SUNDSTRO@FINABO.BITNET (07/31/87)
Can someone give me any pointers where to find a way to test by a program or command procedure if a process has been granted a specific identifier. I've tried to find it in the manuals (microVMS) but haven't (obviously I have looked in the wrong place).

I would like to segregate some users on a LAVC to some specific nodes (processors), by granting a user an identifier that allows him/her to use one or all nodes. The cluster has a common sysuaf-file.

The simplest way to do this is to create a file with ACL's and then try to access it, but I would like to do it directly from DCL or from a program. Or is there another way to do it without separate SYSUAF-files?

Thanks in advance

Hans Sundstrom
Bitnet/Earn: SUNDSTRO@FINABO
Abo Akademi
Heat Engineering Lab.
Finland
OBERMAN@LLL-ICDC.ARPA ("Kevin Oberman, 422-6955, L-156") (07/31/87)
>Can someone give me any pointers where to find a way to test by a
>program or command procedure if a process has been granted a specific
>identifier. I've tried to find it in the manuals (microVMS) but
>haven't (obviously I have looked in the wrong place).
>
>I would like to segregate some users on a LAVC to some specific
>nodes (processors), by granting a user an identifier that allows
>him/her to use one or all nodes. The cluster has a common
>sysuaf-file.
>
>The simplest way to do this is to create a file with ACL's and then
>try to access it, but I would like to do it directly from DCL or
>from a program. Or is there another way to do it without separate
>SYSUAF-files?

The following code should do the job. (It's not very long.)

R. Kevin Oberman
Lawrence Livermore National Laboratory
arpa: oberman@lll-icdc.arpa
(415) 422-6955

Disclaimer: Neither my employer nor myself can take responsibility for the accuracy of this information. I believe it is correct, but if it's not I can only say "Sorry". I'm a rotten typist and a worse speller, so forgive any silly errors.

$ ! CHECK_CPU.COM
$ Create CONFIRM_CPU.FOR
$ DECK/DOLLAR
C     DECLARE SYSTEM SERVICE RELATED SYMBOLS
      INTEGER*4 SYS$GETSYIW
      INTEGER*4 SYS$GETJPIW
      INTEGER*4 SYS$ASCTOID
      INTEGER*4 STATUS
C
C
C     EXTERNAL DECLARATION IS AN ALTERNATIVE TO INCLUDING $SYIDEF
      EXTERNAL SYI$_NODENAME
      EXTERNAL JPI$_UIC
      EXTERNAL SS$_NORMAL
      EXTERNAL SS$_NOSUCHID
C
C
C     DEFINE ITEM LIST STRUCTURE
      STRUCTURE /ITMLST/
        UNION
          MAP
            INTEGER*2 BUFLEN
            INTEGER*2 ITMCOD
            INTEGER*4 BUFADR
            INTEGER*4 RETADR
          END MAP
          MAP
            INTEGER*4 END_LIST
          END MAP
        END UNION
      END STRUCTURE
C
C
C     DEFINE I/O STATUS BLOCK STRUCTURE
      STRUCTURE /IOSBLK/
        INTEGER*4 STS,RESERVED
      END STRUCTURE
C
C
C     DEFINE UIC AND HOLDER IDENTIFIER
      STRUCTURE /HOLDER/
        INTEGER*4 UIC,RESERVED
      END STRUCTURE
C
C
C     DEFINE NODE NAME AS TEXT STRING
      STRUCTURE /NODE_STRING/
        INTEGER*4 LENGTH,ADDRESS
      END STRUCTURE
C
C
C     DECLARE $GETSYIW ITEM LIST AND I/O STATUS BLOCK AND HOLDER
      RECORD /ITMLST/ GETSYI_LIST(2)
      RECORD /IOSBLK/ IOSB
      RECORD /HOLDER/ HOLDER
      RECORD /NODE_STRING/ NODE_NAME_STRING
C
C
C     DECLARE VARIABLES USED IN $GETSYIW ITEM LIST
      CHARACTER*15 NODENAME
      INTEGER*2 UIC_LEN
      INTEGER*4 ID,THIS_ID
      INTEGER*4 CONTEXT
C
C
C     INITIALIZE ITEM LIST FOR GETTING THE CLUSTER NODE NAME
      GETSYI_LIST(1).BUFLEN = 15
      GETSYI_LIST(1).ITMCOD = %LOC(SYI$_NODENAME)
      GETSYI_LIST(1).BUFADR = %LOC(NODENAME)
      GETSYI_LIST(1).RETADR = %LOC(NODE_NAME_STRING.LENGTH)
      GETSYI_LIST(2).END_LIST = 0
C
C
C     GET THE NODENAME
      STATUS = SYS$GETSYIW(,,,GETSYI_LIST,IOSB,,)
C     ZERO LENGTH STRING - NO CLUSTER NAME - CALL IT AUTOMATIC SUCCESS
      IF ( NODE_NAME_STRING.LENGTH .EQ. 0 ) CALL EXIT(%LOC(SS$_NORMAL))
C
C
C     FINISH SETTING UP THE NODE NAME STRING DESCIPTOR
      NODE_NAME_STRING.ADDRESS = %LOC(NODENAME)
C
C
C     MAP THE NODE NAME INTO A RIGHTS IDENTIFIER
      STATUS = SYS$ASCTOID(NODE_NAME_STRING,ID,)
C     ID = 0 ==> NO SUCH ID - CALL IT AUTOMATIC SUCCESS
      IF (ID .EQ. 0) CALL EXIT(%LOC(SS$_NORMAL))
C
C
C     INITIALIZE THE ITEM LIST FOR GETTING THE UIC
      GETSYI_LIST(1).BUFLEN = 4
      GETSYI_LIST(1).ITMCOD = %LOC(JPI$_UIC)
      GETSYI_LIST(1).BUFADR = %LOC(HOLDER.UIC)
      GETSYI_LIST(1).RETADR = %LOC(UIC_LEN)
      GETSYI_LIST(2).END_LIST = 0
C
C
C     GET THE UIC
      STATUS = SYS$GETJPIW(,,,GETSYI_LIST,IOSB,,)
C
C
C     NOW SEARCH FOR CPU NAME IN THE USERS LIST OF IDS
100   STATUS = SYS$FIND_HELD(HOLDER,THIS_ID,,CONTEXT)
C     TESTING CONTEXT IS CORRECT ONLY BECAUSE IT WORKS
      IF (CONTEXT .EQ. 0) CALL EXIT(%LOC(SS$_NOSUCHID))
      IF (THIS_ID .NE. ID) GOTO 100
      CALL EXIT(%LOC(SS$_NORMAL))
      END
$ EOD
$ Check CONFIRM_CPU.FOR
$ If CHECKSUM$CHECKSUM .eqs. "1627664138" Then GoTo OK
$ Write SYS$OUTPUT "Checksum error. CONFIRM_CPU.FOR may be corrupt!"
$ Exit
$OK:
$ Write SYS$OUTPUT "CONFIRM_CPU.FOR has been created."
$ Exit
RMANGALD@CLARKU.BITNET (08/03/87)
Listmember Hans Sundstrom (sundstro@finabo.bitnet) writes:

> Can someone give me any pointers where to find a way to test by
>a program or command procedure if a process has been granted a specific
>identifier. I've tried to find it in the manuals (microVMS) but haven't
>(obviously I have looked in the wrong place).
>
> I would like to segregate some users on a LAVC to some specific
>nodes (processors), by granting a user an identifier that allows him/her
>to use one or all nodes. The cluster has a common SYSUAF.
>
> The simplest way to do this is to create a file with ACL's and
>then try to access it, but I would like to do it directly from DCL or
>from a program. Or is there another way to do it without separate
>SYSUAF?

--------------------------------

Hans:

There is a DCL lexical function called F$IDENTIFIER, which may be what you are looking for. I don't know much about it, so I can't give any further details; sorry if you already knew about it.

--------------------------------

Rahul Mangaldas (rmangaldas@clarku.bitnet)
Box 1311, Clark University
950 Main Street
Worcester, MA 01610-1477
8004SLB@mucsd.UUCP (Sandy) (08/04/87)
Here is another program that we use on our VAXCluster to restrict one of the nodes to a given set of users. Users who are allowed to access the VAX have the identifier ENGVAX granted to their username with authorize or a program we've written here that allows authorized non-privileged users to grant and revoke identifiers for which they are responsible to/from other users.

In SYLOGIN, if the current node is the one that has restrictions, this program is run. If the user has OPER privilege or holds the ENGVAX identifier, the program exits quietly. If not, the user is given a terse error message and logged off the system.

This program is a bit different from a previous program in that the identifier is checked immediately and may have been granted by a privileged program as opposed to searching the rights data base for the identifier.

To change this program for an identifier with a name other than ENGVAX, simply change the one line at label AIDENT:.

Here's the code:

Sandy Berger
Marquette University
Computer Services Division
Technical Services
Milwaukee, WI
UUCP: ...!seismo!uwvax!uwmcsd1!marque!mucsd!8004slb
ARPA: marque!mucsd!8004slb@csd1.milw.wisc.edu

---------------------------CUT HERE------------------------------------
        .TITLE  CHKPRO - TEST FOR ACCESS TO ENGINEERING VAX
;
;       Written by:     Sanford L. Berger
;                       Marquette University
;                       Computer Services Division
;                       Technical Services
;                       Milwaukee, WI
;
; This program checks to see if the user currently holds the given identifier.
; If he does the program simply exits. If not, a message is given and the
; user is logged out. Users with OPER privilege are exempt from the
; identifier check.
;
        .LIBRARY /SYS$LIBRARY:LIB/
        $ACEDEF
        $ARMDEF
        $CHPDEF
        $JPIDEF
        $PRVDEF
        .PSECT  DATA,LONG,NOEXE
BMES:   .ASCID  /You are not allowed to access this VAX./
;
; Don't use the user's privileges in the $CHKPRO service.
;
PRVS:   .QUAD   0
;
; Following is the ACL which we use in $CHKPRO.
;
ACL:    .BYTE   12                      ; length of ACE
        .BYTE   ACE$C_KEYID             ; type of ACE
        .WORD   0                       ; ACE flags
        .LONG   ACE$M_READ              ; ACE access flags
IDENT:  .BLKL   1                       ; identifier to check for
;
ACCESS: .LONG   ARM$M_READ              ; longword for read access
;
; Next is the item list for $CHKPRO.
;
ITMLST: .WORD   4
        .WORD   CHP$_ACCESS             ; read access
        .ADDRESS ACCESS
        .LONG   0
        .WORD   8
        .WORD   CHP$_PRIV               ; no privileges
        .ADDRESS PRVS
        .LONG   0
ACLEN:  .WORD   12
        .WORD   CHP$_ACL                ; use our generated ACL
        .ADDRESS ACL
        .LONG   0
        .LONG   CHP$_END                ; end of item list
;
CPRIV:  .BLKQ   1                       ; user's current privileges
;
; Item list for $GETJPI to get current privileges
;
JPILST: .WORD   8
        .WORD   JPI$_CURPRIV
        .ADDRESS CPRIV
        .LONG   0
        .LONG   0
;
; Next is the identifier we are checking for.
;
AIDENT: .ASCID  /ENGVAX/
;
        .PSECT  INST,LONG,NOWRT
        .ENTRY  START,^M<>
        $GETJPIW_S ITMLST=JPILST        ; get user's privileges
        BBS     #PRV$V_OPER,CPRIV,OK    ; if OPER then exit
        $ASCTOID_S NAME=AIDENT,ID=IDENT ; convert identifier to binary
        $CHKPRO_S ITMLST=ITMLST         ; check to see if ACL passes check
        BLBS    R0,OK                   ; yes, he's got the identifier, exit
        PUSHAQ  BMES
        CALLS   #1,G^LIB$PUT_OUTPUT     ; no, give him the message
        $DELPRC_S                       ; and do away with him
OK:     $EXIT_S
        .END    START
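
Added example, not part of any post in this thread: a DCL-only form of the check asked for in the original question. Like the $CHKPRO program above, it tests the rights the process holds at the moment it runs rather than searching the rights database. It assumes a VMS version whose F$GETJPI lexical supports the RIGHTSLIST item; the procedure name HOLDS_ID.COM and the global symbol HOLDS_ID are hypothetical.

```dcl
$! HOLDS_ID.COM  (added example, hypothetical name)
$! P1 = name of the identifier to test for, e.g. ENGVAX
$! On exit the global symbol HOLDS_ID is "TRUE" or "FALSE".
$! Assumption: F$GETJPI supports the RIGHTSLIST item on this system.
$!
$ SET NOON
$! Start from FALSE so that every early exit denies rather than grants.
$ holds_id == "FALSE"
$ wanted = F$EDIT(P1, "UPCASE,COLLAPSE")
$ IF wanted .EQS. "" THEN EXIT
$!
$! Comma-separated names of all identifiers the current process holds.
$ rights = F$GETJPI("", "RIGHTSLIST")
$ i = 0
$LOOP:
$ id = F$ELEMENT(i, ",", rights)
$! F$ELEMENT returns the delimiter itself once the list is exhausted.
$ IF id .EQS. "," THEN GOTO DONE
$ IF F$EDIT(id, "TRIM,UPCASE") .EQS. wanted THEN holds_id == "TRUE"
$ i = i + 1
$ GOTO LOOP
$DONE:
$ EXIT
```

A caller such as SYLOGIN would invoke it with `@HOLDS_ID ENGVAX` and log the user off unless HOLDS_ID equals "TRUE".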