
Commit b66b0e79 authored by Leigh B. Stoller's avatar Leigh B. Stoller

Add node type permission check to nalloc.

parent 3dbafb46
......@@ -140,6 +140,7 @@ use Exporter;
TBSaveExpLogFiles TBExptWorkDir TBExptUserDir TBExptLogDir
TBExptDestroy TBIPtoNodeID TBNodeBootReset TBNodeStateWait
TBLeaderMailList ExpGroup TBExptSetSwapUID TBExptSetThumbNail
TBNodeAllocCheck
TBExptRemoveVirtualState TBExptBackupVirtualState
TBExptRestoreVirtualState
......@@ -956,6 +957,59 @@ sub TBImageIDAccessCheck($$$)
TBMinTrust(TBGrpTrust($uid, $pid, $pid), PROJMEMBERTRUST_GROUPROOT);
}
#
# Determine if a node can be allocated to a project.
#
# Usage: TBNodeAllocCheck($pid, $node_id)
# returns 0 if not allowed or error.
# returns 1 if allowed.
#
sub TBNodeAllocCheck($$)
{
my ($pid, $node_id) = @_;
#
# Admins do whatever they want!
#
if (TBAdmin()) {
return 1;
}
#
# Hmm. The point of this join is to find rows in the permissions table
# with the corresponding type of the node. If no rows come back, its
# a non-existent node! If the values are NULL, then there are no rows
# with that type/class, and thus the type/class is free to be allocated
# by anyone. Otherwise we get the list of projects that are allowed,
# and so we have to look at those.
#
$query_result =
DBQueryFatal("select distinct p.* from nodes as n ".
"left join node_types as nt on n.type=nt.type ".
"left join nodetypeXpid_permissions as p on ".
" (p.type=nt.type or p.type=nt.class) ".
"where node_id='$node_id'");
if (!$query_result->numrows) {
print STDERR "TBNodeAllocCheck: No such node $node_id!\n";
return 0;
}
my ($ptype,$ppid) = $query_result->fetchrow_array();
# No rows, or a pid match.
if (!defined($ptype) || $ppid eq $pid) {
return 1;
}
# Okay, must be rows in the permissions table. Check each pid for a match.
while (my ($ptype,$ppid) = $query_result->fetchrow_array()) {
if ($ppid eq $pid) {
return 1;
}
}
return 0;
}
#
# Return Project leader. First argument pid.
#
......
......@@ -62,6 +62,17 @@ if ($UID) {
}
}
#
# Before locking any tables, do a quick check to make sure the project
# is allowed to allocate the nodes, by type/class.
#
foreach my $n (@node_names) {
if (! TBNodeAllocCheck($pid, $n)) {
die("*** $0:\n".
" You are not allowed to allocate $n to project $pid!\n");
}
}
######################################################################
# Step 1 - Make a list of nodes to reserve
#
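Review bot: This type/class check runs before the tables are locked, so its answer can be stale by the time the nodes are reserved in the later steps; if the permissions table can change concurrently, the decision that counts is the one made under the lock. Either repeat TBNodeAllocCheck once the lock is held, or state in the comment that this is only an early rejection, e.g. `# Advisory early check only; not re-validated under the table lock.` The failure message also says "not allowed" when TBNodeAllocCheck returned 0 for a node that does not exist, which makes denied-access log entries hard to tell apart from typos. The rest of the script, including the locking, lies outside this hunk.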
......