[gold-users] Authorization Issue of gold.

Scott Jackson scottmo at adaptivecomputing.com
Mon May 2 14:49:43 MDT 2011


I suppose I have another theory then. Check on who owns the grmalloc (and other) command. Is it owned by root or golduser? What are the permissions?

When you run grmalloc, it runs Gold::Bank->delete which runs Gold::Base->delete. Gold::Base->delete tries to remove all dependent associations (such as ReservationAllocations related to the allocations being deleted).

It does this by building up a new Gold::Request which it does not specify an actor for, so it must be taking the default actor as in:

 _actor  => $arg{actor}  || (getpwuid($<))[0],    # SCALAR

This should be the real uid of the process (the uid you came from if you're running setuid).

Hmmmm... my theory is weakening. What is the uid of golduser? It wouldn't be 0 (zero) would it?

Please show me the output of "ls -l `which grmalloc`" and "id golduser".

Also, please send the gold.log and goldd.log capturing the failed grmalloc at TRACE level.

Thanks,

Scott

----- Original Message -----
> From: "Dheeraj KV" <kvdheeraj at indiatimes.com>
> To: "Gold Users Mailing List" <gold-users at supercluster.org>
> Cc: scottmo at adaptivecomputing.com
> Sent: Friday, April 29, 2011 12:51:51 AM
> Subject: Re: [gold-users] Authorization Issue of gold.
> Hi
> 
> Super user is already golduser. Still the command doesn't work.
> Command executes successfully only if root is a SystemAdmin.
> If you have any other solution please help us.
> 
> Regards
> Dheeraj K V
> 
> 
> 
> ----- Original Message -----
> From: Scott Jackson <scottmo at adaptivecomputing.com>
> To: Gold Users Mailing List <gold-users at supercluster.org>
> Sent: Fri, 29 Apr 2011 02:46:54 +0530 (IST)
> Subject: Re: [gold-users] Authorization Issue of gold.
> 
> Dheeraj,
> 
> Change your goldd.conf to specify super.user = golduser . Then restart goldd.
> Certain actions in gold call other actions with elevated privileges.
> It uses the configured super.user value as the user to run the subcommands as.
> 
> Let me know if this does not work.
> 
> Thanks,
> 
> Scott
> 
> ----- Original Message -----
> > From: "Dheeraj KV" <kvdheeraj at indiatimes.com>
> > To: gold-users at supercluster.org
> > Sent: Thursday, April 28, 2011 2:25:19 AM
> > Subject: [gold-users] Authorization Issue of gold.
> > Hi
> > We have created a separate user named golduser and have given
> > permission for SystemAdmin and Scheduler. Instead of running a command
> > as root, we want it to run as golduser.
> > The schema for g_role_user is given below:
> > mysql> select * from g_role_user;
> > +-------------+----------+-----------+-----------------+---------------------+--------------+------------------+
> > | g_role      | g_name   | g_deleted | g_creation_time | g_modification_time | g_request_id | g_transaction_id |
> > +-------------+----------+-----------+-----------------+---------------------+--------------+------------------+
> > | SystemAdmin | root     | True      | 1300428369      | 1303970222          | 728          | 455              |
> > | Scheduler   | root     | True      | 1300428369      | 1303978237          | 946          | 597              |
> > | Anonymous   | ANY      | False     | 1300428369      | 1300428369          | 0            | 0                |
> > | OVERRIDE    | ANY      | False     | 1300428369      | 1300428369          | 257          | 257              |
> > | SystemAdmin | golduser | False     | 1303715186      | 1303715186          | 319          | 323              |
> > | Scheduler   | golduser | False     | 1303975821      | 1303975821          | 932          | 590              |
> > +-------------+----------+-----------+-----------------+---------------------+--------------+------------------+
> > and g_role_action is
> > mysql> select * from g_role_action;
> > +--------------+-----------------------+---------+------------+-----------+-----------------+---------------------+--------------+------------------+
> > | g_role       | g_object              | g_name  | g_instance | g_deleted | g_creation_time | g_modification_time | g_request_id | g_transaction_id |
> > +--------------+-----------------------+---------+------------+-----------+-----------------+---------------------+--------------+------------------+
> > | SystemAdmin  | ANY                   | ANY     | ANY        | False     | 1300428369      | 1300428369          | 0            | 0                |
> > | Anonymous    | ANY                   | Query   | ANY        | False     | 1300428369      | 1300428369          | 0            | 0                |
> > | Anonymous    | Password              | ANY     | SELF       | False     | 1300428369      | 1300428369          | 0            | 0                |
> > | Anonymous    | Account               | Balance | ANY        | False     | 1300428369      | 1300428369          | 243          | 243              |
> > | ProjectAdmin | Project               | ANY     | ADMIN      | False     | 1300428369      | 1300428369          | 245          | 245              |
> > | UserServices | Job                   | Refund  | ANY        | False     | 1300428369      | 1300428369          | 247          | 247              |
> > | UserServices | User                  | ANY     | ANY        | False     | 1300428369      | 1300428369          | 248          | 248              |
> > | UserServices | Machine               | ANY     | ANY        | False     | 1300428369      | 1300428369          | 249          | 249              |
> > | UserServices | Project               | ANY     | ANY        | False     | 1300428369      | 1300428369          | 250          | 250              |
> > | UserServices | ProjectUser           | ANY     | ANY        | False     | 1300428369      | 1300428369          | 251          | 251              |
> > | UserServices | ProjectMachine        | ANY     | ANY        | False     | 1300428369      | 1300428369          | 252          | 252              |
> > | Scheduler    | Job                   | Charge  | ANY        | False     | 1300428369      | 1300428369          | 254          | 254              |
> > | Scheduler    | Job                   | Quote   | ANY        | False     | 1300428369      | 1300428369          | 255          | 255              |
> > | Scheduler    | Job                   | Reserve | ANY        | False     | 1300428369      | 1300428369          | 256          | 256              |
> > | Scheduler    | Reservation           | Delete  | ANY        | False     | 1300428369      | 1300428369          | 257          | 257              |
> > | OVERRIDE     | Account               | Balance | ANY        | False     | 1300428369      | 1300428369          | 258          | 258              |
> > | Scheduler    | ReservationAllocation | Delete  | ANY        | False     | 1303978505      | 1303978505          | 952          | 605              |
> > +--------------+-----------------------+---------+------------+-----------+-----------------+---------------------+--------------+------------------+
> > 17 rows in set (0.00 sec)
> >
> > But when firing the below given command as golduser we are getting the error.
> > golduser at cmsn0 ~]$ grmalloc -i 4
> > root is not authorized to perform this function (ReservationAllocation Delete)
> >
> > We are using Gold version 2.1.12.2. and permission of gold commands are
> > -rwxr-xr-x. 1 root root 6262 2011-03-18 11:36 /opt/gold/bin/grmaccount
> > -rwxr-xr-x. 1 root root 6608 2011-03-18 11:36 /opt/gold/bin/grmalloc
> > -rwxr-xr-x. 1 root root 6275 2011-03-18 11:36 /opt/gold/bin/grmmachine
> > -rwxr-xr-x. 1 root root 6275 2011-03-18 11:36 /opt/gold/bin/grmproject
> > -rwxr-xr-x. 1 root root 6525 2011-03-18 11:36 /opt/gold/bin/grmquote
> > -rwxr-xr-x. 1 root root 6816 2011-03-18 11:36 /opt/gold/bin/grmres
> > -rwxr-xr-x. 1 root root 6225 2011-03-18 11:36 /opt/gold/bin/grmuser
> >
> > Any kind of input is much appreciated.
> >
> > Thanks
> > Dheeraj K V
> >
> >
> >
> > _______________________________________________
> > gold-users mailing list
> > gold-users at supercluster.org
> > http://www.supercluster.org/mailman/listinfo/gold-users
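
The diagnosis in this thread depends on which actor name the sub-request carries. As an added illustration (not part of the original messages and not Gold's own code), the following Python model loads the role rows quoted above into SQLite and lists which active roles grant an action to an actor. The wildcard and soft-delete semantics, and the names `build_db` and `granting_roles`, are assumptions.

```python
import sqlite3

# Rows copied from the g_role_user and g_role_action output quoted in the thread.
# Only the columns this check needs are kept; g_instance (SELF, ADMIN) is ignored.
ROLE_USER = [  # (g_role, g_name, g_deleted)
    ("SystemAdmin", "root", "True"), ("Scheduler", "root", "True"),
    ("Anonymous", "ANY", "False"), ("OVERRIDE", "ANY", "False"),
    ("SystemAdmin", "golduser", "False"), ("Scheduler", "golduser", "False"),
]
ROLE_ACTION = [  # (g_role, g_object, g_name); every row has g_deleted = False
    ("SystemAdmin", "ANY", "ANY"), ("Anonymous", "ANY", "Query"),
    ("Anonymous", "Password", "ANY"), ("Anonymous", "Account", "Balance"),
    ("ProjectAdmin", "Project", "ANY"), ("UserServices", "Job", "Refund"),
    ("UserServices", "User", "ANY"), ("UserServices", "Machine", "ANY"),
    ("UserServices", "Project", "ANY"), ("UserServices", "ProjectUser", "ANY"),
    ("UserServices", "ProjectMachine", "ANY"), ("Scheduler", "Job", "Charge"),
    ("Scheduler", "Job", "Quote"), ("Scheduler", "Job", "Reserve"),
    ("Scheduler", "Reservation", "Delete"), ("OVERRIDE", "Account", "Balance"),
    ("Scheduler", "ReservationAllocation", "Delete"),
]

# Assumed semantics (a simplified model, not Gold's implementation):
# rows with g_deleted = 'True' are inactive, and ANY is a wildcard.
QUERY = """
SELECT DISTINCT ru.g_role
FROM g_role_user ru JOIN g_role_action ra ON ra.g_role = ru.g_role
WHERE ru.g_deleted = 'False' AND ra.g_deleted = 'False'
  AND ru.g_name   IN (?, 'ANY')
  AND ra.g_object IN (?, 'ANY')
  AND ra.g_name   IN (?, 'ANY')
ORDER BY ru.g_role
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE g_role_user (g_role, g_name, g_deleted)")
    db.execute("CREATE TABLE g_role_action (g_role, g_object, g_name, g_deleted)")
    db.executemany("INSERT INTO g_role_user VALUES (?, ?, ?)", ROLE_USER)
    db.executemany("INSERT INTO g_role_action VALUES (?, ?, ?, 'False')", ROLE_ACTION)
    return db

def granting_roles(db, actor, obj, action):
    """Return the active roles that let `actor` perform `action` on `obj`."""
    return [row[0] for row in db.execute(QUERY, (actor, obj, action))]

if __name__ == "__main__":
    db = build_db()
    for actor in ("root", "golduser"):
        roles = granting_roles(db, actor, "ReservationAllocation", "Delete")
        print(actor, "->", roles or "not authorized")
```

Under this model root holds no active role that covers ReservationAllocation Delete, while golduser is covered by both SystemAdmin and Scheduler, so the failure points at the actor name attached to the request rather than at golduser's grants.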

