Workspace Management Service
lcmaps_poolindex internals
There are currently 3 subcommands to lcmaps_poolindex:
-return_poolindex "DN" [attr1] [attr2] [...]
-unlease_poolindex "urlencoded_index"
-unquarantine "local_acct" | "urlencoded_index"
lcmaps_poolindex CURRENT
Overarching flow:
- -return_poolindex
  No setuid options currently (no matter what the SETUID define statements are, it runs as globus).
  - args parsed
  - pass args on to LCMAPS
  - communicate result by stdout/exit-code
- -unlease_dnattr
  Not used! Here for demonstration only. Should be removed before release, forcing the caller to keep track of the poolindex unless LCMAPS gets a dry-run mode. The current problem is that a lease is secured even if there wasn't one to begin with. Our GT4 code does not call this. But perhaps this interface will be useful sometime down the road, and it will be there in CVS.
  - args parsed
  - Find the poolindex by securing a lease via LCMAPS (!!) -return_poolindex
  - Calls the internal functionality that -unlease_poolindex uses.
- -unlease_poolindex
  Note: for setuid to work by dropping and re-elevating privileges, the program itself has to have the setuid bit set (and be owned by root), and we must use the non-POSIX but widely deployed Linux seteuid(). Otherwise, once you setuid() there is no 'coming back'.
  - if RUN_EXPIRY_SETUID is defined, the first thing that happens is that the effective ID is set to the real ID (which for us would usually be the globus user) and not root.
  - The account is quarantined
  - unlink poolindex is called, which returns the UID of the poolaccount
  - If EXPIRY_PROG is not defined, DONE
    - If DO_QUARANTINE is defined, leaves the quarantine
    - If not, removes the temporary quarantine
  - If EXPIRY_PROG is defined, runs the expire pooluser callout
    - Sanity checks on the program are performed
    - $EXPIRY_PROG is run
      - If RUN_EXPIRY_SETUID is defined, executes as that UID
      - If not, executes as globus
    - If $EXPIRY_PROG returns success:
      - If DO_QUARANTINE is defined, leaves the quarantine
      - If not, removes the temporary quarantine
    - If $EXPIRY_PROG returns failure:
      - Leaves the temporary quarantine in place; the poolaccount is unleasable
- -unquarantine
  unlinks the quarantine file; no setuid possible (no matter what the SETUID define statements are, it runs as globus)
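As an added illustration (not code from lcmaps_poolindex or LCMAPS), this C sketch shows the -unlease_poolindex privilege handling and quarantine decision described above: the seteuid()-based drop to the real UID that keeps the saved set-user-ID so re-elevation stays possible, running the expiry callout as the pool UID in a child, and what happens to the quarantine for each outcome. The function and type names, and the particular sanity checks applied to the callout path, are this example's own assumptions.

```c
#define _XOPEN_SOURCE 700
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Outcome for the pool account's quarantine after -unlease_poolindex.
 * Type and function names here are this example's own. */
typedef enum { QUARANTINE_REMOVED, QUARANTINE_KEPT } quarantine_state;

/* RUN_EXPIRY_SETUID step: make the effective UID equal the real UID
 * (the invoking user, normally globus). seteuid() leaves the saved
 * set-user-ID untouched, so the program can later go back with
 * seteuid(0); setuid() would make the drop permanent. Returns 0/-1. */
static int drop_to_real_uid(void) {
    uid_t real = getuid();
    if (seteuid(real) != 0) return -1;
    return geteuid() == real ? 0 : -1;  /* verify, don't assume */
}

/* Run the expire-pooluser callout in a child. With as_pool_uid set the
 * child switches permanently to pool_uid first (the RUN_EXPIRY_SETUID
 * case); otherwise it runs as the caller. Returns the callout's exit
 * status, or -1 if it failed the sanity checks or could not be run. */
static int run_expiry_prog(const char *prog, uid_t pool_uid, int as_pool_uid) {
    /* Sanity checks (assumed here): absolute path and executable. */
    if (prog == NULL || prog[0] != '/' || access(prog, X_OK) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (as_pool_uid && setuid(pool_uid) != 0)
            _exit(127);
        execl(prog, prog, (char *)NULL);
        _exit(127);  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Quarantine decision from the flow above: without EXPIRY_PROG, or when
 * the callout succeeds, the quarantine stays only if DO_QUARANTINE is
 * set; a failed callout always leaves it in place (account unleasable). */
static quarantine_state unlease_outcome(const char *expiry_prog, int do_quarantine,
                                        uid_t pool_uid, int run_setuid) {
    if (expiry_prog != NULL && run_expiry_prog(expiry_prog, pool_uid, run_setuid) != 0)
        return QUARANTINE_KEPT;
    return do_quarantine ? QUARANTINE_KEPT : QUARANTINE_REMOVED;
}
```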