From: Daniel KouĊ™il
Date: Thu, 8 Apr 2010 12:01:04 +0000 (+0000)
Subject: Support for READ_ALL, PURGE and GET_STATISTICS HHactions
X-Git-Tag: glite-lb-glite-LB_R_3_2_10_1~9
X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=c49423ca2f988439879f09ab8cef353c34869668;p=jra1mw.git

Support for READ_ALL, PURGE and GET_STATISTICS HHactions
---
diff --git a/org.glite.lb.server/src/authz_policy.c b/org.glite.lb.server/src/authz_policy.c
index 4aa707e..bbc5492 100644
--- a/org.glite.lb.server/src/authz_policy.c
+++ b/org.glite.lb.server/src/authz_policy.c
@@ -29,6 +29,8 @@ struct action_name action_names[] = {
 	{ LOG_GENERAL_EVENTS, "LOG_GENERAL_EVENTS" },
 	{ GET_STATISTICS, "GET_STATISTICS" },
 	{ REGISTER_JOBS, "REGISTER_JOBS" },
+	{ READ_ALL, "READ_ALL" },
+	{ PURGE, "PURGE" },
 };
 
 static int num_actions =
diff --git a/org.glite.lb.server/src/authz_policy.h b/org.glite.lb.server/src/authz_policy.h
index 7566059..c335fb3 100644
--- a/org.glite.lb.server/src/authz_policy.h
+++ b/org.glite.lb.server/src/authz_policy.h
@@ -31,6 +31,8 @@ typedef enum {
 	LOG_GENERAL_EVENTS = 1 << 4,
 	GET_STATISTICS = 1 << 5,
 	REGISTER_JOBS = 1 << 6,
+	READ_ALL = 1 << 7,
+	PURGE = 1 << 8,
 } authz_action;
 
 typedef struct action_name {
diff --git a/org.glite.lb.server/src/bkserverd.c b/org.glite.lb.server/src/bkserverd.c
index b92363d..54fc17c 100644
--- a/org.glite.lb.server/src/bkserverd.c
+++ b/org.glite.lb.server/src/bkserverd.c
@@ -303,7 +303,7 @@ static void usage(char *me)
 static int wait_for_open(edg_wll_Context,const char *);
 static int decrement_timeout(struct timeval *, struct timeval, struct timeval);
 static int asyn_gethostbyaddr(char **, char **, const struct sockaddr *, int, struct timeval *, int );
-static int add_root(edg_wll_Context, char *);
+static int add_root(edg_wll_Context, char *, authz_action);
 static int parse_limits(char *, int *, int *, int *);
 static int check_mkdir(const char *);
 
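Review bot: The two new authz_action values in authz_policy.h are added without any comment saying what they grant, and this enum is the only place a policy author can look the action names up; a short trailing comment on each would help, e.g. `READ_ALL = 1 << 7,   /* read status/events of any job, regardless of owner */` and `PURGE = 1 << 8,      /* run the server-side purge operation */`. Every value must also appear in action_names[] in authz_policy.c (the commit does this for both), so a one-line comment above the enum saying that the table must be kept in step would make the coupling visible to whoever adds the next action. The enum's opening line and the rest of the header lie outside the hunk.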
@@ -472,7 +472,7 @@ int main(int argc, char *argv[])
 		case 'X': notif_ilog_socket_path = strdup(optarg); break;
 		case 'Y': notif_ilog_file_prefix = strdup(optarg); break;
 		case 'i': strcpy(pidfile,optarg); pidfile_forced = 1; break;
-		case 'R': add_root(ctx, optarg); break;
+		case 'R': add_root(ctx, optarg, ADMIN_ACCESS); break;
 		case 'F': glite_common_log(LOG_CATEGORY_CONTROL, LOG_PRIORITY_FATAL,
 				"%s: Option --super-users-file is deprecated, specify policy using --policy instead");
 			return 1;
@@ -728,7 +728,8 @@ int main(int argc, char *argv[])
 	{
 		glite_common_log(LOG_CATEGORY_CONTROL, LOG_PRIORITY_INFO, "Server identity: %s", mycred->name);
 		server_subject = strdup(mycred->name);
-		add_root(ctx, server_subject);
+		add_root(ctx, server_subject, READ_ALL);
+		add_root(ctx, server_subject, PURGE);
 	}
 	else {
 		glite_common_log(LOG_CATEGORY_CONTROL, LOG_PRIORITY_WARN, "Server running unauthenticated");
@@ -1884,20 +1885,20 @@ static int asyn_gethostbyaddr(char **name, char **service, const struct sockaddr
 	return err;
 }
 
-static int add_root(edg_wll_Context ctx, char *root)
+static int add_root(edg_wll_Context ctx, char *root, authz_action action)
 {
 	struct _edg_wll_authz_attr attr;
 	struct _edg_wll_authz_rule rule;
 
-	attr.value = root;
 	attr.id = ATTR_SUBJECT;
 	if (strncmp(root, "FQAN:", 5) == 0){
 		root += 5;
 		attr.id = ATTR_FQAN;
 	}
+	attr.value = root;
 	rule.attrs = &attr;
 	rule.attrs_num = 1;
-	edg_wll_add_authz_rule(ctx, &authz_policy, ADMIN_ACCESS, &rule);
+	edg_wll_add_authz_rule(ctx, &authz_policy, action, &rule);
 	return 0;
 }
 
diff --git a/org.glite.lb.server/src/jobstat.c b/org.glite.lb.server/src/jobstat.c
index aa967e2..49bdba4 100644
--- a/org.glite.lb.server/src/jobstat.c
+++ b/org.glite.lb.server/src/jobstat.c
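Review bot: `add_root` still discards the result of `edg_wll_add_authz_rule` and returns 0 unconditionally, so if one of the new READ_ALL/PURGE rules for the server identity (hunk @@ -728) or an ADMIN_ACCESS rule from `-R` (hunk @@ -472) cannot be installed, the daemon comes up with less policy than configured and nothing is logged; both call sites in main ignore the return value as well. Returning the callee's status, `return edg_wll_add_authz_rule(ctx, &authz_policy, action, &rule);`, and checking it at the two callers would surface the failure at startup. This assumes edg_wll_add_authz_rule reports failures through its return value, which is not visible in the hunk. The `action` parameter is only ever fed compile-time constants here, so no validation of it is needed at this level.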
@@ -107,6 +107,8 @@ check_jobstat_authz(edg_wll_Context ctx,
 	edg_wll_ResetError(ctx);
 	princ.name = ctx->peerName;
 	princ.fqans = ctx->fqans;
+	if (check_authz_policy(&ctx->authz_policy, &princ, READ_ALL))
+		return 1;
 	if (check_authz_policy(&ctx->authz_policy, &princ, STATUS_FOR_MONITORING)) {
 		*flags |= STATUS_FOR_MONITORING;
 		return 1;
diff --git a/org.glite.lb.server/src/srv_purge.c b/org.glite.lb.server/src/srv_purge.c
index c40f28c..bbc2de7 100644
--- a/org.glite.lb.server/src/srv_purge.c
+++ b/org.glite.lb.server/src/srv_purge.c
@@ -48,6 +48,7 @@ limitations under the License.
 #include "db_supp.h"
 #include "jobstat.h"
 #include "il_notification.h"
+#include "authz_policy.h"
 
 #define DUMP_FILE_STORAGE "/tmp/"
 
@@ -247,9 +248,12 @@ int edg_wll_PurgeServer(edg_wll_Context ctx,const edg_wll_PurgeRequest *request,
 	struct timeval tp;
 	edg_wll_JobStat stat;
 	purge_ctx_t prg;
+	struct _edg_wll_GssPrincipal_data princ;
+	princ.name = ctx->peerName;
+	princ.fqans = ctx->fqans;
 
-	if (!ctx->noAuth) {
+	if (!ctx->noAuth && !check_authz_policy(&ctx->authz_policy, &princ, PURGE)) {
 		edg_wll_SetError(ctx,EPERM,"only superusers may purge");
 		goto abort;
 	}
 
diff --git a/org.glite.lb.server/src/stats.c b/org.glite.lb.server/src/stats.c
index 8457313..4319c7e 100644
--- a/org.glite.lb.server/src/stats.c
+++ b/org.glite.lb.server/src/stats.c
@@ -35,6 +35,7 @@ limitations under the License.
 #include "glite/jobid/strmd5.h"
 
 #include "stats.h"
+#include "authz_policy.h"
 
 static int stats_inc_counter(edg_wll_Context,const edg_wll_JobStat *,edg_wll_Stats *);
 static int stats_record_duration(edg_wll_Context,const edg_wll_JobStat *,const edg_wll_JobStat *,edg_wll_Stats *);
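Review bot: The new READ_ALL early return in check_jobstat_authz grants full status access without touching `*flags`, while the STATUS_FOR_MONITORING branch directly below records its restriction in `*flags`; that asymmetry looks intentional but is undocumented, so a comment such as `/* READ_ALL: unrestricted status of any job; no monitoring-only flag is set */` above the new `if` would stop the next reader from suspecting a forgotten flag. check_jobstat_authz starts and ends outside the hunk, so whether an owner or ADMIN_ACCESS test precedes this point is not visible here.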
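Review bot: The new purge gate in edg_wll_PurgeServer fails closed only when `check_authz_policy` returns exactly 0 for "not permitted": if the function can report an error with a negative return (for example on a non-`noAuth` connection where `ctx->peerName` is NULL), `!check_authz_policy(...)` is false and the purge proceeds, and the READ_ALL test in jobstat.c and the GET_STATISTICS test in stats.c (hunk @@ -306) have the same shape; confirm it returns strictly 0/1, or compare against 1 explicitly. `princ` is given only `name` and `fqans`; if `struct _edg_wll_GssPrincipal_data` has further members that check_authz_policy reads they are uninitialised here, so `struct _edg_wll_GssPrincipal_data princ = { 0 };` is the safer form (the same three-line principal setup is now repeated in jobstat.c, srv_purge.c and stats.c and would fit a small shared helper). The EPERM text `"only superusers may purge"` no longer describes the rule, since a principal holding the PURGE action may now purge as well; `"PURGE permission required"` would match the new check. edg_wll_PurgeServer continues outside the hunk.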
@@ -306,12 +307,16 @@ int edg_wll_StateRateServer(
 	char *sig = NULL;
 	time_t afrom,ato;
 	long match;
+	struct _edg_wll_GssPrincipal_data princ;
+
+	princ.name = ctx->peerName;
+	princ.fqans = ctx->fqans;
 
 	edg_wll_ResetError(ctx);
 	switch (ctx->count_statistics) {
 		case 0: return edg_wll_SetError(ctx,ENOSYS,NULL);
-		case 1: if (!ctx->noAuth) return edg_wll_SetError(ctx,EPERM,NULL);
+		case 1: if (!ctx->noAuth && !check_authz_policy(&ctx->authz_policy, &princ, GET_STATISTICS)) return edg_wll_SetError(ctx,EPERM,NULL);
 			break;
 		case 2: break;
 		default: abort();