Commit 1fe966df authored by Leigh Stoller's avatar Leigh Stoller

Some bits and pieces that grant members of the emulab-ops project

some additional privs; allowed to view/edit node logs and histories of
all nodes, plus some others.
parent f3ddc9b9
......@@ -140,6 +140,7 @@ define("TBDB_IFACEROLE_JAIL", "jail");
define("TBDB_IFACEROLE_FAKE", "fake");
define("TBDB_IFACEROLE_GW", "gw");
define("TBDB_IFACEROLE_OTHER", "other");
define("TBDB_IFACEROLE_OUTER_CONTROL", "outer_ctrl");
# Node states that the web page cares about.
define("TBDB_NODESTATE_ISUP", "ISUP");
......@@ -444,7 +445,7 @@ function TBCheckGroupTrustConsistency($user, $pid, $gid, $newtrust, $fail)
else {
#
# Setting default group.
# Don't verify anything (yet.)
# Do not verify anything (yet.)
#
$projtrustisroot = $newtrustisroot;
}
......@@ -462,14 +463,14 @@ function TBCheckGroupTrustConsistency($user, $pid, $gid, $newtrust, $fail)
$ogid = $row[1];
#
# Get what the user's trust level is in the
# Get what the users trust level is in the
# current subgroup we're looking at.
#
$grptrustisroot =
TBTrustConvert( $grptrust ) > $TBDB_TRUST_USER ? 1 : 0;
#
# If user's trust level is higher in the default group than in the
# If users trust level is higher in the default group than in the
# subgroup we are looking at, this is wrong.
#
if ($projtrustisroot > $grptrustisroot) {
......@@ -481,8 +482,8 @@ function TBCheckGroupTrustConsistency($user, $pid, $gid, $newtrust, $fail)
if (strcmp($pid, $gid)) {
#
# Iff we're modifying a subgroup,
# Make sure that the trust we're setting is as
# Iff we are modifying a subgroup,
# Make sure that the trust we are setting is as
# rootful as the trust we already have set in
# every other subgroup.
#
......@@ -594,6 +595,7 @@ function TBNodeAccessCheck($uid, $node_id, $access_type)
global $TBDB_TRUST_USER;
global $TBDB_TRUST_GROUPROOT;
global $TBDB_TRUST_LOCALROOT;
global $TBOPSPID;
$mintrust;
if ($access_type < $TB_NODEACCESS_MIN ||
......@@ -608,6 +610,14 @@ function TBNodeAccessCheck($uid, $node_id, $access_type)
"where r.node_id='$node_id'");
if (mysql_num_rows($query_result) == 0) {
#
# If the current user is in the emulab-ops project and has sufficient
# privs, then he can muck with free nodes as if he were an admin type.
#
if ($uid == GETUID() && OPSGUY()) {
return(TBMinTrust(TBGrpTrust($uid, $TBOPSPID, $TBOPSPID),
$TBDB_TRUST_LOCALROOT));
}
return 0;
}
$row = mysql_fetch_array($query_result);
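Review bot: The new branch in TBNodeAccessCheck for a node with no reservation row returns the same result for every `$access_type`, so an emulab-ops member who passes the `$TBDB_TRUST_LOCALROOT` test gets read and modify access alike on unreserved nodes. If that is intended, the comment should say so explicitly, for example `# Applies to all access types: ops members with LOCALROOT trust are treated like admins on unreserved nodes.` The identity test uses a loose comparison; `if (!strcmp($uid, GETUID()) && OPSGUY())` follows the `strcmp` style used elsewhere in this file and avoids numeric-string coercion. The function starts and ends outside the hunk, so the earlier range check on `$access_type` and the handling after `mysql_fetch_array` cannot be reviewed here.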
......
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group.
# Copyright (c) 2000-2002, 2005 University of Utah and the Flux Group.
# All rights reserved.
#
include("defs.php3");
......@@ -35,7 +35,7 @@ if (!isset($log_id) ||
#
# Only Admins can delete log entries.
#
if (! $isadmin) {
if (! ($isadmin || OPSGUY())) {
USERERROR("You do not have permission to delete log entries!", 1);
}
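Review bot: The comment above the check still reads "Only Admins can delete log entries." although the condition now also admits `OPSGUY()`; it should become `# Only Admins and members of the emulab-ops project can delete log entries.` The same stale comment ("Only Admins can enter log entries.") sits above the identical change in the next file section. Deleting log entries is destructive, and `OPSGUY()` as added in this commit is derived from project membership alone, whereas the TBNodeAccessCheck change also requires `$TBDB_TRUST_LOCALROOT` in that project. Consider applying the same trust floor here, unless that is already enforced outside the hunk.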
......
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group.
# Copyright (c) 2000-2002, 2005 University of Utah and the Flux Group.
# All rights reserved.
#
include("defs.php3");
......@@ -41,7 +41,7 @@ if (!isset($log_entry) ||
#
# Only Admins can enter log entries.
#
if (! $isadmin) {
if (! ($isadmin || OPSGUY())) {
USERERROR("You do not have permission to enter log entries!", 1);
}
......
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group.
# Copyright (c) 2000-2002, 2005 University of Utah and the Flux Group.
# All rights reserved.
#
include("defs.php3");
......@@ -34,9 +34,10 @@ else {
}
#
# Only Admins can enter log entries.
# Only Admins can enter log entries. Or members of emulab-ops project
# if the node is free or reserved to emulab-ops.
#
if (! $isadmin) {
if (! ($isadmin || OPSGUY())) {
USERERROR("You do not have permission to enter log entries!", 1);
}
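Review bot: The updated comment promises that emulab-ops members may enter log entries only "if the node is free or reserved to emulab-ops", but the condition `if (! ($isadmin || OPSGUY()))` tests membership only and no reservation check appears in this hunk. Either reduce the comment to `# Only Admins and members of the emulab-ops project can enter log entries.`, which matches the commit description ("all nodes"), or add the node test to the condition, along the lines of the node list page's `(OPSGUY() && (!$pid || $pid == $TBOPSPID))`. The script continues outside the hunk, so a later check cannot be ruled out.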
......
......@@ -459,7 +459,8 @@ while ($row = mysql_fetch_array($query_result)) {
echo "<tr>";
# Admins get a link to expand the node.
if ($isadmin) {
if ($isadmin ||
(OPSGUY() && (!$pid || $pid == $TBOPSPID))) {
echo "<td><A href='shownode.php3?node_id=$node_id'>$node_id</a> " .
(!strcmp($node_id, $phys_nodeid) ? "" :
"(<A href='shownode.php3?node_id=$phys_nodeid'>$phys_nodeid</a>)")
......
......@@ -143,18 +143,20 @@ if (($isadmin || TBNodeAccessCheck($uid, $node_id, $TB_NODEACCESS_READINFO)) &&
"telemetry");
}
if ($isadmin) {
if ($isadmin || OPSGUY()) {
WRITESUBMENUBUTTON("Show Node Log",
"shownodelog.php3?node_id=$node_id");
WRITESUBMENUBUTTON("Show Node History",
"shownodehistory.php3?node_id=$node_id");
}
if ($isadmin) {
WRITESUBMENUBUTTON("Free Node",
"freenode.php3?node_id=$node_id");
WRITESUBMENUBUTTON("Set Node Location",
"setnodeloc.php3?node_id=$node_id");
}
if ($isadmin || STUDLY()) {
if ($isadmin || STUDLY() || OPSGUY()) {
WRITESUBMENUBUTTON("Update Power State",
"powertime.php3?node_id=$node_id");
}
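Review bot: The "Update Power State" button is now shown to `OPSGUY()` users, but no section on this page changes powertime.php3, so whether that page's own permission check admits them cannot be confirmed from this commit. Showing or hiding a menu button is not an access control; the target page has to enforce the same condition itself, as shownodelog.php3 and shownodehistory.php3 do in their own sections here. A comment above the condition such as `# Display only; powertime.php3 must enforce the same check.` would keep the two from drifting apart.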
......
......@@ -19,7 +19,7 @@ $uid = GETLOGIN();
LOGGEDINORDIE($uid);
$isadmin = ISADMIN($uid);
if (!$isadmin) {
if (! ($isadmin || OPSGUY())) {
USERERROR("Cannot view node history.", 1);
}
......
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group.
# Copyright (c) 2000-2002, 2005 University of Utah and the Flux Group.
# All rights reserved.
#
include("defs.php3");
......@@ -37,10 +37,9 @@ if (mysql_num_rows($query_result) == 0) {
}
#
# Admin users can look at any node, but normal users can only control
# nodes in their own experiments.
# Perm check.
#
if (! $isadmin) {
if (! ($isadmin || OPSGUY())) {
USERERROR("You do not have permission to view log for node $node_id!", 1);
}
......
......@@ -45,6 +45,7 @@ define("CHECKLOGIN_WEBONLY", 0x040000);
define("CHECKLOGIN_PLABUSER", 0x080000);
define("CHECKLOGIN_STUDLY", 0x100000);
define("CHECKLOGIN_WIKIONLY", 0x200000);
define("CHECKLOGIN_OPSGUY", 0x400000); # member of emulab-ops
#
# Constants for tracking possible login attacks.
......@@ -127,7 +128,7 @@ function GETUID() {
function CHECKLOGIN($uid) {
global $TBAUTHCOOKIE, $TBLOGINCOOKIE, $HTTP_COOKIE_VARS, $TBAUTHTIMEOUT;
global $CHECKLOGIN_STATUS, $CHECKLOGIN_UID, $CHECKLOGIN_NODETYPES;
global $CHECKLOGIN_WIKINAME;
global $CHECKLOGIN_WIKINAME, $TBOPSPID;
global $nocookieauth;
#
# If we already figured this out, do not duplicate work!
......@@ -153,7 +154,7 @@ function CHECKLOGIN($uid) {
DBQueryFatal("select NOW()>=u.pswd_expires,l.hashkey,l.timeout, ".
" status,admin,cvsweb,g.trust,adminoff,webonly, " .
" user_interface,n.type,u.stud,u.wikiname, ".
" u.wikionly " .
" u.wikionly,g.pid " .
" from users as u ".
"left join login as l on l.uid=u.uid ".
"left join group_membership as g on g.uid=u.uid ".
......@@ -171,6 +172,7 @@ function CHECKLOGIN($uid) {
# values and the pid. pid is a hack.
#
$trusted = 0;
$opsguy = 0;
while ($row = mysql_fetch_array($query_result)) {
$expired = $row[0];
......@@ -193,6 +195,11 @@ function CHECKLOGIN($uid) {
$wikiname = $row[12];
$wikionly = $row[13];
# Check for an ops guy.
$pid = $row[14];
if ($pid == $TBOPSPID) {
$opsguy = 1;
}
$CHECKLOGIN_NODETYPES[$type] = 1;
}
......@@ -319,6 +326,8 @@ function CHECKLOGIN($uid) {
$CHECKLOGIN_STATUS |= CHECKLOGIN_ACTIVE;
if (isset($wikiname) && $wikiname != "")
$CHECKLOGIN_WIKINAME = $wikiname;
if ($opsguy)
$CHECKLOGIN_STATUS |= CHECKLOGIN_OPSGUY;
#
# Set the magic enviroment variable, if appropriate, for the sake of
......@@ -441,6 +450,19 @@ function STUDLY() {
(CHECKLOGIN_LOGGEDIN|CHECKLOGIN_STUDLY));
}
function OPSGUY() {
global $CHECKLOGIN_STATUS;
if ($CHECKLOGIN_STATUS == CHECKLOGIN_NOSTATUS) {
$uid=GETUID();
TBERROR("OPSGUY: $uid is not logged in!", 1);
}
return (($CHECKLOGIN_STATUS &
(CHECKLOGIN_LOGGEDIN|CHECKLOGIN_OPSGUY)) ==
(CHECKLOGIN_LOGGEDIN|CHECKLOGIN_OPSGUY));
}
function WIKIONLY() {
global $CHECKLOGIN_STATUS;
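Review bot: In the CHECKLOGIN row loop, `$opsguy` is set as soon as any group_membership row has `g.pid` equal to `$TBOPSPID`, without looking at `g.trust` (`$row[6]`) for that row. If the table can hold rows for members whose trust has not been granted yet (not visible here), such a user would pass every page that gates on `OPSGUY()` alone, which in this commit includes entering and deleting node log entries. Tie the flag to the trust value of the same row, for example `if ($pid == $TBOPSPID && TBTrustConvert($row[6]) >= $TBDB_TRUST_USER)`, assuming `TBTrustConvert` and `$TBDB_TRUST_USER` are usable in this file with the matching `global` declaration. The loose `==` would also match a NULL pid from the left join if `$TBOPSPID` were ever empty, so a strict or `strcmp` comparison is safer. `OPSGUY()` itself mirrors `STUDLY()` and would benefit from a one-line comment stating that it reports emulab-ops membership of the logged-in user.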
......