_EVENT(PBSEVENT_DEBUG, PBS_EVENTCLASS_REQUEST, "", log_buffer);
snprintf(tmpLine, sizeof(tmpLine), "cannot determine hostname for connection from %lu",
get_connectaddr(sfds));
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
return;
}
if (LOGLEVEL >= 1)
{
sprintf(
log_buffer,
msg_request,
reqtype_to_txt(request->rq_type),
request->rq_user,
request->rq_host,
sfds);
LOG_EVENT(PBSEVENT_DEBUG2, PBS_EVENTCLASS_REQUEST, "", log_buffer);
}
/* is the request from a host acceptable to the server */
#ifndef PBS_MOM
if (svr_conn[sfds].cn_socktype & PBS_SOCK_UNIX)
{
strcpy(request->rq_host, server_name);
}
if (server.sv_attr[SRV_ATR_acl_host_enable].at_val.at_long)
{
/* acl enabled, check it; always allow myself and nodes */
struct pbsnode *isanode;
isanode = PGetNodeFromAddr(get_connectaddr(sfds));
if ((isanode == NULL) &&
(strcmp(server_host, request->rq_host) != 0) &&
(acl_check(
&server.sv_attr[SRV_ATR_acl_hosts],
request->rq_host,
ACL_Host) == 0))
{
char tmpLine[1024];
snprintf(tmpLine, sizeof(tmpLine), "request not authorized from host %s",
request->rq_host);
req_reject(PBSE_BADHOST, 0, request, NULL, tmpLine);
close_client(sfds);
return;
}
}
/*
* determine source (user client or another server) of request.
* set the permissions granted to the client
*/
if (svr_conn[sfds].cn_authen == PBS_NET_CONN_FROM_PRIVIL)
{
/* request came from another server */
request->rq_fromsvr = 1;
request->rq_perm =
ATR_DFLAG_USRD | ATR_DFLAG_USWR |
ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
ATR_DFLAG_SvWR;
}
else
{
/* request not from another server */
request->rq_fromsvr = 0;
/*
* Client must be authenticated by an Authenticate User Request, if not,
* reject request and close connection. -- The following is retained for
* compat with old cmds -- The exception to this is of course the Connect
* Request which cannot have been authenticated, because it contains the
* needed ticket; so trap it here. Of course, there is no prior
* authentication on the Authenticate User request either, but it comes
* over a reserved port and appears from another server, hence is
* automatically granted authentication.
*
* The above is only true with inet sockets. With unix domain sockets, the
* user creds were read before the first dis_request_read call above.
* We automatically granted authentication because we can trust the socket
* creds. Authorization is still granted in svr_get_privilege below
*/
if (request->rq_type == PBS_BATCH_Connect)
{
req_connect(request);
if (svr_conn[sfds].cn_socktype == PBS_SOCK_INET)
return;
}
if (svr_conn[sfds].cn_socktype & PBS_SOCK_UNIX)
{
conn_credent[sfds].timestamp = time_now;
svr_conn[sfds].cn_authen = PBS_NET_CONN_AUTHENTICATED;
}
if (ENABLE_TRUSTED_AUTH == TRUE )
rc = 0; /* bypass the authentication of the user--trust the client completely */
else if (munge_on)
{
/* If munge_on is true we will validate the connection now */
if ( request->rq_type == PBS_BATCH_AltAuthenUser)
{
rc = req_altauthenuser(request);
if (rc == PBSE_NONE)
{
conn_credent[sfds].timestamp = time_now;
svr_conn[sfds].cn_authen = PBS_NET_CONN_AUTHENTICATED;
}
return;
}
else if (svr_conn[sfds].cn_authen != PBS_NET_CONN_AUTHENTICATED)
/* skip checking user if we did not get an authenticated credential */
rc = PBSE_BADCRED;
else
{
rc = authenticate_user(request, &conn_credent[sfds], &auth_err);
}
}
else if (svr_conn[sfds].cn_authen != PBS_NET_CONN_AUTHENTICATED)
rc = PBSE_BADCRED;
else
rc = authenticate_user(request, &conn_credent[sfds], &auth_err);
if (rc != 0)
{
req_reject(rc, 0, request, NULL, auth_err);
if (auth_err != NULL)
free(auth_err);
close_client(sfds);
return;
}
/*
* pbs_mom and checkpoint restart scripts both need the authority to do
* alters and releases on checkpointable jobs. Allow manager permission
* for root on the jobs execution node.
