Commit 6f6b2417 authored by Mike Hibler's avatar Mike Hibler
Browse files

Add ISOLATEADMINS code to limit exports of filesystems (currently with a

hardwired setting, should be a config variable).  If experiment swapper is
an admin, only admin homedirs are exported to the experiment nodes.  If
swapper is not an admin, only non-admin homedirs are exported.

This is really a half-assed measure, stopping short of requiring that projects
have only admin or non-admin users.  If we take that step, this code won't
be needed.

Also, sort list of nodes by increasing IP address (w00t!)  Helps make the
output more predictable for diffs.
parent f4cd4bae
......@@ -2,7 +2,7 @@
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2007 University of Utah and the Flux Group.
# Copyright (c) 2000-2008 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -39,6 +39,15 @@ my $scratchdir = "@FSDIR_SCRATCH@";
my $DISABLED = "@DISABLE_EXPORTS_SETUP@";
my $WINSUPPORT = @WINSUPPORT@;
# XXX should be config variable
my $ISOLATEADMIN= 0;
# XXX for TESTMODE: output to stdout
my $TOSTDOUT = 0;
if ($TOSTDOUT) {
$TESTMODE = 1;
}
# Note no -n option. We redirect stdin from the new exports file below.
my $SSH = "$TB/bin/sshtb -l root -host $FSNODE";
my $PROG = "$TB/sbin/exports_setup.proxy";
......@@ -115,6 +124,11 @@ if (!$TESTMODE) {
if ($WINSUPPORT) {
open(SMBMAP, ">$smbconftail") || fatal("Couldn't open $smbconftail\n");
}
} elsif ($TOSTDOUT) {
open(MAP, ">/dev/stdout") || fatal("Couldn't open /dev/stdout\n");
if ($WINSUPPORT) {
open(SMBMAP, ">/dev/stdout") || fatal("Couldn't open /dev/stdout\n");
}
} else {
open(MAP, ">/dev/null") || fatal("Couldn't open /dev/null\n");
if ($WINSUPPORT) {
......@@ -142,11 +156,13 @@ if ($WINSUPPORT) {
# VIRTNODE HACK: Virtual nodes are special, so do not export. (isvirtnode).
#
$nodes_result =
DBQueryFatal("select r.node_id,r.pid,r.eid,e.gid,i.IP from reserved as r ".
DBQueryFatal("select r.node_id,r.pid,r.eid,e.gid,i.IP,u.admin ".
"from reserved as r ".
"left join experiments as e on r.pid=e.pid and r.eid=e.eid ".
"left join nodes on r.node_id=nodes.node_id ".
"left join node_types on node_types.type=nodes.type ".
"left join interfaces as i on r.node_id=i.node_id ".
"left join users as u on e.swapper_idx=u.uid_idx ".
" where i.IP!='NULL' and ".
" i.role='" . TBDB_IFACEROLE_CONTROL() . "' ".
" and nodes.role='testnode' ".
......@@ -160,6 +176,7 @@ my %lastfslist = ();
my @lastsmbshares = ();
my $lastpid = "";
my $lastgid = "";
my $lastadmin = "";
my @mountpoints = fsinit();
......@@ -177,6 +194,7 @@ while (@row = $nodes_result->fetchrow_array) {
my $eid = $row[2];
my $gid = $row[3];
my $ip = $row[4];
my $admin = $row[5];
my %fslist = ();
my @dirlist = ();
my @smbshares = ();
......@@ -184,12 +202,13 @@ while (@row = $nodes_result->fetchrow_array) {
# Sanity check - don't try this if any of the above are not defined - we
# may end up with a bad line in exports
if ((!defined($node_id)) || (!defined($pid)) || (!defined($eid)) ||
(!defined($gid)) || (!defined($ip))) {
(!defined($gid)) || (!defined($admin)) || (!defined($ip))) {
print "WARNING: exports_setup: Skipping database row with undefined values\n";
next;
}
if ($lastpid eq $pid && $lastgid eq $gid) {
if ($lastpid eq $pid && $lastgid eq $gid &&
(!$ISOLATEADMIN || $lastadmin eq $admin)) {
# If this is for the same proj and group again, don't requery the db
# and don't recompute everything.
......@@ -200,6 +219,7 @@ while (@row = $nodes_result->fetchrow_array) {
$lastpid=$pid;
$lastgid=$gid;
$lastadmin=$admin;
# Construct a list of directories accessible from this node.
# First the project and group directories.
......@@ -231,12 +251,21 @@ while (@row = $nodes_result->fetchrow_array) {
# Determine the users that can access this node, and add those
# users' directories to the list.
# XXX needs to be fixed for shared experiments?
#
# Note that if we are isolating admins, only those users with
# the same admin status as the swapper are allowed.
my $adminclause = "";
if ($ISOLATEADMIN) {
$adminclause = "u.admin=$admin and ";
}
$users_result =
DBQueryFatal("select distinct g.uid from group_membership as g ".
"left join users as u on u.uid_idx=g.uid_idx ".
"where g.pid='$pid' and g.gid='$gid' and ".
" (g.trust!='none' and ".
" u.webonly=0 and ".
" $adminclause ".
" u.status='" . USERSTATUS_ACTIVE() . "')");
while (@usersrow = $users_result->fetchrow_array) {
......@@ -308,11 +337,19 @@ while (@row = $nodes_result->fetchrow_array) {
}
}
# just cuz
sub sortbyip {
my @ao = split('\.', $a);
my @bo = split('\.', $b);
return ($ao[0] <=> $bo[0] || $ao[1] <=> $bo[1] ||
$ao[2] <=> $bo[2] || $ao[3] <=> $bo[3]);
}
#
# Now spit out each group!
#
foreach my $str ( keys(%ipgroups) ) {
my @iplist = @{ $ipgroups{$str} };
my @iplist = sort sortbyip @{ $ipgroups{$str} };
print MAP "$str -maproot=root @iplist\n";
}
......@@ -325,7 +362,7 @@ close(MAP);
#
if ($WINSUPPORT) {
foreach my $share ( keys(%globalsmbshares) ) {
my @iplist = @{ $globalsmbshares{$share}->{iplist} };
my @iplist = sort sortbyip @{ $globalsmbshares{$share}->{iplist} };
my $path = $globalsmbshares{$share}->{path};
print SMBMAP "[$share]\n";
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment