Commit cde7de5a authored by Leigh Stoller's avatar Leigh Stoller

Change the CM to allow an admin override on extending slices that include

pre-reserved or sched-reserved nodes. I do this by adding a privilege to
the credential we create in APT_Instance::Extend(), so technically anyone
can do this, but I also send email to the local tbops list when it happens,
so we will see abuse right away.
parent eb9f95f0
......@@ -1415,9 +1415,9 @@ sub Terminate($)
#
# Ask to extend.
#
sub Extend($$)
sub Extend($$$)
{
my ($self, $new_expires) = @_;
my ($self, $new_expires, $this_user) = @_;
my $credentials;
my $method;
my @params;
......@@ -1441,8 +1441,12 @@ sub Extend($$)
$new_expires, {});
}
else {
my @privs = ();
if ($this_user->IsAdmin()) {
@privs = ("control", "admin");
}
my ($slice_credential, $speaksfor_credential) =
APT_Geni::GenCredentials($slice, $geniuser, undef, 1);
APT_Geni::GenCredentials($slice, $geniuser, \@privs, 1);
return undef
if (!defined($slice_credential));
......
......@@ -1590,7 +1590,7 @@ sub RunStitcher()
$aggobj->SetManifest($manifest);
print "Forcing correct slice expiration\n";
my $response = $aggobj->Extend($slice->ExpirationGMT());
my $response = $aggobj->Extend($slice->ExpirationGMT(), $this_user);
if (!defined($response) ||
$response->code() != GENIRESPONSE_SUCCESS) {
$aggobj->SetStatus("failed");
......
......@@ -1162,6 +1162,7 @@ sub DoExtend()
{
my $force = 0;
my $lockdown = 0;
my $errcode = -1;
usage()
if (!@ARGV);
......@@ -1190,10 +1191,12 @@ sub DoExtend()
#
# Lock the slice in case it is doing something else, like taking
# a disk image.
# a disk image. This happens all the time, users are silly. Lets
# stop the email about it.
#
if ($slice->Lock()) {
fatal("Slice is busy, cannot lock it");
print STDERR "Experiment is busy, cannot lock it. Try again later.\n";
exit(GENIRESPONSE_BUSY);
}
# Save in case of error.
my $oldexpires = $slice->expires();
......@@ -1214,7 +1217,7 @@ sub DoExtend()
my $domain = $sliver->domain();
my $errmsg;
my $response = $sliver->Extend($new_expires);
my $response = $sliver->Extend($new_expires, $this_user);
if (!defined($response)) {
$errmsg = "Internal error calling Renew at $domain";
goto bad;
......@@ -1222,11 +1225,12 @@ sub DoExtend()
if ($response->code() != GENIRESPONSE_SUCCESS) {
# This is something the user should see.
if ($response->code() == GENIRESPONSE_REFUSED ||
$response->code() == GENIRESPONSE_SERVER_UNAVAILABLE ||
$response->code() == GENIRESPONSE_BUSY) {
print STDERR $response->output() . "\n";
# For web interface.
$webtask->output($response->output());
$webtask->Exited(1);
$webtask->Exited($response->code());
return 1;
}
$errmsg = "Failed to extend slice at $domain: ".
......@@ -1255,9 +1259,13 @@ sub DoExtend()
#
# Check the exit codes.
#
foreach my $code (@return_codes) {
foreach my $agg (@agglist) {
my $code = shift(@return_codes);
if ($code) {
print STDERR "Some slivers could not be extended\n";
$agg->webtask()->Refresh();
print STDERR "Some slivers could not be extended.\n";
$errcode = $agg->webtask()->exitcode();
goto bad;
}
}
......@@ -1278,7 +1286,7 @@ sub DoExtend()
# Reset back to original expiration, sorry.
$slice->SetExpiration($oldexpires);
$slice->UnLock();
exit(-1);
exit($errcode);
}
#
......@@ -1374,6 +1382,7 @@ sub DoRefresh()
my $code = shift(@return_codes);
if ($code) {
$agg->webtask()->Refresh();
$errmsg = "Some slivers could not be refreshed";
if ($agg->webtask()->output()) {
$errmsg .= ": " . $agg->webtask()->output();
......@@ -2101,6 +2110,7 @@ sub DoLinktest()
#
foreach my $agg (@agglist) {
my $code = shift(@return_codes);
$agg->webtask()->Refresh();
if ($code) {
$errmsg = "Could not $action linktest on some slivers";
if ($agg->webtask()->output()) {
......@@ -2298,6 +2308,7 @@ sub DoUpdateKeys()
#
foreach my $agg (@agglist) {
my $code = shift(@return_codes);
$agg->webtask()->Refresh();
if ($code) {
$errmsg = "Could not update keys on some slivers";
if ($agg->webtask()->output()) {
......
#!/usr/bin/perl -wT
#
# Copyright (c) 2008-2015 University of Utah and the Flux Group.
# Copyright (c) 2008-2016 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
......@@ -4792,14 +4792,33 @@ sub RenewSliverAux($$$)
if (defined($pnode->reserved_pid()) &&
$pnode->reserved_pid() ne $slice_experiment->pid()) {
$slice->UnLock();
return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
"Refused cause $pnodeid is pre-reserved");
if ($credential->HasActualPrivilege("admin")) {
SENDMAIL($TBOPS, "Admin override on pre-reserved node!",
"Admin override on pre-reserved node $pnodeid\n".
"while extending $slice\n",
$TBOPS);
print STDERR "Admin override on pre-reserved node $pnodeid!\n";
}
else {
$slice->UnLock();
return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
"Refused cause $pnodeid is pre-reserved.");
}
}
if (defined($pnode->NextReservation())) {
$slice->UnLock();
return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
"Refused cause $pnodeid is sched-reserved");
if ($credential->HasActualPrivilege("admin")) {
SENDMAIL($TBOPS, "Admin override on sched-reserved node!",
"Admin override on sched-reserved node $pnodeid\n".
"while extending $slice\n",
$TBOPS);
print STDERR "Admin override on sched-reserved ".
"node $pnodeid!\n";
}
else {
$slice->UnLock();
return GeniResponse->Create(GENIRESPONSE_REFUSED, undef,
"Refused cause $pnodeid is sched-reserved.");
}
}
}
......
......@@ -56,6 +56,7 @@ $geni_response_codes =
"No Mapping Possible",
);
define("GENIRESPONSE_BADARGS", 1);
define("GENIRESPONSE_REFUSED", 7);
define("GENIRESPONSE_TIMEDOUT", 8);
define("GENIRESPONSE_VLAN_UNAVAILABLE", 24);
define("GENIRESPONSE_INSUFFICIENT_BANDWIDTH", 25);
......
......@@ -466,7 +466,7 @@ function Do_RequestExtension()
$seconds = 3600 * 24 * $granted;
$retval = SUEXEC("nobody", "nobody",
"webmanage_instance extend $uuid $seconds",
SUEXEC_ACTION_CONTINUE);
SUEXEC_ACTION_IGNORE);
}
if ($retval == 0) {
......@@ -526,10 +526,17 @@ function Do_RequestExtension()
$instance->BumpExtensionCount($granted);
}
elseif ($retval > 0) {
#
# This is an important error, tell tbops.
#
if ($retval == GENIRESPONSE_REFUSED) {
SUEXECERROR(SUEXEC_ACTION_CONTINUE);
}
SPITAJAX_ERROR(1, $suexec_output);
goto bad;
}
else {
SUEXECERROR(SUEXEC_ACTION_CONTINUE);
SPITAJAX_ERROR(-1, "Internal Error. Please try again later");
goto bad;
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment