From: Daniel KouĊ™il 
Date: Mon, 28 Feb 2011 15:19:40 +0000 (+0000) 
Subject: A human-readable from of jobs ACLs 
X-Git-Tag: glite-lb-client-java_R_1_1_1_1~9 
X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=b65a2af3b4714626b20b3878591eda546aa2f879;p=jra1mw.git 
A human-readable from of jobs ACLs 
--- 
diff --git a/org.glite.lb.client/examples/job_status.c b/org.glite.lb.client/examples/job_status.c 
index 145f618..f07fcf6 100644 
--- a/org.glite.lb.client/examples/job_status.c 
+++ b/org.glite.lb.client/examples/job_status.c 
@@ -304,6 +304,7 @@ static void printstat(edg_wll_JobStat stat, int level)
 printf("%sexpectUpdate : %d\n", ind, stat.expectUpdate);
 printf("%sexpectFrom : %s\n", ind, stat.expectFrom);
 printf("%sacl : %s\n", ind, stat.acl); 
+ printf("%saccess rights : \n%s", ind, stat.access_rights);
 printf("%spayload_running: %d\n", ind, stat.payload_running);
 if (stat.possible_destinations) {
 printf("%spossible_destinations : \n", ind); 
diff --git a/org.glite.lb.client/src/EventAttrNames.pl b/org.glite.lb.client/src/EventAttrNames.pl 
index d752cba..8963265 100644 
--- a/org.glite.lb.client/src/EventAttrNames.pl 
+++ b/org.glite.lb.client/src/EventAttrNames.pl 
@@ -57,7 +57,6 @@
 OPERATION
 OWNER
 PARENT 
- PAYLOAD_OWNER
 PERMISSION
 PERMISSION_TYPE
 PID 
@@ -115,4 +114,5 @@
 WORKER_NODE
 FAILURE_REASON
 WMS_DN 
+ PAYLOAD_OWNER
 /; 
diff --git a/org.glite.lb.client/src/StatusAttrNames.pl b/org.glite.lb.client/src/StatusAttrNames.pl 
index 9812c2c..67b8d50 100644 
--- a/org.glite.lb.client/src/StatusAttrNames.pl 
+++ b/org.glite.lb.client/src/StatusAttrNames.pl 
@@ -59,7 +59,6 @@
 NETWORK_SERVER
 OWNER
 PARENT_JOB 
- PAYLOAD_OWNER
 PAYLOAD_RUNNING
 PBS_DEST_HOST
 PBS_ERROR_DESC 
@@ -111,4 +110,6 @@
 OSB_TRANSFER
 CREAM_FAILURE_REASON
 CREAM_ID 
+ PAYLOAD_OWNER 
+ ACCESS_RIGHTS
 /; 
diff --git a/org.glite.lb.server/interface/lb_authz.h b/org.glite.lb.server/interface/lb_authz.h 
index a3b9d0b..9295d0c 100644 
--- a/org.glite.lb.server/interface/lb_authz.h 
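Review bot: `stat.access_rights` is handed to `%s` on the added line without a NULL guard, and the server only fills that field in when the job has an ACL (the jobstat.c hunk calls edg_wll_acl_print inside `if (acl)`), so for a job without an ACL this is printf with a NULL `%s` argument, which is undefined behaviour (glibc merely happens to print "(null)"). The neighbouring lines share the pattern, but this field is the one known to be optional; `printf("%saccess rights : \n%s", ind, stat.access_rights ? stat.access_rights : "");` avoids it. The line also differs from its neighbours in relying on the value to carry its own trailing newline (output_authz_rule ends every entry with `\n`); a short comment, `/* access_rights is multi-line and already newline-terminated */`, would explain the odd format. printstat's body starts and ends outside the hunk.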
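Review bot: PAYLOAD_OWNER is moved from its alphabetical slot (first hunk) to the tail of the list, just before the new ACCESS_RIGHTS, with nothing saying why; EventAttrNames.pl gets the same move. If the position in this list fixes a generated attribute number, as the move suggests, a comment on the line after the closing `/;` such as `# Append new names at the end: generated code numbers attributes by their position in this list` would stop the next contributor from re-sorting it; if order is irrelevant, the move is noise. A `#` inside the qw list itself would be taken as a word, so the note belongs outside it. The list opens outside the hunk.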
+++ b/org.glite.lb.server/interface/lb_authz.h 
@@ -94,6 +94,8 @@ edg_wll_get_server_policy();
 int
 edg_wll_get_fqans(edg_wll_Context ctx, struct vomsdata *voms_info, char ***fqans); 
+int 
+edg_wll_acl_print(edg_wll_Context ctx, edg_wll_Acl a, char **policy);
 #ifdef __cplusplus
 } 
diff --git a/org.glite.lb.server/src/jobstat.c b/org.glite.lb.server/src/jobstat.c 
index c62b2d4..1f01e6a 100644 
--- a/org.glite.lb.server/src/jobstat.c 
+++ b/org.glite.lb.server/src/jobstat.c 
@@ -181,6 +181,7 @@ int edg_wll_JobStatusServer(
 }
 if (acl) { 
+ edg_wll_acl_print(ctx, acl, &stat->access_rights);
 stat->acl = strdup(acl->string);
 edg_wll_FreeAcl(acl);
 acl = NULL; 
diff --git a/org.glite.lb.server/src/lb_authz.c b/org.glite.lb.server/src/lb_authz.c 
index 09a25f7..ab20cdb 100644 
--- a/org.glite.lb.server/src/lb_authz.c 
+++ b/org.glite.lb.server/src/lb_authz.c 
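Review bot: The new `edg_wll_acl_print` prototype carries no comment stating its contract, and the lb_authz.c hunk shows there is one worth stating: `*policy` receives a malloc'd string the caller must free, it is written only on success, and the return is 0 or the code recorded through edg_wll_SetError(ctx, …). A comment above the added `int`, `/* Render ACL a as human-readable allow/deny lists per permission. On success *policy is set to a malloc'd string owned by the caller; on error *policy is untouched and the ctx error is set. Returns 0 or an edg_wll error code. */`, tells callers such as jobstat.c what to free and what to check. The surrounding `#ifdef __cplusplus` / `}` lines show the declaration lands inside the extern "C" block, which is the right place for it.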
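Review bot: The return value of the added `edg_wll_acl_print(ctx, acl, &stat->access_rights)` is discarded, yet the function reports failure through edg_wll_SetError(ctx, …) and, from the lb_authz.c hunk, writes `*policy` only on success; so a failed rendering leaves the context carrying an error while edg_wll_JobStatusServer carries on building the status, and whether that stale error later surfaces to the client cannot be seen from this hunk. Either make it fatal, `if (edg_wll_acl_print(ctx, acl, &stat->access_rights)) goto err;` (with whatever error exit the function uses outside the hunk), or make the best-effort intent explicit with `(void)` plus a comment and clear the context error afterwards so the status reply is not poisoned by a cosmetic field. The function's body starts and ends outside the hunk.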
@@ -995,3 +995,176 @@ edg_wll_get_server_policy()
 {
 return &authz_policy;
 } 
+ 
+static GRSTgaclEntry * 
+find_entry(edg_wll_Context ctx, GRSTgaclAcl *acl, GRSTgaclPerm perm, 
+ enum edg_wll_ChangeACLPermission_type perm_type) 
+{ 
+ GRSTgaclEntry *entry; 
+ 
+ if (acl == NULL) { 
+ edg_wll_SetError(ctx, EINVAL, "Parsing ACL"); 
+ return NULL; 
+ } 
+ 
+ for (entry = acl->firstentry; entry != NULL; entry = entry->next) { 
+ if (perm_type == EDG_WLL_CHANGEACL_ALLOW && entry->allowed == perm) 
+ return entry; 
+ if (perm_type == EDG_WLL_CHANGEACL_DENY && entry->denied == perm) 
+ return entry; 
+ 
+ } 
+ return NULL; 
+} 
+ 
+static int 
+aux_add_cred(edg_wll_Context ctx, 
+ GRSTgaclAcl *aux, 
+ GRSTgaclPerm perm, 
+ enum edg_wll_ChangeACLPermission_type perm_type, 
+ GRSTgaclCred *cred) 
+{ 
+ GRSTgaclEntry *e; 
+ int ret; 
+ 
+ if (cred == NULL) 
+ return edg_wll_SetError(ctx, ENOMEM, "Empty ACL to parse"); 
+ 
+ e = find_entry(ctx, aux, perm, perm_type); 
+ if (e == NULL) { 
+ e = GRSTgaclEntryNew(); 
+ if (e == NULL) { 
+ ret = edg_wll_SetError(ctx, ENOMEM, "Parsing ACL entry"); 
+ goto end; 
+ } 
+ ret = GRSTgaclAclAddEntry(aux, e); 
+ if (ret == 0) { 
+ GRSTgaclEntryFree(e); 
+ ret = edg_wll_SetError(ctx, ENOMEM, "Parsing ACL"); 
+ goto end; 
+ } 
+ switch (perm_type) { 
+ case EDG_WLL_CHANGEACL_ALLOW: 
+ GRSTgaclEntryAllowPerm(e, perm); 
+ break; 
+ case EDG_WLL_CHANGEACL_DENY: 
+ GRSTgaclEntryDenyPerm(e, perm); 
+ break; 
+ default: 
+ edg_wll_SetError(ctx, EINVAL, "Wrong permission type"); 
+ goto end; 
+ } 
+ } 
+ 
+ ret = GRSTgaclEntryAddCred(e, cred); 
+ if (ret == 0) { 
+ ret = edg_wll_SetError(ctx, EINVAL, "Creating ACL entry"); 
+ goto end; 
+ } 
+ 
+ ret = 0; 
+ 
+end: 
+ return ret; 
+} 
+ 
+static int 
+output_authz_rule(edg_wll_Context ctx, 
+ GRSTgaclAcl *aux, 
+ enum edg_wll_ChangeACLPermission permission, 
+ char **out) 
+{ 
+ GRSTgaclPerm perm; 
+ GRSTgaclEntry *allowed, *denied; 
+ GRSTgaclCred *cred; 
+ char *s = NULL, *dec = NULL; 
+ 
+ if (out == NULL) 
+ return edg_wll_SetError(ctx,EINVAL,"Error outputing ACL"); 
+ 
+ perm = 
perm_lb2gacl(permission); 
+ if (perm == GRST_PERM_NONE) 
+ return edg_wll_SetError(ctx,EINVAL,"Unknown permission for ACL"); 
+ 
+ allowed = find_entry(ctx, aux, perm, EDG_WLL_CHANGEACL_ALLOW); 
+ denied = find_entry(ctx, aux, perm, EDG_WLL_CHANGEACL_DENY); 
+ if (allowed || denied) { 
+ asprintf(&s, "%s:\n", edg_wll_ChangeACLPermissionToString(permission)); 
+ if (allowed) { 
+ asprintf(&s, "%s\tallowed: ", s); 
+ for (cred = allowed->firstcred; cred; cred = cred->next) { 
+ dec = GRSThttpUrlDecode(cred->auri); 
+ asprintf(&s, "%s%s%s\n", 
+ s, 
+ (cred == allowed->firstcred) ? "" : "\t\t ", 
+ dec); 
+ free(dec); 
+ } 
+ } 
+ if (denied) { 
+ asprintf(&s, "%s\tdenied: ", s); 
+ for (cred = denied->firstcred; cred; cred = cred->next) { 
+ dec = GRSThttpUrlDecode(cred->auri); 
+ asprintf(&s, "%s%s%s\n", 
+ s, 
+ (cred == denied->firstcred) ? "" : "\t\t", 
+ dec); 
+ free(dec); 
+ } 
+ } 
+ asprintf(out, "%s%s", 
+ (*out == NULL) ? "" : *out, 
+ s); 
+ free(s); 
+ } 
+ return 0; 
+} 
+ 
+/* The auxiliary GACL ACL below is used just as an convenient container easying the parsing. 
The 
+ structure is not used for any controling access */ 
+int 
+edg_wll_acl_print(edg_wll_Context ctx, edg_wll_Acl a, char **policy) 
+{ 
+ GRSTgaclEntry *entry; 
+ GRSTgaclAcl *aux = NULL; 
+ GRSTgaclAcl *acl; 
+ char *pol = NULL; 
+ int ret; 
+ 
+ if (a == NULL || a->value == NULL) 
+ edg_wll_SetError(ctx, EINVAL, "ACL not set"); 
+ acl = a->value; 
+ 
+ aux = GRSTgaclAclNew(); 
+ if (aux == NULL) 
+ return edg_wll_SetError(ctx, ENOMEM, "Creating ACLs"); 
+ 
+ for (entry = acl->firstentry; entry != NULL; entry = entry->next) { 
+ if (entry->allowed != 0) 
+ aux_add_cred(ctx, aux, entry->allowed, EDG_WLL_CHANGEACL_ALLOW, entry->firstcred); 
+ if (entry->denied != 0) 
+ aux_add_cred(ctx, aux, entry->denied, EDG_WLL_CHANGEACL_DENY, entry->firstcred); 
+ } 
+ 
+ ret = output_authz_rule(ctx, aux, EDG_WLL_CHANGEACL_READ, &pol); 
+ if (ret) 
+ goto end; 
+ 
+ ret = output_authz_rule(ctx, aux, EDG_WLL_CHANGEACL_TAG, &pol); 
+ if (ret) 
+ goto end; 
+ 
+ ret = 0; 
+ *policy = pol; 
+ pol = NULL; 
+ 
+end: 
+ if (pol) 
+ free(pol); 
+ /* prevent from free()ing allocated memory not allocated by us */ 
+ for (entry = aux->firstentry; entry != NULL; entry = entry->next) 
+ entry->firstcred = NULL; 
+ GRSTgaclAclFree(aux); 
+ 
+ return ret; 
+} 
diff --git a/org.glite.lb.types/status.T b/org.glite.lb.types/status.T 
index d859a55..d64f2ad 100644 
--- a/org.glite.lb.types/status.T 
+++ b/org.glite.lb.types/status.T 
@@ -104,6 +104,7 @@ cclassad jdl_classad Unparsed JDL classad
 jobid isb_transfer Input sandbox corresponding to the job
 jobid osb_transfer Output sandbox corresponding to the job
 string payload_owner Owner of the actual job payload (e.g., for pilot jobs) 
+string access_rights List of access rights (human readable variant of acl)
 _pad_ 55
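Review bot: In edg_wll_acl_print the `if (a == NULL || a->value == NULL)` guard only records the context error and falls through, so `acl = a->value;` on the very next line dereferences the NULL it just detected; it needs `return edg_wll_SetError(ctx, EINVAL, "ACL not set");`. output_authz_rule also leaks on every append — `asprintf(&s, "%s\tallowed: ", s)`, the per-credential `asprintf(&s, "%s%s%s\n", s, …)` calls and the final `asprintf(out, "%s%s", *out, s)` each allocate a fresh buffer without freeing the one they read from — and no asprintf or GRSThttpUrlDecode result is checked, so on allocation failure s is indeterminate and a NULL dec reaches `%s`; routing the appends through one checked helper, sketched below (needs `<stdarg.h>` for vasprintf; the denied branch takes the same shape), closes both. Separately, both aux_add_cred calls in edg_wll_acl_print discard their return value, aux_add_cred's `default:` branch reaches `end` with ret still holding GRSTgaclAclAddEntry's success value rather than an error code, and only `entry->firstcred` is handed to the aux entry — if GRSTgaclEntryAddCred links credentials by writing the previous node's next pointer (the `entry->firstcred = NULL` cleanup loop shows the nodes are shared with the real ACL), the job's own ACL is being rewritten while aux is built, which should be confirmed against gridsite or avoided by copying the credentials. The comment introducing edg_wll_acl_print is split across the hunk boundary and reads "an convenient container easying the parsing"; "a convenient container that eases the parsing" and "controlling" are the intended words.
```c
/* Append printf-style text to *dst, freeing the old buffer.
   Returns 0, or -1 when an allocation fails (*dst is then left as it was). */
static int
append_fmt(char **dst, const char *fmt, ...)
{
	va_list ap;
	char *tail = NULL, *joined = NULL;
	int rc;

	va_start(ap, fmt);
	rc = vasprintf(&tail, fmt, ap);
	va_end(ap);
	if (rc < 0)
		return -1;
	rc = asprintf(&joined, "%s%s", *dst ? *dst : "", tail);
	free(tail);
	if (rc < 0)
		return -1;
	free(*dst);
	*dst = joined;
	return 0;
}

/* … unchanged: find_entry, aux_add_cred, output_authz_rule up to the find_entry() calls (add `int rc;` to its locals) … */
	if (allowed || denied) {
		if (append_fmt(&s, "%s:\n", edg_wll_ChangeACLPermissionToString(permission)) < 0)
			goto nomem;
		if (allowed) {
			if (append_fmt(&s, "\tallowed: ") < 0)
				goto nomem;
			for (cred = allowed->firstcred; cred; cred = cred->next) {
				dec = GRSThttpUrlDecode(cred->auri);
				rc = append_fmt(&s, "%s%s\n",
					(cred == allowed->firstcred) ? "" : "\t\t ",
					dec ? dec : cred->auri);
				free(dec);
				if (rc < 0)
					goto nomem;
			}
		}
		/* … denied branch: same shape with "\tdenied: " and "\t\t" … */
		if (append_fmt(out, "%s", s) < 0)
			goto nomem;
		free(s);
	}
	return 0;

nomem:
	free(s);
	return edg_wll_SetError(ctx, ENOMEM, "Error outputing ACL");
```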
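Review bot: The new `string access_rights` field is inserted without touching the `_pad_ 55` line that follows it. If `_pad_` reserves spare slots so that the generated edg_wll_JobStat keeps a fixed size as fields are appended — which is what a trailing pad count usually means, though the generator that consumes it is not visible here — the count should drop to 54 with this addition, otherwise the struct grows and clients and servers built from different revisions disagree on its layout. Worth checking how the earlier payload_owner addition handled the count before merging.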