Move DBD auth check for accounts into the plugin instead of only in the DBD

cb8e7a87 · Danny Auble · 60266e8f · cb8e7a87 · cb8e7a87
Commit cb8e7a87 authored 10 years ago by Danny Auble
--- a/src/plugins/accounting_storage/mysql/as_mysql_acct.c
+++ b/src/plugins/accounting_storage/mysql/as_mysql_acct.c
@@ -136,6 +136,24 @@ extern int as_mysql_add_accts(mysql_conn_t *mysql_conn, uint32_t uid,
 	if (check_connection(mysql_conn) != SLURM_SUCCESS)
 		return ESLURM_DB_CONNECTION;

+	if (!is_user_min_admin_level(mysql_conn, uid, SLURMDB_ADMIN_OPERATOR)) {
+		slurmdb_user_rec_t user;
+
+		memset(&user, 0, sizeof(slurmdb_user_rec_t));
+		user.uid = uid;
+
+		if (!is_user_any_coord(mysql_conn, &user)) {
+			error("Only admins/operators/coordinators "
+			      "can add accounts");
+			return ESLURM_ACCESS_DENIED;
+		}
+		/* If the user is a coord of any acct they can add
+		 * accounts they are only able to make associations to
+		 * these accounts if they are coordinators of the
+		 * parent they are trying to add to
+		 */
+	}
+
 	user_name = uid_to_string((uid_t) uid);
 	itr = list_iterator_create(acct_list);
 	while ((object = list_next(itr))) {
@@ -261,6 +279,11 @@ extern List as_mysql_modify_accts(mysql_conn_t *mysql_conn, uint32_t uid,
 	if (check_connection(mysql_conn) != SLURM_SUCCESS)
 		return NULL;

+	if (!is_user_min_admin_level(mysql_conn, uid, SLURMDB_ADMIN_OPERATOR)) {
+		errno = ESLURM_ACCESS_DENIED;
+		return NULL;
+	}
+
 	xstrcat(extra, "where deleted=0");
 	if (acct_cond->assoc_cond
 	    && acct_cond->assoc_cond->acct_list
@@ -399,6 +422,11 @@ extern List as_mysql_remove_accts(mysql_conn_t *mysql_conn, uint32_t uid,
 	if (check_connection(mysql_conn) != SLURM_SUCCESS)
 		return NULL;

+	if (!is_user_min_admin_level(mysql_conn, uid, SLURMDB_ADMIN_OPERATOR)) {
+		errno = ESLURM_ACCESS_DENIED;
+		return NULL;
+	}
+
 	xstrcat(extra, "where deleted=0");
 	if (acct_cond->assoc_cond
 	    && acct_cond->assoc_cond->acct_list

--- a/src/slurmdbd/proc_req.c
+++ b/src/slurmdbd/proc_req.c
@@ -530,33 +530,6 @@ static int _add_accounts(slurmdbd_conn_t *slurmdbd_conn,
 	char *comment = NULL;

 	debug2("DBD_ADD_ACCOUNTS: called");
-	if ((*uid != slurmdbd_conf->slurm_user_id && *uid != 0)
-	    && assoc_mgr_get_admin_level(slurmdbd_conn->db_conn, *uid)
-	    < SLURMDB_ADMIN_OPERATOR) {
-		slurmdb_user_rec_t user;
-
-		memset(&user, 0, sizeof(slurmdb_user_rec_t));
-		user.uid = *uid;
-		if (assoc_mgr_fill_in_user(
-			    slurmdbd_conn->db_conn, &user, 1, NULL)
-		    != SLURM_SUCCESS) {
-			comment = "Your user has not been added to the accounting system yet.";
-			error("CONN:%u %s", slurmdbd_conn->newsockfd, comment);
-			rc = SLURM_ERROR;
-			goto end_it;
-		}
-		if (!user.coord_accts || !list_count(user.coord_accts)) {
-			comment = "Your user doesn't have privilege to perform this action";
-			error("CONN:%u %s", slurmdbd_conn->newsockfd, comment);
-			rc = ESLURM_ACCESS_DENIED;
-			goto end_it;
-		}
-		/* If the user is a coord of any acct they can add
-		 * accounts they are only able to make associations to
-		 * these accounts if they are coordinators of the
-		 * parent they are trying to add to
-		 */
-	}

 	if (slurmdbd_unpack_list_msg(&get_msg, slurmdbd_conn->rpc_version,
 				     DBD_ADD_ACCOUNTS, in_buffer) !=
@@ -569,6 +542,8 @@ static int _add_accounts(slurmdbd_conn_t *slurmdbd_conn,

 	rc = acct_storage_g_add_accounts(slurmdbd_conn->db_conn, *uid,
 					 get_msg->my_list);
+	if (rc == ESLURM_ACCESS_DENIED)
+		comment = "Your user doesn't have privilege to perform this action";
 end_it:
 	slurmdbd_free_list_msg(get_msg);
 	*out_buffer = make_dbd_rc_msg(slurmdbd_conn->rpc_version,
@@ -2092,18 +2067,6 @@ static int   _modify_accounts(slurmdbd_conn_t *slurmdbd_conn,

 	debug2("DBD_MODIFY_ACCOUNTS: called");

-	if ((*uid != slurmdbd_conf->slurm_user_id && *uid != 0)
-	    && assoc_mgr_get_admin_level(slurmdbd_conn->db_conn, *uid)
-	    < SLURMDB_ADMIN_OPERATOR) {
-		comment = "Your user doesn't have privilege to perform this action";
-		error("CONN:%u %s", slurmdbd_conn->newsockfd, comment);
-		*out_buffer = make_dbd_rc_msg(slurmdbd_conn->rpc_version,
-					      ESLURM_ACCESS_DENIED,
-					      comment, DBD_MODIFY_ACCOUNTS);
-
-		return ESLURM_ACCESS_DENIED;
-	}
-
 	if (slurmdbd_unpack_modify_msg(&get_msg, slurmdbd_conn->rpc_version,
 				       DBD_MODIFY_ACCOUNTS,
 				       in_buffer) != SLURM_SUCCESS) {
@@ -3040,18 +3003,6 @@ static int   _remove_accounts(slurmdbd_conn_t *slurmdbd_conn,

 	debug2("DBD_REMOVE_ACCOUNTS: called");

-	if ((*uid != slurmdbd_conf->slurm_user_id && *uid != 0)
-	    && assoc_mgr_get_admin_level(slurmdbd_conn->db_conn, *uid)
-	    < SLURMDB_ADMIN_OPERATOR) {
-		comment = "Your user doesn't have privilege to perform this action";
-		error("CONN:%u %s", slurmdbd_conn->newsockfd, comment);
-		*out_buffer = make_dbd_rc_msg(slurmdbd_conn->rpc_version,
-					      ESLURM_ACCESS_DENIED,
-					      comment, DBD_REMOVE_ACCOUNTS);
-
-		return ESLURM_ACCESS_DENIED;
-	}
-
 	if (slurmdbd_unpack_cond_msg(&get_msg, slurmdbd_conn->rpc_version,
 				     DBD_REMOVE_ACCOUNTS,
 				     in_buffer) != SLURM_SUCCESS) {