*/
if (((request->rq_type == PBS_BATCH_ModifyJob) ||
(request->rq_type == PBS_BATCH_ReleaseJob)) &&
(strcmp(request->rq_user, PBS_DEFAULT_ADMIN) == 0))
{
job *pjob;
char *dptr;
int skip = FALSE;
char short_host[PBS_MAXHOSTNAME+1];
/* make short host name */
strcpy(short_host, request->rq_host);
if ((dptr = strchr(short_host, '.')) != NULL)
{
*dptr = '\0';
}
if (((pjob = find_job(request->rq_ind.rq_modify.rq_objname)) != (job *)0) &&
(pjob->ji_qs.ji_state == JOB_STATE_RUNNING))
{
if ((pjob->ji_wattr[JOB_ATR_checkpoint].at_flags & ATR_VFLAG_SET) &&
((csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "s") != NULL) ||
(csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "c") != NULL) ||
(csv_find_string(pjob->ji_wattr[JOB_ATR_checkpoint].at_val.at_str, "enabled") != NULL)) &&
(strstr(pjob->ji_wattr[JOB_ATR_exec_host].at_val.at_str, short_host) != NULL))
{
request->rq_perm = svr_get_privilege(request->rq_user, server_host);
skip = TRUE;
}
}
if (!skip)
{
request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
}
}
else
{
request->rq_perm = svr_get_privilege(request->rq_user, request->rq_host);
}
} /* END else (svr_conn[sfds].cn_authen == PBS_NET_CONN_FROM_PRIVIL) */
/* if server shutting down, disallow new jobs and new running */
if (server.sv_attr[SRV_ATR_State].at_val.at_long > SV_STATE_RUN)
{
switch (request->rq_type)
{
case PBS_BATCH_AsyrunJob:
case PBS_BATCH_JobCred:
case PBS_BATCH_MoveJob:
case PBS_BATCH_QueueJob:
case PBS_BATCH_RunJob:
case PBS_BATCH_StageIn:
case PBS_BATCH_jobscript:
req_reject(PBSE_SVRDOWN, 0, request, NULL, NULL);
return;
/*NOTREACHED*/
break;
}
}
#else /* THIS CODE FOR MOM ONLY */
{
/*extern tree *okclients; */
extern void mom_server_update_receive_time_by_ip(u_long ipaddr, const char *cmd);
/* check connecting host against allowed list of ok clients */
if (LOGLEVEL >= 6)
{
sprintf(log_buffer, "request type %s from host %s received",
reqtype_to_txt(request->rq_type),
request->rq_host);
log_record(
PBSEVENT_JOB,
PBS_EVENTCLASS_JOB,
id,
log_buffer);
}
/* if (!tfind(svr_conn[sfds].cn_addr, &okclients)) */
if (!AVL_is_in_tree(svr_conn[sfds].cn_addr, 0, okclients))
{
sprintf(log_buffer, "request type %s from host %s rejected (host not authorized)",
reqtype_to_txt(request->rq_type),
request->rq_host);
log_record(
PBSEVENT_JOB,
PBS_EVENTCLASS_JOB,
id,
log_buffer);
req_reject(PBSE_BADHOST, 0, request, NULL, "request not authorized");
close_client(sfds);
return;
}
if (LOGLEVEL >= 3)
{
sprintf(log_buffer, "request type %s from host %s allowed",
reqtype_to_txt(request->rq_type),
request->rq_host);
log_record(
PBSEVENT_JOB,
PBS_EVENTCLASS_JOB,
id,
log_buffer);
}
mom_server_update_receive_time_by_ip(svr_conn[sfds].cn_addr, reqtype_to_txt(request->rq_type));
} /* END BLOCK */
request->rq_fromsvr = 1;
request->rq_perm =
ATR_DFLAG_USRD | ATR_DFLAG_USWR |
ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR |
ATR_DFLAG_SvWR | ATR_DFLAG_MOM;
#endif /* END else !PBS_MOM */
/*
* dispatch the request to the correct processing function.
* The processing function must call reply_send() to free
* the request struture.
*/
dispatch_request(sfds, request);
return;
} /* END process_request() */
