Bug 107 - incomplete ACL checks for routing queues
: incomplete ACL checks for routing queues
Status: NEW
Product: TORQUE
pbs_server
: 2.5.x
: PC Linux
: P5 enhancement
Assigned To: Glen
:
:
:
  Show dependency treegraph
 
Reported: 2010-12-23 03:05 MST by thzeiser
Modified: 2010-12-23 03:05 MST (History)
1 user (show)

See Also:


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description thzeiser 2010-12-23 03:05:40 MST
The function svr_chkque() in server/svr_jobfunc.c does not execute all ACL
checks for routing queues; in particular the group ACL is only checked for
execution queues:
   * 1. If the queue is an Execution queue ...
      /* 1f. if enabled, check the queue's group ACL */

Thus, routing queues can only be restricted on the basis of *user* ACLs as user
ACLs are checked later as "5. if enabled, check the queue's user ACL" for any
queue type. 

To enable group ACLs (and acl_logic_or=true) also for routing queues, the check
"1f. if enabled, check the queue's group ACL" probably should be done for any
queue type. "5.5. if failed user and group acls, fail" also only makes sense if
"1f" is executed for any queue type (because otherwise failed_group_acl cannot
be set for any non-execution queue)