From 1d04a8b09d859c8480671f30eecdc5c75e3701a5 Mon Sep 17 00:00:00 2001
From: Danny Auble <da@schedmd.com>
Date: Fri, 19 Dec 2014 11:51:57 -0800
Subject: [PATCH] Move DBD auth check for WCKey operations into the plugin
 instead of only in the DBD.  We also make it possible for Operators to manage
 WCKeys instead of just admins.

---
 .../accounting_storage/mysql/as_mysql_wckey.c |  8 +++++
 src/slurmdbd/proc_req.c                       | 35 ++-----------------
 2 files changed, 11 insertions(+), 32 deletions(-)

diff --git a/src/plugins/accounting_storage/mysql/as_mysql_wckey.c b/src/plugins/accounting_storage/mysql/as_mysql_wckey.c
index 839a79d1d4a..1362a31868b 100644
--- a/src/plugins/accounting_storage/mysql/as_mysql_wckey.c
+++ b/src/plugins/accounting_storage/mysql/as_mysql_wckey.c
@@ -504,6 +504,9 @@ extern int as_mysql_add_wckeys(mysql_conn_t *mysql_conn, uint32_t uid,
 	if (check_connection(mysql_conn) != SLURM_SUCCESS)
 		return ESLURM_DB_CONNECTION;
 
+	if (!is_user_min_admin_level(mysql_conn, uid, SLURMDB_ADMIN_OPERATOR))
+		return ESLURM_ACCESS_DENIED;
+
 	user_name = uid_to_string((uid_t) uid);
 	itr = list_iterator_create(wckey_list);
 	while ((object = list_next(itr))) {
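Review bot: The modify path appears to be left without any privilege check. The `is_user_min_admin_level()` guard added here and the one in the as_mysql_remove_wckeys hunk account for all 8 insertions in this file, while the proc_req.c hunks delete the DBD-side check from `_modify_wckeys` as well as from `_add_wckeys` and `_remove_wckeys`. Unless the plugin's modify function already enforces a level outside this patch, DBD_MODIFY_WCKEYS would be accepted from any user who can reach slurmdbd. Either add the same `if (!is_user_min_admin_level(mysql_conn, uid, SLURMDB_ADMIN_OPERATOR))` test there, returning in whatever form matches that function, or keep the DBD check for modify until it is in place. as_mysql_add_wckeys starts and ends outside the hunk.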
@@ -737,6 +740,11 @@ extern List as_mysql_remove_wckeys(mysql_conn_t *mysql_conn,
 	if (check_connection(mysql_conn) != SLURM_SUCCESS)
 		return NULL;
 
+	if (!is_user_min_admin_level(mysql_conn, uid, SLURMDB_ADMIN_OPERATOR)) {
+		errno = ESLURM_ACCESS_DENIED;
+		return NULL;
+	}
+
 	(void) _setup_wckey_cond_limits(wckey_cond, &extra);
 
 	if (wckey_cond->cluster_list && list_count(wckey_cond->cluster_list))
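Review bot: The refusal at the added `errno = ESLURM_ACCESS_DENIED; return NULL;` is silent and can only be told apart through errno, since the `check_connection()` failure just above also returns NULL and sets no errno in the visible lines. The DBD check removed from `_remove_wckeys` logged every refused request with `error("CONN:%u %s", ...)`, so that audit trail is lost unless the plugin logs it. Consider logging before the return, for example `error("UID %u tried to remove wckeys without operator privilege", uid);`, assuming uid is the same uint32_t as in as_mysql_add_wckeys. Also confirm that the caller in proc_req.c turns this errno into an ESLURM_ACCESS_DENIED reply rather than a generic failure. The same loss of logging applies to the check added in as_mysql_add_wckeys, and this function's body continues outside the hunk.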
diff --git a/src/slurmdbd/proc_req.c b/src/slurmdbd/proc_req.c
index 1224ed3cdd0..f0492aae0cf 100644
--- a/src/slurmdbd/proc_req.c
+++ b/src/slurmdbd/proc_req.c
@@ -838,14 +838,6 @@ static int _add_wckeys(slurmdbd_conn_t *slurmdbd_conn,
 	char *comment = NULL;
 
 	debug2("DBD_ADD_WCKEYS: called");
-	if ((*uid != slurmdbd_conf->slurm_user_id && *uid != 0)
-	    && assoc_mgr_get_admin_level(slurmdbd_conn->db_conn, *uid)
-	    < SLURMDB_ADMIN_SUPER_USER) {
-		comment = "Your user doesn't have privilege to perform this action";
-		error("CONN:%u %s", slurmdbd_conn->newsockfd, comment);
-		rc = ESLURM_ACCESS_DENIED;
-		goto end_it;
-	}
 
 	if (slurmdbd_unpack_list_msg(&get_msg, slurmdbd_conn->rpc_version,
 				     DBD_ADD_WCKEYS, in_buffer) !=
@@ -1644,6 +1636,9 @@ static int _get_wckeys(slurmdbd_conn_t *slurmdbd_conn,
 
 	debug2("DBD_GET_WCKEYS: called");
 
+	/* We have to check this here, and not in the plugin.  There
+	 * are places in the plugin that a non-admin can call this and
+	 * it be ok. */
 	if ((*uid != slurmdbd_conf->slurm_user_id && *uid != 0)
 	    && assoc_mgr_get_admin_level(slurmdbd_conn->db_conn, *uid)
 	    < SLURMDB_ADMIN_OPERATOR) {
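Review bot: The added comment says why the check stays in the DBD but not what a maintainer must preserve. It would help to state that this is the only privilege check on the get path, e.g. `/* Authorization for DBD_GET_WCKEYS is enforced here only: the plugin's get path is also reached for non-admin users, so it cannot require operator level itself. */`. It is also worth recording that, after this patch, this is the only WCKey handler that still rejects a caller before unpacking the request. In the `_add_wckeys` hunk the removed check sat ahead of `slurmdbd_unpack_list_msg()`, so the add, modify and remove handlers now parse the message first and rely on the plugin for the decision. The condition and the rest of _get_wckeys continue outside the hunk.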
@@ -2509,18 +2504,6 @@ static int   _modify_wckeys(slurmdbd_conn_t *slurmdbd_conn,
 
 	debug2("DBD_MODIFY_WCKEYS: called");
 
-	if ((*uid != slurmdbd_conf->slurm_user_id && *uid != 0)
-	    && assoc_mgr_get_admin_level(slurmdbd_conn->db_conn, *uid)
-	    < SLURMDB_ADMIN_SUPER_USER) {
-		comment = "Your user doesn't have privilege to perform this action";
-		error("CONN:%u %s", slurmdbd_conn->newsockfd, comment);
-		*out_buffer = make_dbd_rc_msg(slurmdbd_conn->rpc_version,
-					      ESLURM_ACCESS_DENIED,
-					      comment, DBD_MODIFY_WCKEYS);
-
-		return ESLURM_ACCESS_DENIED;
-	}
-
 	if (slurmdbd_unpack_modify_msg(&get_msg, slurmdbd_conn->rpc_version,
 				       DBD_MODIFY_WCKEYS,
 				       in_buffer) != SLURM_SUCCESS) {
@@ -3346,18 +3329,6 @@ static int   _remove_wckeys(slurmdbd_conn_t *slurmdbd_conn,
 
 	debug2("DBD_REMOVE_WCKEYS: called");
 
-	if ((*uid != slurmdbd_conf->slurm_user_id && *uid != 0)
-	    && assoc_mgr_get_admin_level(slurmdbd_conn->db_conn, *uid)
-	    < SLURMDB_ADMIN_SUPER_USER) {
-		comment = "Your user doesn't have privilege to perform this action";
-		error("CONN:%u %s", slurmdbd_conn->newsockfd, comment);
-		*out_buffer = make_dbd_rc_msg(slurmdbd_conn->rpc_version,
-					      ESLURM_ACCESS_DENIED,
-					      comment, DBD_REMOVE_WCKEYS);
-
-		return ESLURM_ACCESS_DENIED;
-	}
-
 	if (slurmdbd_unpack_cond_msg(&get_msg, slurmdbd_conn->rpc_version,
 				     DBD_REMOVE_WCKEYS,
 				     in_buffer) != SLURM_SUCCESS) {
-- 
GitLab