
Workspace Management Service

lcmaps_poolindex internals

There are currently 3 subcommands to lcmaps_poolindex:

-return_poolindex   "DN" [attr1] [attr2] [...]
-unlease_poolindex  "urlencoded_index"
-unquarantine       "local_acct" | "urlencoded_index"

lcmaps_poolindex CURRENT

Overarching flow:

  • -return_poolindex

    No setuid option currently (no matter what the SETUID define statements are, it runs as globus).

    1. args parsed
    2. pass args on to LCMAPS
    3. communicate result by stdout/exit-code

  • -unlease_dnattr

    Not used! Here for demonstration only. It should be removed before release, forcing the caller to keep track of the poolindex, unless LCMAPS gains a dry-run mode. The problem currently is that a lease is secured even if there wasn't one to begin with. Our GT4 code does not call this, but perhaps this interface will be useful sometime down the road, and it will be there in CVS.

    1. args parsed
    2. Finds the poolindex by securing a lease via LCMAPS (!!), the same path -return_poolindex takes
    3. Calls the internal functionality that -unlease_poolindex uses

  • -unlease_poolindex

    Note: for setuid to work by dropping and re-elevating privilege, the script itself has to have the setuid bit set (and the program must be owned by root), and we must use the non-POSIX but widely deployed Linux seteuid(). Otherwise, once you setuid() there is no 'coming back'.

    1. If RUN_EXPIRY_SETUID is defined, the first thing that happens is that the effective ID is set to the real ID (which for us would usually be the globus user), not root.
    2. The account is quarantined
    3. unlink poolindex is called, which returns the UID of the poolaccount
    4. If EXPIRY_PROG is not defined, DONE
      • If DO_QUARANTINE is defined, leaves the quarantine
      • If not, removes the temporary quarantine
    5. If EXPIRY_PROG is defined, runs the expire pooluser callout
      • Sanity checks on the program are performed
      • $EXPIRY_PROG is run
        • If RUN_EXPIRY_SETUID is defined, executes as that UID
        • If not, executes as globus
      • If $EXPIRY_PROG returns success:
        • If DO_QUARANTINE is defined, leaves the quarantine
        • If not, removes the temporary quarantine
      • If $EXPIRY_PROG returns failure:
        • Leaves temporary quarantine in place, poolaccount is unleasable

  • -unquarantine

    Unlinks the quarantine file; no setuid is possible (no matter what the SETUID define statements are, it runs as globus).