Commit b66b0e79 authored by Leigh B. Stoller's avatar Leigh B. Stoller

Add node type permission check to nalloc.

parent 3dbafb46
......@@ -140,6 +140,7 @@ use Exporter;
TBSaveExpLogFiles TBExptWorkDir TBExptUserDir TBExptLogDir
TBExptDestroy TBIPtoNodeID TBNodeBootReset TBNodeStateWait
TBLeaderMailList ExpGroup TBExptSetSwapUID TBExptSetThumbNail
TBNodeAllocCheck
TBExptRemoveVirtualState TBExptBackupVirtualState
TBExptRestoreVirtualState
......@@ -956,6 +957,59 @@ sub TBImageIDAccessCheck($$$)
TBMinTrust(TBGrpTrust($uid, $pid, $pid), PROJMEMBERTRUST_GROUPROOT);
}
#
# Determine if a node can be allocated to a project.
#
# Usage: TBNodeAllocCheck($pid, $node_id)
# returns 0 if not allowed or error.
# returns 1 if allowed.
#
sub TBNodeAllocCheck($$)
{
my ($pid, $node_id) = @_;
#
# Admins do whatever they want!
#
if (TBAdmin()) {
return 1;
}
#
# Hmm. The point of this join is to find rows in the permissions table
# with the corresponding type of the node. If no rows come back, its
# a non-existent node! If the values are NULL, then there are no rows
# with that type/class, and thus the type/class is free to be allocated
# by anyone. Otherwise we get the list of projects that are allowed,
# and so we have to look at those.
#
$query_result =
DBQueryFatal("select distinct p.* from nodes as n ".
"left join node_types as nt on n.type=nt.type ".
"left join nodetypeXpid_permissions as p on ".
" (p.type=nt.type or p.type=nt.class) ".
"where node_id='$node_id'");
if (!$query_result->numrows) {
print STDERR "TBNodeAllocCheck: No such node $node_id!\n";
return 0;
}
my ($ptype,$ppid) = $query_result->fetchrow_array();
# No rows, or a pid match.
if (!defined($ptype) || $ppid eq $pid) {
return 1;
}
# Okay, must be rows in the permissions table. Check each pid for a match.
while (my ($ptype,$ppid) = $query_result->fetchrow_array()) {
if ($ppid eq $pid) {
return 1;
}
}
return 0;
}
#
# Return Project leader. First argument pid.
#
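Review bot: `$node_id` is interpolated directly into the SQL text at `where node_id='$node_id'` in TBNodeAllocCheck, and the nalloc hunk passes each entry of `@node_names` to it with no validation visible in either hunk. Because this query decides a permission, reject anything that is not a plain node name before building it, for example `return 0 unless ($node_id =~ /\A[-\w]+\z/);` as the first statement, or quote the value with the library's own DB quoting helper if it has one. Separately, `select distinct p.*` makes `my ($ptype,$ppid)` depend on the column order of the permissions table; naming the two columns explicitly in the select keeps the check from silently comparing the wrong field if the table changes. `$query_result` is also assigned without `my`, which looks unintended unless it is a deliberate package variable declared outside the hunk.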
......
......@@ -62,6 +62,17 @@ if ($UID) {
}
}
#
# Before locking any tables, do a quick check to make sure the project
# is allowed to allocate the nodes, by type/class.
#
foreach my $n (@node_names) {
if (! TBNodeAllocCheck($pid, $n)) {
die("*** $0:\n".
" You are not allowed to allocate $n to project $pid!\n");
}
}
######################################################################
# Step 1 - Make a list of nodes to reserve
#
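Review bot: The permission loop runs before any tables are locked, so it is only an advisory pre-check: a change to the permission rows between this loop and the reservation step would not be caught, unless the check is repeated under the lock somewhere outside this hunk. Either re-run TBNodeAllocCheck after locking or say so in the comment, e.g. `# Advisory only: permissions are not re-checked once the tables are locked.` Also, TBNodeAllocCheck returns 0 for a nonexistent node as well as for a denied one, so the `die` text is misleading in the first case; wording such as `Cannot allocate $n to project $pid (no such node or not permitted)!` covers both.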
......