Support for READ_ALL, PURGE and GET_STATISTICS HHactions

author Daniel Kouřil <kouril@ics.muni.cz>

Thu, 8 Apr 2010 12:01:04 +0000 (12:01 +0000)

committer Daniel Kouřil <kouril@ics.muni.cz>

Thu, 8 Apr 2010 12:01:04 +0000 (12:01 +0000)
author Daniel Kouřil <kouril@ics.muni.cz>
Thu, 8 Apr 2010 12:01:04 +0000 (12:01 +0000)
committer Daniel Kouřil <kouril@ics.muni.cz>
Thu, 8 Apr 2010 12:01:04 +0000 (12:01 +0000)
diff --git a/org.glite.lb.server/src/authz_policy.c b/org.glite.lb.server/src/authz_policy.c

index 4aa707e..bbc5492 100644 (file)
--- a/org.glite.lb.server/src/authz_policy.c
+++ b/org.glite.lb.server/src/authz_policy.c
@@ -29,6 +29,8 @@ struct action_name action_names[] = {
      { LOG_GENERAL_EVENTS,      "LOG_GENERAL_EVENTS" },
      { GET_STATISTICS,  "GET_STATISTICS" },
      { REGISTER_JOBS,   "REGISTER_JOBS" },      
+    { READ_ALL, "READ_ALL" },
+    { PURGE, "PURGE" },
  };
  
  static int num_actions =
diff --git a/org.glite.lb.server/src/authz_policy.h b/org.glite.lb.server/src/authz_policy.h

index 7566059..c335fb3 100644 (file)
--- a/org.glite.lb.server/src/authz_policy.h
+++ b/org.glite.lb.server/src/authz_policy.h
@@ -31,6 +31,8 @@ typedef enum {
      LOG_GENERAL_EVENTS = 1 << 4,
      GET_STATISTICS     = 1 << 5,
      REGISTER_JOBS      = 1 << 6,
+    READ_ALL           = 1 << 7,
+    PURGE              = 1 << 8,
  } authz_action;
  
  typedef struct action_name {
diff --git a/org.glite.lb.server/src/bkserverd.c b/org.glite.lb.server/src/bkserverd.c

index b92363d..54fc17c 100644 (file)
--- a/org.glite.lb.server/src/bkserverd.c
+++ b/org.glite.lb.server/src/bkserverd.c
@@ -303,7 +303,7 @@ static void usage(char *me)
  static int wait_for_open(edg_wll_Context,const char *);
  static int decrement_timeout(struct timeval *, struct timeval, struct timeval);
  static int asyn_gethostbyaddr(char **, char **, const struct sockaddr *, int, struct timeval *, int );
-static int add_root(edg_wll_Context, char *);
+static int add_root(edg_wll_Context, char *, authz_action);
  static int parse_limits(char *, int *, int *, int *);
  static int check_mkdir(const char *);
  
@@ -472,7 +472,7 @@ int main(int argc, char *argv[])
                 case 'X': notif_ilog_socket_path = strdup(optarg); break;
                 case 'Y': notif_ilog_file_prefix = strdup(optarg); break;
                 case 'i': strcpy(pidfile,optarg); pidfile_forced = 1; break;
-               case 'R': add_root(ctx, optarg); break;
+               case 'R': add_root(ctx, optarg, ADMIN_ACCESS); break;
                 case 'F': glite_common_log(LOG_CATEGORY_CONTROL, LOG_PRIORITY_FATAL,
                                 "%s: Option --super-users-file is deprecated, specify policy using --policy instead");
                           return 1;
@@ -728,7 +728,8 @@ int main(int argc, char *argv[])
                 {
                         glite_common_log(LOG_CATEGORY_CONTROL, LOG_PRIORITY_INFO, "Server identity: %s", mycred->name);
                         server_subject = strdup(mycred->name);
-                       add_root(ctx, server_subject);
+                       add_root(ctx, server_subject, READ_ALL);
+                       add_root(ctx, server_subject, PURGE);
                 }
                 else {
                         glite_common_log(LOG_CATEGORY_CONTROL, LOG_PRIORITY_WARN, "Server running unauthenticated");
@@ -1884,20 +1885,20 @@ static int asyn_gethostbyaddr(char **name, char **service, const struct sockaddr
         return err;
  }
  
-static int add_root(edg_wll_Context ctx, char *root)
+static int add_root(edg_wll_Context ctx, char *root, authz_action action)
  {
         struct _edg_wll_authz_attr attr;
         struct _edg_wll_authz_rule rule;
  
