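/*
 * Return the name of the primary LSF administrator, or NULL on failure.
 *
 * The name is the first entry of the cluster's administrator list, or the
 * cluster manager name when that list is empty. It is accepted only if
 * getpwnam() finds it in the local account database.
 *
 * The result is cached in a function-static buffer: once a name has been
 * stored, later calls return it without querying LSF again. The buffer is
 * shared by every caller and must not be freed or modified.
 */
static char *
getLSFAdmin(void)
{
    static char admin[MAXLSFNAMELEN];
    static char fname[] = "getLSFAdmin";
    struct clusterInfo *clusterInfo;
    char *lsfUserName;
    size_t nameLen;

    /* A non-empty buffer means an earlier call already resolved the name. */
    if (admin[0] != '\0')
        return admin;

    /* The cluster name itself is not used; the call only has to succeed. */
    if (ls_getclustername() == NULL) {
        ls_syslog(LOG_ERR, I18N_FUNC_FAIL_MM, fname, "ls_getclustername");
        return NULL;
    }

    if ((clusterInfo = ls_clusterinfo(NULL, NULL, NULL, 0, 0)) == NULL) {
        ls_syslog(LOG_ERR, I18N_FUNC_FAIL_MM, fname, "ls_clusterinfo");
        return NULL;
    }

    lsfUserName = (clusterInfo->nAdmins == 0 ? clusterInfo->managerName
                                             : clusterInfo->admins[0]);

    /* Only the existence of the account matters; the entry is not kept. */
    if (getpwnam(lsfUserName) == NULL) {
        ls_syslog(LOG_ERR, I18N_FUNC_S_FAIL_M, fname, "getpwnam", lsfUserName);
        return NULL;
    }

    /*
     * The name comes from cluster configuration, not from this file, so its
     * length is checked before it is copied into the fixed-size buffer.
     * The original used an unbounded strcpy() here.
     */
    nameLen = strlen(lsfUserName);
    if (nameLen >= sizeof(admin)) {
        ls_syslog(LOG_ERR, "%s: administrator name <%s> is too long",
                  fname, lsfUserName);
        return NULL;
    }
    memcpy(admin, lsfUserName, nameLen + 1);

    return admin;
}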
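/*
 * Rebuild the global LSFAdmins list from the cluster's administrator list.
 *
 * If the cluster cannot be queried the existing list is left untouched.
 * If memory runs out while building the new list, everything allocated so
 * far is released and the list is left empty (numAdmins == 0).
 */
void
getLSFAdmins_(void)
{
    struct clusterInfo *clusterInfo;
    int i;

    clusterInfo = ls_clusterinfo(NULL, NULL, NULL, 0, 0);
    if (clusterInfo == NULL) {
        return;
    }

    if (LSFAdmins.numAdmins != 0) {
        /*
         * Each name is a separate allocation made by putstr_() (the error
         * path below frees them one by one), so the old strings have to be
         * released before the array that points to them. The original
         * freed only the array and leaked the strings on every refresh.
         */
        if (LSFAdmins.names != NULL) {
            for (i = 0; i < LSFAdmins.numAdmins; i++) {
                FREEUP(LSFAdmins.names[i]);
            }
        }
        FREEUP(LSFAdmins.names);
    }

    LSFAdmins.numAdmins = clusterInfo->nAdmins;

    LSFAdmins.names = calloc(LSFAdmins.numAdmins, sizeof(char *));
    if (LSFAdmins.names == NULL) {
        LSFAdmins.numAdmins = 0;
        return;
    }

    for (i = 0; i < LSFAdmins.numAdmins; i++) {
        LSFAdmins.names[i] = putstr_(clusterInfo->admins[i]);
        if (LSFAdmins.names[i] == NULL) {
            int j;

            /* Undo the partial copy so the list is never half-filled. */
            for (j = 0; j < i; j++) {
                FREEUP(LSFAdmins.names[j]);
            }
            FREEUP(LSFAdmins.names);
            LSFAdmins.numAdmins = 0;
            return;
        }
    }
}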
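/*
 * Decide whether `user` may log in to `hostname`, based on LSF state.
 *
 * Returns JOBUSER (allow) when:
 *   - the LSF session cannot be opened (lsb_init fails),
 *   - the cluster information cannot be retrieved (unless built with
 *     WITHOUTADMINS),
 *   - `user` is listed as a cluster administrator (unless built with
 *     WITHOUTADMINS),
 *   - a current job on `hostname` belongs to `user`, or
 *   - reading the job list fails part-way through.
 * Returns NOTJOBUSER (deny) when `user` is NULL, when lsb_openjobinfo()
 * returns a negative value, or when no returned job belongs to `user`.
 *
 * The policy is deliberately fail-open: this is meant for the PAM account
 * phase ("may this user log in right now"), not for authentication.
 * NOTE(review): fail-open means that an LSF outage, or anything else that
 * makes lsb_init()/ls_clusterinfo() fail for this process, lets every
 * account that has already authenticated onto the node. Sites that depend
 * on this check for node isolation should confirm that is acceptable and
 * alert on the LOG_ERR messages below.
 */
int
islsfuser(char *user, char *hostname)
{
#ifndef WITHOUTADMINS
    struct clusterInfo *cluster;
    int i;
#endif
    int more;
    struct jobInfoEnt *job;

    /* strcmp() on a NULL user would be undefined behaviour further down. */
    if (user == NULL) {
        syslog(LOG_AUTHPRIV|LOG_ERR, "pamlsfauth called without a user name. denying access.");
        return NOTJOBUSER;
    }

    /*
     * NOTE(review): these are hard-coded site paths and they overwrite any
     * value already present in the environment of the calling process;
     * the return value of setenv() is not checked. Confirm the paths match
     * the local LSF installation.
     */
    setenv("LSF_ENVDIR", "/lsf/conf", 1);
    setenv("LSF_LIBDIR", "/lsf/7.0/linux2.6-glibc2.3-x86_64/lib", 1);
    setenv("LSF_BINDIR", "/lsf/7.0/linux2.6-glibc2.3-x86_64/bin", 1);
    setenv("LSF_SERVERDIR", "/lsf/7.0/linux2.6-glibc2.3-x86_64/etc", 1);

    syslog(LOG_AUTHPRIV|LOG_DEBUG, "pamlsfauth checking lsf");

    /*
     * Open an LSF session. If we can't see the lsf shared directory, this
     * will fail. We're going to fail open here rather than closed.
     */
    if (lsb_init(NULL) < 0) {
        syslog(LOG_AUTHPRIV|LOG_ERR, "pamlsfauth LSF connection failed");
        return JOBUSER;
    }

#ifndef WITHOUTADMINS
    /*
     * Building with WITHOUTADMINS leaves this block out, so cluster admins
     * get no special treatment; that is for the case where pam_access is
     * being used, and aligns with the torque approach.
     *
     * Allow anyone who is a cluster administrator (listed in the
     * 'Administrators' line in ${LSFBASE}/conf/lsf.cluster.${CLUSTERNAME}).
     * Again, if we're unable to retrieve the information from LSF we're
     * going to fail open rather than closed. We're not doing pam
     * authenticate (is this a real user), only pam account (is it ok
     * for this user to login right now).
     */
    cluster = ls_clusterinfo(NULL, NULL, NULL, 0, 0);
    if (cluster != NULL) {
        for (i = 0; i < cluster->nAdmins; i++) {
            syslog(LOG_AUTHPRIV|LOG_DEBUG, "pamlsfauth comparing cluster admin %s", cluster->admins[i]);
            if (strcmp(user, cluster->admins[i]) == 0) {
                syslog(LOG_AUTHPRIV|LOG_NOTICE, "pamlsfauth allowing access for admin (%s)", cluster->admins[i]);
                return JOBUSER;
            }
        }
    } else {
        syslog(LOG_AUTHPRIV|LOG_ERR, "pamlsfauth unable to retrieve cluster info");
        return JOBUSER;
    }
#endif /* WITHOUTADMINS */

    /*
     * Retrieve the list of jobs for the user/hostname combination; a
     * negative result means we can fail the attempt immediately.
     * NOTE(review): a negative return is treated as "no job" whatever the
     * cause, so unlike the other LSF failures this path denies access.
     */
    if (lsb_openjobinfo(0, NULL, user, NULL, hostname, CUR_JOB) < 0) {
        syslog(LOG_AUTHPRIV|LOG_NOTICE, "pamlsfauth denying access for %s. No current job on host (%s)", user, hostname);
        return NOTJOBUSER;
    }

    /*
     * We already know that the user is scheduled onto the node. However,
     * we're going to iterate through the results so that we can log
     * a specific job number that enables access.
     * Again, we're going to err on the side of not disallowing an
     * authenticated user if we lose communication with LSF.
     */
    for (;;) {
        job = lsb_readjobinfo(&more);
        if (job == NULL) {
            /*
             * The original passed job->jobId to syslog() here, which
             * dereferences the NULL pointer; the format string takes no
             * arguments, so none are passed.
             */
            syslog(LOG_AUTHPRIV|LOG_ERR, "pamlsfauth unable to get job info. allowing access.");
            lsb_closejobinfo();
            return JOBUSER;
        }
        if (strcmp(user, job->user) == 0) {
            /* NOTE(review): %i expects an int; confirm the type of jobId. */
            syslog(LOG_AUTHPRIV|LOG_NOTICE, "pamlsfauth matched running job (%i) on %s for user %s. allowing access.", job->jobId, hostname, user);
            /* Close the job query on every exit path, not only on deny. */
            lsb_closejobinfo();
            return JOBUSER;
        }
        if (!more)
            break;
    }

    lsb_closejobinfo();
    syslog(LOG_AUTHPRIV|LOG_NOTICE, "pamlsfauth denying access for %s. No current job on host (%s)", user, hostname);
    return NOTJOBUSER;
}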