[torquedev] [Bug 107] New: incomplete ACL checks for routing queues

bugzilla-daemon at supercluster.org bugzilla-daemon at supercluster.org
Thu Dec 23 03:05:41 MST 2010


http://www.clusterresources.com/bugzilla/show_bug.cgi?id=107

           Summary: incomplete ACL checks for routing queues
           Product: TORQUE
           Version: 2.5.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: pbs_server
        AssignedTo: glen.beane at gmail.com
        ReportedBy: thzeiser at gmail.com
                CC: torquedev at supercluster.org
   Estimated Hours: 0.0


The function svr_chkque() in server/svr_jobfunc.c does not execute all ACL
checks for routing queues; in particular the group ACL is only checked for
execution queues:
   * 1. If the queue is an Execution queue ...
      /* 1f. if enabled, check the queue's group ACL */

Thus, routing queues can only be restricted on the basis of *user* ACLs as user
ACLs are checked later as "5. if enabled, check the queue's user ACL" for any
queue type. 

To enable group ACLs (and acl_logic_or=true) also for routing queues, the check
"1f. if enabled, check the queue's group ACL" probably should be done for any
queue type. "5.5. if failed user and group acls, fail" also only makes sense if
"1f" is executed for any queue type (because otherwise failed_group_acl cannot
be set for any non-execution queue)

-- 
Configure bugmail: http://www.clusterresources.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


More information about the torquedev mailing list