
Commit 2aeb12f0 authored by Kirk Webb's avatar Kirk Webb

Node restrictions enforcement - web interface

This check-in hits the web interface side of the node restrictions.
Users may not access the console or see the root password for nodes in a
restricted state (e.g. "blackbox" or "useronly").
parent 797f83dd
......@@ -185,6 +185,7 @@ class Node
function cd_version() {return $this->field("cd_version"); }
function boot_errno() {return $this->field("boot_errno"); }
function reserved_pid() {return $this->field("reserved_pid"); }
function taint_states() {return $this->field("taint_states"); }
#
# Access Check, determines if $user can access $this record.
......@@ -465,6 +466,27 @@ class Node
return ($row["t"]>$stalesec);
}
#
# Check to see if node is tainted.
#
function IsTainted($instate = "") {
$tstates = $this->taint_states();
# No taint states set on this node?
if (!isset($tstates) || !$tstates) {
return 0;
}
# Any taint will do if nothing was passed in to check.
if (!$instate) {
return 1;
}
foreach (explode(",", $tstates) as $taint) {
if (strcmp($instate, $taint) == 0) {
return 1;
}
}
return 0;
}
#
# Show node record.
#
......@@ -556,6 +578,7 @@ class Node
$downtime = $row["down"];
$uuid = $row["node_uuid"];
$mac = $row["mac"];
$taint_states = $row["taint_states"];
if (!$def_boot_cmd_line)
$def_boot_cmd_line = " ";
......@@ -960,6 +983,12 @@ class Node
<td class=left>$uuid</td>
</tr>\n";
}
if ($taint_states) {
echo "<tr>
<td>Taint States:</td>
<td class=left>$taint_states</td>
</tr>\n";
}
#
# Show battery stuff
......@@ -1134,10 +1163,15 @@ class Node
#
# Spit out node attributes
#
# Don't emit root password if node is tainted with "useronly" or
# "blackbox".
$noroot = $noperm || $this->IsTainted("useronly") ||
$this->IsTainted("blackbox");
$query_result =
DBQueryFatal("select attrkey,attrvalue from node_attributes ".
"where node_id='$node_id' ".
($noperm ? "and attrkey!='root_password'" : ""));
($noroot ? "and attrkey!='root_password'" : ""));
if (!$short && mysql_num_rows($query_result)) {
echo "<tr>
......
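Review bot: The restricted-state list ("useronly", "blackbox") is spelled out inline in the `$noroot` expression and again in the console-access check in the other file of this commit, so a state added later must be updated in every caller or the root password or console stays exposed for it. A single predicate next to `IsTainted()`, for example `function IsRestricted() { return $this->IsTainted("useronly") || $this->IsTainted("blackbox"); }`, would keep the policy in one place. `$noroot` also hides the password from administrators, while the console check exempts `$isadmin`; if that asymmetry is intended, a one-line comment saying so would help. The enclosing function starts and ends outside the hunk.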
......@@ -68,11 +68,17 @@ else {
# Admin users can look at any node, but normal users can only control
# nodes in their own experiments.
#
# Do not allow console access for certain node taint states.
#
# XXX is MODIFYINFO the correct one to check? (probably)
#
if (!$isadmin && !isset($key) &&
!$node->AccessCheck($this_user, $TB_NODEACCESS_READINFO)) {
USERERROR("You do not have permission to tip to node $node_id!", 1);
if (!$isadmin && !isset($key)) {
if (!$node->AccessCheck($this_user, $TB_NODEACCESS_READINFO)) {
USERERROR("You do not have permission to tip to node $node_id!", 1);
}
if ($node->IsTainted("useronly") || $node->IsTainted("blackbox")) {
USERERROR("Node $node_id is in a restricted state - console access denied.", 1);
}
}
# Array of arguments
......
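Review bot: The new taint check sits inside `if (!$isadmin && !isset($key))`, so any request that arrives with `$key` set skips it along with the `AccessCheck()` call. How `$key` is validated is not visible in this hunk, but if a key can exist for a node in a "useronly" or "blackbox" state, the restriction would not apply on that path. If it is meant to hold for every non-admin request, the check could be lifted out of the key condition: `if (!$isadmin && ($node->IsTainted("useronly") || $node->IsTainted("blackbox"))) { USERERROR(...); }`. The permission test also still uses `$TB_NODEACCESS_READINFO` while the comment above asks about MODIFYINFO; that XXX is worth resolving, since console access is more than reading node info.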