Пример #1
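/*
 * Return the login name of the primary LSF administrator, or NULL on failure.
 *
 * The name is the first entry of the cluster's admin list, or the cluster
 * manager name when the list is empty.  It is accepted only if getpwnam()
 * can resolve it locally.  A successful lookup is cached in a function-static
 * buffer, so the returned pointer must not be freed and later calls return
 * the cached value without querying the cluster again.
 */
static char *
getLSFAdmin(void)
{
    static char admin[MAXLSFNAMELEN];
    static char fname[] = "getLSFAdmin";
    struct clusterInfo *clusterInfo;
    char *lsfUserName;
    size_t nameLen;

    /* A non-empty buffer means an earlier call already succeeded. */
    if (admin[0] != '\0')
        return admin;

    /* Only the success of this call matters here; the name is not used. */
    if (ls_getclustername() == NULL) {
        ls_syslog(LOG_ERR, I18N_FUNC_FAIL_MM, fname, "ls_getclustername");
        return NULL;
    }
    if ((clusterInfo = ls_clusterinfo(NULL, NULL, NULL, 0, 0)) == NULL) {
        ls_syslog(LOG_ERR, I18N_FUNC_FAIL_MM, fname, "ls_clusterinfo");
        return NULL;
    }

    lsfUserName = (clusterInfo->nAdmins == 0 ? clusterInfo->managerName :
                   clusterInfo->admins[0]);

    /* getpwnam() and strlen() must not be handed a NULL name. */
    if (lsfUserName == NULL) {
        ls_syslog(LOG_ERR, "%s: cluster info carries no administrator name",
                  fname);
        return NULL;
    }

    if (getpwnam(lsfUserName) == NULL) {
        ls_syslog(LOG_ERR, I18N_FUNC_S_FAIL_M,
                  fname, "getpwnam", lsfUserName);
        return NULL;
    }

    /*
     * The name comes from the cluster reply, not from this process, so its
     * length is checked before it is copied into the fixed-size cache.  The
     * original unbounded strcpy() would write past admin[] for a name of
     * MAXLSFNAMELEN bytes or more.
     */
    nameLen = strlen(lsfUserName);
    if (nameLen >= sizeof(admin)) {
        ls_syslog(LOG_ERR, "%s: administrator name is too long (%lu bytes)",
                  fname, (unsigned long)nameLen);
        return NULL;
    }
    memcpy(admin, lsfUserName, nameLen + 1);

    return admin;
}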
Пример #2
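/*
 * Refresh the global LSFAdmins list from the current cluster information.
 *
 * On success LSFAdmins.names holds one copied string per administrator and
 * LSFAdmins.numAdmins is the count.  If the cluster information cannot be
 * retrieved, the previous list is left untouched, so callers may keep
 * working with a stale administrator list.  If an allocation fails, the
 * list is left empty (numAdmins == 0, names == NULL).
 */
void
getLSFAdmins_(void)
{
    struct clusterInfo    *clusterInfo;
    int i;

    clusterInfo = ls_clusterinfo(NULL, NULL, NULL, 0, 0);
    if (clusterInfo == NULL) {
        return;
    }

    /*
     * Release the previous list.  The entries are copies made by putstr_()
     * below and are freed individually on the failure path, so they are
     * owned by this list; freeing only the array, as the original did,
     * leaked every name on each refresh.
     */
    if (LSFAdmins.numAdmins != 0) {
        if (LSFAdmins.names != NULL) {
            for (i = 0; i < LSFAdmins.numAdmins; i++) {
                FREEUP(LSFAdmins.names[i]);
            }
        }
        FREEUP(LSFAdmins.names);
        LSFAdmins.numAdmins = 0;
    }

    /*
     * Nothing to copy.  This also keeps a zero or negative count out of
     * calloc(), whose result for a zero-sized request is implementation
     * defined and was never released by the original code.
     */
    if (clusterInfo->nAdmins <= 0) {
        FREEUP(LSFAdmins.names);
        LSFAdmins.numAdmins = 0;
        return;
    }

    LSFAdmins.numAdmins = clusterInfo->nAdmins;

    LSFAdmins.names = calloc(LSFAdmins.numAdmins, sizeof(char *));
    if (LSFAdmins.names == NULL) {
        LSFAdmins.numAdmins = 0;
        return;
    }

    for (i = 0; i < LSFAdmins.numAdmins; i++) {
        LSFAdmins.names[i] = putstr_(clusterInfo->admins[i]);
        if (LSFAdmins.names[i] == NULL) {
            int j;

            /* Undo the partial copy so the list is never half-filled. */
            for (j = 0; j < i; j++) {
                FREEUP(LSFAdmins.names[j]);
            }
            FREEUP(LSFAdmins.names);
            LSFAdmins.numAdmins = 0;

            return;
        }
    }
}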
Пример #3
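/*
 * PAM account check: decide whether `user` may log in to `hostname`
 * according to LSF.
 *
 * Returns JOBUSER when the user is a cluster administrator (unless built
 * with WITHOUTADMINS), when the user has a current job on the host, or
 * when LSF cannot be queried (fail open).  Returns NOTJOBUSER when LSF
 * reports no current job for the user on the host, or when no user name
 * was supplied.
 *
 * Fail-open trade-off: while LSF is unreachable this check admits every
 * account that passed the earlier PAM phases.  Each fail-open path logs at
 * LOG_ERR under LOG_AUTHPRIV, so those messages are the place to alert on.
 *
 * NOTE(review): hostname is passed straight to lsb_openjobinfo() and to
 * syslog("%s"); callers are presumably expected to pass a non-NULL host -
 * confirm against the caller.
 */
int islsfuser(char *user,char *hostname)
{
    struct clusterInfo *cluster;
    int i,more;
    struct jobInfoEnt *job;

    /* strcmp() below must not see a NULL name; no identity, no access. */
    if (user == NULL)
    {
        syslog(LOG_AUTHPRIV|LOG_ERR,"pamlsfauth called without a user name");
        return NOTJOBUSER;
    }

    /*
     * The LSF locations are fixed at build time and overwrite whatever the
     * calling process inherited, so the library is not steered by the
     * caller's environment.  Note that this changes the environment of the
     * whole process hosting the PAM stack.
     */
    setenv("LSF_ENVDIR","/lsf/conf",1);
    setenv("LSF_LIBDIR","/lsf/7.0/linux2.6-glibc2.3-x86_64/lib",1);
    setenv("LSF_BINDIR","/lsf/7.0/linux2.6-glibc2.3-x86_64/bin",1);
    setenv("LSF_SERVERDIR","/lsf/7.0/linux2.6-glibc2.3-x86_64/etc",1);

    syslog(LOG_AUTHPRIV|LOG_DEBUG,"pamlsfauth checking lsf");

    /* Open an LSF session. If we can't see the lsf shared directory, this
     * will fail. We're going to fail open here rather than closed.
     */
    if(lsb_init(NULL)<0)
    {
        syslog(LOG_AUTHPRIV|LOG_ERR,"pamlsfauth LSF connection failed");
        return JOBUSER;
    }

#ifndef WITHOUTADMINS
    /* Building with WITHOUTADMINS removes this block, so cluster admins get
     * no automatic login access.  For the case where pam_access is being
     * used.  This aligns with the torque approach.
     */

    /*  allow anyone who is a cluster administrator (listed in the
     *  'Administrators' line in ${LSFBASE}/conf/lsf.cluster.${CLUSTERNAME}
     *  Again, if we're unable to retrieve the information from LSF we're
     *  going to fail open rather than closed. We're not doing pam
     *  authenticate (is this a real user), only pam account (is it ok
     *  for this user to login right now), so failing open
     *  isn't a security problem
     */
    cluster=ls_clusterinfo(NULL,NULL,NULL,0,0);
    if (cluster!=NULL)
    {
        for (i=0; i<cluster->nAdmins; i++)
        {
            syslog(LOG_AUTHPRIV|LOG_DEBUG,"pamlsfauth comparing cluster admin %s",cluster->admins[i]);
            if (strcmp(user,cluster->admins[i])==0)
            {
                syslog(LOG_AUTHPRIV|LOG_NOTICE,"pamlsfauth allowing access for admin (%s)",cluster->admins[i]);
                return JOBUSER;
            }
        }
    }
    else
    {
        syslog(LOG_AUTHPRIV|LOG_ERR,"pamlsfauth unable to retrieve cluster info");
        return JOBUSER;
    }

#endif /* WITHOUTADMINS */

    /* retrieve list of jobs for user hostname combination, null result
     * means we can fail the attempt immediately
     *
     * NOTE(review): any negative return is treated as "no job" and denies
     * access, so an LSF error at this step fails closed, unlike the other
     * LSF failures in this function - confirm that is intended.
     */

    if (lsb_openjobinfo(0,NULL,user,NULL,hostname,CUR_JOB)<0)
    {
        syslog(LOG_AUTHPRIV|LOG_NOTICE,"pamlsfauth denying access for %s.  No current job on host (%s)",user,hostname);
        return NOTJOBUSER;
    }

    /* we already know that the user is scheduled onto the node. However,
     * we're going to iterate through the results so that we can log
     * a specific job number that enables access.  Again, we're going
     * to err on the side of not disallowing an authenticated user if we
     * lose communication with LSF.
     */

    for (;;)
    {
        job=lsb_readjobinfo(&more);
        if (job == NULL)
        {
            /* The original passed job->jobId here, dereferencing the NULL
             * pointer it had just tested; the message has no conversion
             * specifiers, so no arguments are passed. */
            syslog(LOG_AUTHPRIV|LOG_ERR,"pamlsfauth unable to get job info.  allowing access.");
            lsb_closejobinfo();
            return JOBUSER;
        }
        if (strcmp(user,job->user)==0)
        {
            /* The cast keeps format and argument in agreement whatever
             * integer width jobId has. */
            syslog(LOG_AUTHPRIV|LOG_NOTICE,"pamlsfauth matched running job (%lld) on %s for user %s.  allowing access.",(long long)job->jobId,hostname,user);
            /* Close the job query on every exit once it has been opened. */
            lsb_closejobinfo();
            return JOBUSER;
        }
        if (!more) break;
    }
    lsb_closejobinfo();
    syslog(LOG_AUTHPRIV|LOG_NOTICE,"pamlsfauth denying access for %s.  No current job on host (%s)",user,hostname);
    return NOTJOBUSER;
}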