-       attr.value = root;
         attr.id = ATTR_SUBJECT;
         if (strncmp(root, "FQAN:", 5) == 0){
                 root += 5;
                 attr.id = ATTR_FQAN;
         }
+       attr.value = root;
         rule.attrs = &attr;
         rule.attrs_num = 1;
-       edg_wll_add_authz_rule(ctx, &authz_policy, ADMIN_ACCESS, &rule);
+       edg_wll_add_authz_rule(ctx, &authz_policy, action, &rule);
  
         return 0;
  }
diff --git a/org.glite.lb.server/src/jobstat.c b/org.glite.lb.server/src/jobstat.c

index aa967e2..49bdba4 100644 (file)
--- a/org.glite.lb.server/src/jobstat.c
+++ b/org.glite.lb.server/src/jobstat.c
@@ -107,6 +107,8 @@ check_jobstat_authz(edg_wll_Context ctx,
         edg_wll_ResetError(ctx);
         princ.name = ctx->peerName;
         princ.fqans = ctx->fqans;
+       if (check_authz_policy(&ctx->authz_policy, &princ, READ_ALL))
+               return 1;
         if (check_authz_policy(&ctx->authz_policy, &princ, STATUS_FOR_MONITORING)) {
                 *flags |= STATUS_FOR_MONITORING;
                 return 1;
diff --git a/org.glite.lb.server/src/srv_purge.c b/org.glite.lb.server/src/srv_purge.c

index c40f28c..bbc2de7 100644 (file)
--- a/org.glite.lb.server/src/srv_purge.c
+++ b/org.glite.lb.server/src/srv_purge.c
@@ -48,6 +48,7 @@ limitations under the License.
  #include "db_supp.h"
  #include "jobstat.h"
  #include "il_notification.h"
+#include "authz_policy.h"
  
  
  #define DUMP_FILE_STORAGE                                      "/tmp/"
@@ -247,9 +248,12 @@ int edg_wll_PurgeServer(edg_wll_Context ctx,const edg_wll_PurgeRequest *request,
         struct timeval  tp;
         edg_wll_JobStat stat;
         purge_ctx_t prg;
+       struct _edg_wll_GssPrincipal_data princ;
  
+       princ.name = ctx->peerName;
+        princ.fqans = ctx->fqans;
  
-       if (!ctx->noAuth) {
+       if (!ctx->noAuth && !check_authz_policy(&ctx->authz_policy, &princ, PURGE)) {
                 edg_wll_SetError(ctx,EPERM,"only superusers may purge");
                 goto abort;
         }
diff --git a/org.glite.lb.server/src/stats.c b/org.glite.lb.server/src/stats.c

index 8457313..4319c7e 100644 (file)
--- a/org.glite.lb.server/src/stats.c
+++ b/org.glite.lb.server/src/stats.c
@@ -35,6 +35,7 @@ limitations under the License.
  #include "glite/jobid/strmd5.h"
  
  #include "stats.h"
+#include "authz_policy.h"
  static int stats_inc_counter(edg_wll_Context,const edg_wll_JobStat *,edg_wll_Stats *);
  static int stats_record_duration(edg_wll_Context,const edg_wll_JobStat *,const edg_wll_JobStat *,edg_wll_Stats *);
  
@@ -306,12 +307,16 @@ int edg_wll_StateRateServer(
         char    *sig = NULL;
         time_t  afrom,ato;
         long    match;
+       struct _edg_wll_GssPrincipal_data princ;
+
+        princ.name = ctx->peerName;
+        princ.fqans = ctx->fqans;
  
         edg_wll_ResetError(ctx);
  
         switch (ctx->count_statistics) {
                 case 0: return edg_wll_SetError(ctx,ENOSYS,NULL);
-               case 1: if (!ctx->noAuth) return edg_wll_SetError(ctx,EPERM,NULL);
+               case 1: if (!ctx->noAuth && !check_authz_policy(&ctx->authz_policy, &princ, GET_STATISTICS)) return edg_wll_SetError(ctx,EPERM,NULL);
                         break;
                 case 2: break;
                 default: abort();
author	Daniel Kouřil <kouril@ics.muni.cz>
	Thu, 8 Apr 2010 12:01:04 +0000 (12:01 +0000)
committer	Daniel Kouřil <kouril@ics.muni.cz>
	Thu, 8 Apr 2010 12:01:04 +0000 (12:01 +0000)
org.glite.lb.server/src/authz_policy.c		patch \| blob \| blame \| history
org.glite.lb.server/src/authz_policy.h		patch \| blob \| blame \| history
org.glite.lb.server/src/bkserverd.c		patch \| blob \| blame \| history
org.glite.lb.server/src/jobstat.c		patch \| blob \| blame \| history
org.glite.lb.server/src/srv_purge.c		patch \| blob \| blame \| history
org.glite.lb.server/src/stats.c		patch \| blob \| blame \| history