Commit 4a7f4feb authored by Leigh Stoller's avatar Leigh Stoller

Add a project field to restrict the set of accounts returned to

experiments created in that project. For now, we are going to set this
on the Cloudlab project to prevent 500 users from being created on
those experiments, since that's where most people coming from the trusted
signer live.
parent 9baaae4c
......@@ -4350,6 +4350,7 @@ CREATE TABLE `projects` (
`manager_urn` varchar(128) default NULL,
`genesis` enum('emulab','aptlab','cloudlab','phantomnet') NOT NULL default 'emulab',
`portal` enum('emulab','aptlab','cloudlab','phantomnet') default NULL,
`experiment_accounts` enum('none','swapper') default NULL,
PRIMARY KEY (`pid_idx`),
UNIQUE KEY `pid` (`pid`),
KEY `unix_gid` (`unix_gid`),
......
use strict;
use libdb;
sub DoUpdate($$$)
{
my ($dbhandle, $dbname, $version) = @_;
if (!DBSlotExists("projects", "experiment_accounts")) {
DBQueryFatal("alter table projects add " .
" `experiment_accounts` enum('none','swapper') ".
" default NULL");
}
return 0;
}
# Local Variables:
# mode:perl
# End:
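Review bot: Nothing in this update script says what the new column's values mean, so a reader of the schema cannot tell whether 'none' is "no restriction" or "no accounts at all". In the tmcd hunks of this same commit only 'swapper' is acted on, so 'none' and NULL appear to behave identically. A comment above the `DBQueryFatal` call would settle it, for example `# experiment_accounts: NULL or 'none' = no restriction; 'swapper' = only the swapper (and project leader) accounts are returned to nodes.`, adjusted if 'none' is meant differently. The file's header lines are not visible on this page.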
......@@ -2661,6 +2661,7 @@ COMMAND_PROTOTYPE(doaccounts)
int nrows, gidint;
int tbadmin, didwidearea = 0, nodetypeprojects = 0;
int didnonlocal = 0;
int swapper_only = 0;
if (! tcp) {
error("ACCOUNTS: %s: Cannot give account info out over UDP!\n",
......@@ -2717,6 +2718,25 @@ COMMAND_PROTOTYPE(doaccounts)
mysql_free_result(res);
}
/*
* See if a per-project restriction on the accounts that are
* created.
*/
res = mydb_query("select experiment_accounts from projects "
"where pid='%s' and experiment_accounts is not null",
1, reqp->pid);
if (res) {
if ((int)mysql_num_rows(res) != 0) {
row = mysql_fetch_row(res);
if (row[0]) {
if (strcmp(row[0], "swapper") == 0) {
swapper_only = 1;
}
}
}
mysql_free_result(res);
}
/*
* We need the unix GID and unix name for each group in the project.
*/
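Review bot: The experiment_accounts lookup fails open: when `mydb_query` returns NULL, `swapper_only` stays 0 and the full account list is handed out with nothing logged. Because the flag exists to restrict which accounts reach a node, a failed query should be reported and the request refused, along the lines of `if (!res) { error("ACCOUNTS: %s: DB Error getting experiment_accounts!\n", reqp->pid); return 1; }`. `row` is also dereferenced without a NULL check after `mysql_fetch_row`; `if (row && row[0] && strcmp(row[0], "swapper") == 0)` covers that and flattens the nesting. The rest of doaccounts is outside this hunk, so the right error return should follow whatever the neighbouring queries do.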
......@@ -2974,7 +2994,7 @@ COMMAND_PROTOTYPE(doaccounts)
char *passwdfield = (!reqp->islocal && reqp->isdedicatedwa) ?
"'*'" : "u.usr_pswd";
strcpy(adminclause, "");
#ifdef ISOLATEADMINS
#ifdef ISOaLATEADMINS
sprintf(adminclause, "and u.admin=%d", reqp->swapper_isadmin);
#endif
/*
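Review bot: The guard around the admin clause appears to become `#ifdef ISOaLATEADMINS` in this hunk, which looks like a stray keystroke rather than an intended change. The page prints both spellings and has lost the +/- markers, so this assumes the second one is the new side. With that spelling the macro is presumably never defined, so `adminclause` stays empty and the `u.admin=%d` filter on `reqp->swapper_isadmin` is compiled out even in builds that define ISOLATEADMINS. That silently removes the separation between admin and non-admin accounts, which is unrelated to the change the commit message describes. Restore `#ifdef ISOLATEADMINS`, or if disabling the clause is deliberate, delete the block and say so in the commit message.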
......@@ -3240,6 +3260,14 @@ COMMAND_PROTOTYPE(doaccounts)
if (reqp->genisliver_idx && reqp->isnonlocal_pid &&
!didnonlocal && !isleader)
goto skipkeys;
/*
* Watch for a swapper only project flag.
*/
if (swapper_only && !isleader &&
strcmp(reqp->swapper, row[0])) {
goto skipkeys;
}
if (gidint == -1) {
gidint = auxgids[--gcount];
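Review bot: The new comment says "swapper only", but the condition also lets the project leader through (`!isleader`), and that exemption is not stated anywhere in the hunk. I would spell it out: `/* Swapper-only project: skip every account except the swapper and the project leader. */`. For readability the comparison could be written `strcmp(reqp->swapper, row[0]) != 0`, matching the `== 0` form used in the experiment_accounts lookup earlier in this commit. The `skipkeys` label and the code that emits the account line are outside this hunk, so it is worth confirming that the jump suppresses the account itself and not only its keys.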
......