
Commit cde7de5a authored by Leigh B Stoller's avatar Leigh B Stoller

Change the CM to allow an admin override on extending slices that include

pre-reserved or sched-reserved nodes. I do this by adding a privilege to
the credential we create in APT_Instance::Extend(), so technically anyone
can do this, but I also send email to the local tbops list when it happens,
so we will see abuse right away.
parent eb9f95f0
......@@ -1415,9 +1415,9 @@ sub Terminate($)
#
# Ask to extend.
#
sub Extend($$)
sub Extend($$$)
{
my ($self, $new_expires) = @_;
my ($self, $new_expires, $this_user) = @_;
my $credentials;
my $method;
my @params;
......@@ -1441,8 +1441,12 @@ sub Extend($$)
$new_expires, {});
}
else {
my @privs = ();
if ($this_user->IsAdmin()) {
@privs = ("control", "admin");
}
my ($slice_credential, $speaksfor_credential) =
APT_Geni::GenCredentials($slice, $geniuser, undef, 1);
APT_Geni::GenCredentials($slice, $geniuser, \@privs, 1);
return undef
if (!defined($slice_credential));
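Review bot: `$this_user->IsAdmin()` is called without checking that the new third argument is defined, so any caller of Extend() that this commit did not update would die on an undefined invocant; `if (defined($this_user) && $this_user->IsAdmin()) {` avoids that. The `"admin"` privilege is also added to every credential generated here for an administrator, including the RunStitcher call that only forces the slice expiration, so the override is implicit rather than requested. Consider requiring an explicit opt-in before extending `@privs`, for example a flag like the `$force` that DoExtend already declares, if its meaning fits. Extend()'s body starts and ends outside these hunks.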
......
......@@ -1590,7 +1590,7 @@ sub RunStitcher()
$aggobj->SetManifest($manifest);
print "Forcing correct slice expiration\n";
my $response = $aggobj->Extend($slice->ExpirationGMT());
my $response = $aggobj->Extend($slice->ExpirationGMT(), $this_user);
if (!defined($response) ||
$response->code() != GENIRESPONSE_SUCCESS) {
$aggobj->SetStatus("failed");
......
......@@ -1162,6 +1162,7 @@ sub DoExtend()
{
my $force = 0;
my $lockdown = 0;
my $errcode = -1;
usage()
if (!@ARGV);
......@@ -1190,10 +1191,12 @@ sub DoExtend()
#
# Lock the slice in case it is doing something else, like taking
# a disk image.
# a disk image. This happens all the time, users are silly. Lets
# stop the email about it.
#
if ($slice->Lock()) {
fatal("Slice is busy, cannot lock it");
print STDERR "Experiment is busy, cannot lock it. Try again later.\n";
exit(GENIRESPONSE_BUSY);
}
# Save in case of error.
my $oldexpires = $slice->expires();
......@@ -1214,7 +1217,7 @@ sub DoExtend()
my $domain = $sliver->domain();
my $errmsg;
my $response = $sliver->Extend($new_expires);
my $response = $sliver->Extend($new_expires, $this_user);
if (!defined($response)) {
$errmsg = "Internal error calling Renew at $domain";
goto bad;
......@@ -1222,11 +1225,12 @@ sub DoExtend()
if ($response->code() != GENIRESPONSE_SUCCESS) {
# This is something the user should see.
if ($response->code() == GENIRESPONSE_REFUSED ||
$response->code() == GENIRESPONSE_SERVER_UNAVAILABLE ||
$response->code() == GENIRESPONSE_BUSY) {
print STDERR $response->output() . "\n";
# For web interface.
$webtask->output($response->output());
$webtask->Exited(1);
$webtask->Exited($response->code());
return 1;
}
$errmsg = "Failed to extend slice at $domain: ".
......@@ -1255,9 +1259,13 @@ sub DoExtend()
#
# Check the exit codes.
#
foreach my $code (@return_codes) {
foreach my $agg (@agglist) {
my $code = shift(@return_codes);
if ($code) {
print STDERR "Some slivers could not be extended\n";
$agg->webtask()->Refresh();
print STDERR "Some slivers could not be extended.\n";
$errcode = $agg->webtask()->exitcode();
goto bad;
}
}
......@@ -1278,7 +1286,7 @@ sub DoExtend()
# Reset back to original expiration, sorry.
$slice->SetExpiration($oldexpires);
$slice->UnLock();
exit(-1);
exit($errcode);
}
#
......@@ -1374,6 +1382,7 @@ sub DoRefresh()
my $code = shift(@return_codes);
if ($code) {
$agg->webtask()->Refresh();
$errmsg = "Some slivers could not be refreshed";
if ($agg->webtask()->output()) {
$errmsg .= ": " . $agg->webtask()->output();
......@@ -2101,6 +2110,7 @@ sub DoLinktest()
#
foreach my $agg (@agglist) {
my $code = shift(@return_codes);
$agg->webtask()->Refresh();
if ($code) {
$errmsg = "Could not $action linktest on some slivers";
if ($agg->webtask()->output()) {
......@@ -2298,6 +2308,7 @@ sub DoUpdateKeys()
#
foreach my $agg (@agglist) {
my $code = shift(@return_codes);
$agg->webtask()->Refresh();
if ($code) {
$errmsg = "Could not update keys on some slivers";
if ($agg->webtask()->output()) {
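Review bot: In the DoExtend exit-code loop, `$errcode = $agg->webtask()->exitcode();` overwrites the default of -1 with whatever the webtask holds. If a child failed before recording a code, that value may be 0 or undefined, and `exit($errcode)` would then report success. The PHP caller changed in this commit appears to treat `$retval == 0` as a granted extension, so a failed extend could be counted as done. Keeping a fallback, e.g. `$errcode = $agg->webtask()->exitcode() || -1;`, closes that path. Whether exitcode() can be unset at this point is not visible here, and DoExtend's body continues outside the hunks.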
......
#!/usr/bin/perl -wT
#
# Copyright (c) 2008-2015 University of Utah and the Flux Group.
# Copyright (c) 2008-2016 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
......@@ -4792,14 +4792,33 @@ sub RenewSliverAux($$$)
if (defined($pnode->reserved_pid()) &&
$pnode->reserved_pid() ne $slice_experiment->pid()) {
$slice->UnLock();
return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
"Refused cause $pnodeid is pre-reserved");
if ($credential->HasActualPrivilege("admin")) {
SENDMAIL($TBOPS, "Admin override on pre-reserved node!",
"Admin override on pre-reserved node $pnodeid\n".
"while extending $slice\n",
$TBOPS);
print STDERR "Admin override on pre-reserved node $pnodeid!\n";
}
else {
$slice->UnLock();
return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
"Refused cause $pnodeid is pre-reserved.");
}
}
if (defined($pnode->NextReservation())) {
$slice->UnLock();
return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
"Refused cause $pnodeid is sched-reserved");
if ($credential->HasActualPrivilege("admin")) {
SENDMAIL($TBOPS, "Admin override on sched-reserved node!",
"Admin override on sched-reserved node $pnodeid\n".
"while extending $slice\n",
$TBOPS);
print STDERR "Admin override on sched-reserved ".
"node $pnodeid!\n";
}
else {
$slice->UnLock();
return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
"Refused cause $pnodeid is sched-reserved.");
}
}
}
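Review bot: Both override emails in RenewSliverAux name only `$pnodeid` and `$slice`, so the message tbops relies on to notice misuse does not say whose credential carried the `admin` privilege. Adding the credential's owner or the calling user to the body and to the STDERR line would make each override attributable. The decision itself rests entirely on `$credential->HasActualPrivilege("admin")`, so a comment such as `# Override is authorized only by the "admin" privilege in the presented credential; the email is the sole audit record.` would tell maintainers this control is detective rather than preventive. The pre-reserved and sched-reserved branches are near-identical and appear to run once per node, so a small helper that sends one summary per request would cut both the duplication and the mail volume. The enclosing function and loop start outside the hunk.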
......
......@@ -56,6 +56,7 @@ $geni_response_codes =
"No Mapping Possible",
);
define("GENIRESPONSE_BADARGS", 1);
define("GENIRESPONSE_REFUSED", 7);
define("GENIRESPONSE_TIMEDOUT", 8);
define("GENIRESPONSE_VLAN_UNAVAILABLE", 24);
define("GENIRESPONSE_INSUFFICIENT_BANDWIDTH", 25);
......
......@@ -466,7 +466,7 @@ function Do_RequestExtension()
$seconds = 3600 * 24 * $granted;
$retval = SUEXEC("nobody", "nobody",
"webmanage_instance extend $uuid $seconds",
SUEXEC_ACTION_CONTINUE);
SUEXEC_ACTION_IGNORE);
}
if ($retval == 0) {
......@@ -526,10 +526,17 @@ function Do_RequestExtension()
$instance->BumpExtensionCount($granted);
}
elseif ($retval > 0) {
#
# This is an important error, tell tbops.
#
if ($retval == GENIRESPONSE_REFUSED) {
SUEXECERROR(SUEXEC_ACTION_CONTINUE);
}
SPITAJAX_ERROR(1, $suexec_output);
goto bad;
}
else {
SUEXECERROR(SUEXEC_ACTION_CONTINUE);
SPITAJAX_ERROR(-1, "Internal Error. Please try again later");
goto bad;
}
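Review bot: In the `$retval > 0` branch of Do_RequestExtension, `SPITAJAX_ERROR(1, $suexec_output);` returns the backend script's raw output to the browser for every positive exit code, while only `GENIRESPONSE_REFUSED` is reported to tbops. With the SUEXEC call switched to `SUEXEC_ACTION_IGNORE`, any other positive failure now looks to reach the user with no operator-side record. I would either call `SUEXECERROR(SUEXEC_ACTION_CONTINUE);` for all codes except the ones known to be routine, or add a comment listing which codes are intentionally silent. It is also worth confirming that `$suexec_output` carries only user-appropriate text for those codes; the function body continues outside these hunks.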
......