edg_wll_gss_release_cred(&ctx->connections->connPool[cIndex].gsiCred, NULL);
free(ctx->connections->connPool[cIndex].peerName);
free(ctx->connections->connPool[cIndex].buf);
+ free(ctx->connections->connPool[cIndex].certfile);
memset(ctx->connections->connPool + cIndex, 0, sizeof(edg_wll_ConnPool));
int ConnectionIndex(edg_wll_Context ctx, const char *name, int port)
{
int i;
+ struct stat statinfo;
+ int using_certfile = 0;
+
+ if (ctx->p_proxy_filename || ctx->p_cert_filename) {
+ stat(ctx->p_proxy_filename ? ctx->p_proxy_filename : ctx->p_cert_filename, &statinfo);
+ using_certfile = 1;
+ }
for (i=0; i<ctx->connections->poolSize;i++) {
- if ((ctx->connections->connPool[i].peerName != NULL) &&
- !strcmp(name, ctx->connections->connPool[i].peerName) &&
- (port == ctx->connections->connPool[i].peerPort)) {
+// printf("*** Testing connection %d: peerName = %s, peerPort = %d, file = %s\n", i, ctx->connections->connPool[i].peerName != NULL ? ctx->connections->connPool[i].peerName : "NULL", ctx->connections->connPool[i].peerPort, ctx->connections->connPool[i].file);
+ if ((ctx->connections->connPool[i].peerName != NULL) && // Conn Pool record must exist
+ !strcmp(name, ctx->connections->connPool[i].peerName) && // Server names must be equal
+ (port == ctx->connections->connPool[i].peerPort) && // Ports must be equal
+ (!using_certfile || // we are either using the default cert file
+ ((ctx->connections->connPool[i].certfile->st_ino == statinfo.st_ino) && // or checking which file
+ (ctx->connections->connPool[i].certfile->st_dev == statinfo.st_dev)))) { // this conn uses to auth.
+
/* TryLock (next line) is in fact used only
to check the mutex status */
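Review bot: The `stat()` at the top of ConnectionIndex is unchecked, so when the credential file cannot be stat'ed `statinfo` stays indeterminate and the `st_ino`/`st_dev` comparison in the match condition reads garbage; in the same condition `connPool[i].certfile` is dereferenced without a NULL test even though new entries start with `certfile = NULL` until credentials are acquired, so a slot whose acquisition has not happened yet (or failed) makes the lookup crash. Suggest `if (stat(ctx->p_proxy_filename ? ctx->p_proxy_filename : ctx->p_cert_filename, &statinfo) != 0) return -1;` (the caller already treats -1 as "no pooled connection", and the subsequent credential load is where the failure gets reported) and `(ctx->connections->connPool[i].certfile != NULL && ctx->connections->connPool[i].certfile->st_ino == statinfo.st_ino && ...)` for the match. The commented-out `printf` above the condition references a `.file` member nothing else in the hunk uses; delete it rather than commit dead debug code. ConnectionIndex continues beyond the hunk.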
free(ctx->connections->connPool[index].peerName); // should be empty; just to be sure
ctx->connections->connPool[index].peerName = strdup(name);
ctx->connections->connPool[index].peerPort = port;
- ctx->connections->connPool[index].gsiCred = NULL; // initial value
+ ctx->connections->connPool[index].gsiCred = GSS_C_NO_CREDENTIAL; // initial value
+ ctx->connections->connPool[index].certfile = NULL;
ctx->connections->connOpened++;
return index;
{
int index;
edg_wll_GssStatus gss_stat;
+ OM_uint32 lifetime = 0;
+ struct stat statinfo;
+ int acquire_cred = 0;
edg_wll_ResetError(ctx);
edg_wll_poolLock(); /* We are going to search the pool, it has better be locked */
+ /* July 12, 2007 - ZS - Searching the pool for srvName/srvPort is not enough.
+ we also need to check the user identity so that there may be several connections
+ open to the same server using different identities. */
+
if ( (index = ConnectionIndex(ctx, ctx->srvName, ctx->srvPort)) == -1 ) {
/* no such open connection in pool */
if (ctx->connections->connOpened == ctx->connections->poolSize)
*connToUse = index;
- /* XXX support anonymous connections, perhaps add a flag to the connPool
+ /* Old Comment: support anonymous connections, perhaps add a flag to the connPool
* struct specifying whether or not this connection shall be authenticated
* to prevent from repeated calls to edg_wll_gss_acquire_cred_gsi() */
- if (!ctx->connections->connPool[index].gsiCred &&
- edg_wll_gss_acquire_cred_gsi(
- ctx->p_proxy_filename ? ctx->p_proxy_filename : ctx->p_cert_filename,
- ctx->p_proxy_filename ? ctx->p_proxy_filename : ctx->p_key_filename,
- &ctx->connections->connPool[index].gsiCred, NULL, &gss_stat)) {
- edg_wll_SetErrorGss(ctx, "failed to load GSI credentials", &gss_stat);
- goto err;
+
+ // In case of using a specifically given cert file, stat it and check for the need to reauthenticate
+ if (ctx->p_proxy_filename || ctx->p_cert_filename) {
+ if (ctx->connections->connPool[index].certfile) { // Has the file been stated before?
+ stat(ctx->p_proxy_filename ? ctx->p_proxy_filename : ctx->p_cert_filename, &statinfo);
+ if (ctx->connections->connPool[index].certfile->st_mtime != statinfo.st_mtime)
+ acquire_cred = 1; // File has been modified. Need to acquire new creds.
+ }
+ else acquire_cred = 1;
+ }
+
+ // Check if credentials exist. If so, check validity
+ if (ctx->connections->connPool[index].gsiCred) {
+ gss_inquire_cred(ctx->connections->connPool[index].gsiCred, NULL, &lifetime, NULL, NULL, NULL);
+ #ifdef EDG_WLL_CONNPOOL_DEBUG
+ printf ("Credential exists, lifetime: %d\n", lifetime);
+ #endif
+ if (!lifetime) acquire_cred = 1; // Credentials exist and lifetime is OK. No need to authenticate.
+ }
+ else {
+ acquire_cred = 1; // No credentials exist so far, acquire.
+ }
+
+
+ if (acquire_cred) {
+ if (edg_wll_gss_acquire_cred_gsi(
+ ctx->p_proxy_filename ? ctx->p_proxy_filename : ctx->p_cert_filename,
+ ctx->p_proxy_filename ? ctx->p_proxy_filename : ctx->p_key_filename,
+ &ctx->connections->connPool[index].gsiCred, NULL, &gss_stat)) {
+ edg_wll_SetErrorGss(ctx, "failed to load GSI credentials", &gss_stat);
+ goto err;
+ }
+ else {
+ // Credentials Acquired successfully. Storing file identification.
+ #ifdef EDG_WLL_CONNPOOL_DEBUG
+ printf("Cert file: %s\n", ctx->p_proxy_filename ? ctx->p_proxy_filename : ctx->p_cert_filename);
+ #endif
+
+ if (ctx->p_proxy_filename || ctx->p_cert_filename) {
+ if (!ctx->connections->connPool[index].certfile) // Allocate space for certfile stats
+ ctx->connections->connPool[index].certfile =
+ (struct stat*)calloc(1, sizeof(struct stat));
+ stat(ctx->p_proxy_filename ? ctx->p_proxy_filename : ctx->p_cert_filename, ctx->connections->connPool[index].certfile);
+ }
+ }
}
if (ctx->connections->connPool[index].gss.context == NULL) {
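Review bot: Both `stat()` calls in the credential-refresh path are unchecked: in the `if (ctx->connections->connPool[index].certfile)` branch a failing stat leaves `statinfo` indeterminate so the `st_mtime` comparison decides on garbage, and in the store-after-acquire block a failed `calloc` hands NULL to stat while a failed stat leaves an all-zero `struct stat` that ConnectionIndex later matches by inode — the rewrite below treats a failed stat as "changed" on the check side and as an error on the store side (it reuses the `edg_wll_SetError(ctx, code, msg)` shape from the proxy hunk; if that routine does not accept errno values, use the module's equivalent). When `acquire_cred` is set while `gsiCred` already holds a credential, `edg_wll_gss_acquire_cred_gsi` overwrites the handle without the `edg_wll_gss_release_cred` the pool uses on close, and the existing `gss.context` is kept, so an already-open connection is not re-established under the refreshed credential; unless the acquire helper releases the old handle itself, release it before reacquiring and add a comment stating why the security context is allowed to survive a credential change. The comment on `if (!lifetime) acquire_cred = 1;` says the opposite of what the line does; suggest `// lifetime == 0: credential expired (or gss_inquire_cred failed), reacquire`. The debug `printf` formats an `OM_uint32` with `%d`; use `%u`. The enclosing function starts and ends outside the hunk.
```c
	// … unchanged: pool lookup, slot allocation, old comment …
	if (ctx->p_proxy_filename || ctx->p_cert_filename) {
		if (ctx->connections->connPool[index].certfile) {
			/* a failed stat() leaves statinfo indeterminate: treat the file as changed */
			if (stat(ctx->p_proxy_filename ? ctx->p_proxy_filename : ctx->p_cert_filename, &statinfo) != 0 ||
			    ctx->connections->connPool[index].certfile->st_mtime != statinfo.st_mtime)
				acquire_cred = 1;
		}
		else acquire_cred = 1;
	}
	// … unchanged: credential lifetime check, edg_wll_gss_acquire_cred_gsi call and its error branch …
			if (ctx->p_proxy_filename || ctx->p_cert_filename) {
				if (!ctx->connections->connPool[index].certfile)
					ctx->connections->connPool[index].certfile =
						calloc(1, sizeof *ctx->connections->connPool[index].certfile);
				if (!ctx->connections->connPool[index].certfile ||
				    stat(ctx->p_proxy_filename ? ctx->p_proxy_filename : ctx->p_cert_filename,
				         ctx->connections->connPool[index].certfile) != 0) {
					/* never leave an all-zero stat behind: ConnectionIndex would match against it */
					edg_wll_SetError(ctx, errno, "cannot stat credential file");
					free(ctx->connections->connPool[index].certfile);
					ctx->connections->connPool[index].certfile = NULL;
					goto err;
				}
			}
```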
char ***resp_head,
char **resp_body)
{
+ int err;
+ char *et = NULL;
+
if (edg_wll_open_proxy(ctx)) return edg_wll_Error(ctx,NULL,NULL);
switch (edg_wll_http_send_proxy(ctx,request,req_head,req_body)) {
|| edg_wll_http_send_proxy(ctx,request,req_head,req_body)
|| edg_wll_http_recv_proxy(ctx,response,resp_head,resp_body));
}
+
+ /* XXX: workaround for bug #25153, don't keep proxy connection at all
+ * May have slight performance impact, it would be nice to cover proxy
+ * connections in the pool too.
+ */
+
+ err = edg_wll_Error(ctx,NULL,&et);
+ edg_wll_close_proxy(ctx);
+ if (err) {
+ edg_wll_SetError(ctx,err,et);
+ free(et);
+ }
return edg_wll_Error(ctx,NULL,NULL);
}
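Review bot: `free(et)` directly after `edg_wll_SetError(ctx,err,et)` is correct only if edg_wll_SetError copies the message; if it stores the pointer, the error text carried across `edg_wll_close_proxy` dangles and the final `edg_wll_Error` call returns freed memory. Either confirm the ownership with a comment on that line, `/* edg_wll_SetError() copies et, safe to free */`, or keep `et` alive until the context's error is cleared. The locals this block relies on (`int err; char *et = NULL;`) are introduced in the earlier hunk of the same function, whose body between the two hunks is outside SOURCE.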
# directory with exported data (file per job)
GLITE_LB_EXPORT_JOBSDIR=${GLITE_LB_EXPORT_JOBSDIR:-/tmp/lbexport}
# purge args (timeouts)
-GLITE_LB_EXPORT_PURGE_ARGS=${GLITE_LB_EXPORT_PURGE_ARGS:---cleared 2d --aborted 2w --cancelled 2w --other 2m}
+GLITE_LB_EXPORT_PURGE_ARGS=${GLITE_LB_EXPORT_PURGE_ARGS:---cleared 2d --aborted 2w --cancelled 2w --other 60d}
# Book Keeping Server
GLITE_LB_SERVER_PORT=${GLITE_LB_SERVER_PORT:-9000}
GLITE_LB_EXPORT_BKSERVER=${GLITE_LB_EXPORT_BKSERVER:-localhost:$GLITE_LB_SERVER_PORT}
[ -d $GLITE_LB_EXPORT_PURGEDIR_KEEP ] || mkdir -p $GLITE_LB_EXPORT_PURGEDIR_KEEP
[ -d $GLITE_LB_EXPORT_JOBSDIR ] || mkdir -p $GLITE_LB_EXPORT_JOBSDIR
+<<<<<<< TODO: merge export.sh
if [ x"$GLITE_LB_PURGE_ENABLED" = x"true" ]; then
X509_USER_CERT="$X509_USER_CERT" X509_USER_KEY="$X509_USER_KEY" $PREFIX/bin/glite-lb-purge $GLITE_LB_EXPORT_PURGE_ARGS -l -m $GLITE_LB_EXPORT_BKSERVER -s
fi
+=======
+if [ x"$GLITE_LB_PURGE_ENABLED" = x"true" ]; then
+ X509_USER_CERT="$X509_USER_CERT" X509_USER_KEY="$X509_USER_KEY" $PREFIX/sbin/glite-lb-purge $GLITE_LB_EXPORT_PURGE_ARGS -l -m $GLITE_LB_EXPORT_BKSERVER -s
+fi
+>>>>>>> 1.2.4.2
+<<<<<<< TODO: merge export.sh
if [ x"$GLITE_LB_EXPORT_ENABLED" = x"true" ]; then
for file in $GLITE_LB_EXPORT_PURGEDIR/*; do
if [ -s $file ]; then
else
rm $file
fi
+=======
+if [ x"$GLITE_LB_EXPORT_ENABLED" = x"true" ]; then
+ list=`ls $GLITE_LB_EXPORT_PURGEDIR/* 2>/dev/null`
+ for file in $list; do
+ if [ -s $file ]; then
+ $PREFIX/sbin/glite-lb-lb_dump_exporter -d $file -s $GLITE_LB_EXPORT_JOBSDIR -m $GLITE_LB_EXPORT_JPDUMP_MAILDIR
+ if [ -n "$GLITE_LB_EXPORT_PURGEDIR_KEEP" ]; then
+ mv $file $GLITE_LB_EXPORT_PURGEDIR_KEEP
+ else
+ rm $file
+ fi
+>>>>>>> 1.2.4.2
else
rm $file
fi
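Review bot: The hunk commits unresolved merge-conflict markers (`<<<<<<< TODO: merge export.sh`, `=======`, `>>>>>>> 1.2.4.2`) into the script, so the shell will most likely reject the file as a syntax error at the first `<<<<<<<` line and neither the purge step nor the export step runs; each conflict has to be resolved to one branch before this is committed. In the `1.2.4.2` side `$file`, `$list` and the directory variables are expanded unquoted, so a path containing whitespace is split into separate words for `-s`, `-d` and `mv`; quote them, e.g. `if [ -s "$file" ]; then` and `mv "$file" "$GLITE_LB_EXPORT_PURGEDIR_KEEP"`. The `ls ... 2>/dev/null` listing on that side appears intended to avoid the literal unmatched glob the other branch iterates over when the directory is empty; if so, a one-line comment saying that would keep the next merge from "simplifying" it back.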