Merge pull request #5961 from grondo/no-testexec

job-exec: do not allow guest access to the testexec implementation by default
flux-framework · May 13, 2024 · 1c626ca · 1c626ca
2 parents fb85782 + 58ca27a
commit 1c626ca
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 0 deletions.
diff --git a/doc/man5/flux-config-exec.rst b/doc/man5/flux-config-exec.rst
@@ -38,6 +38,10 @@ sdexec-properties
    (optional) A table of systemd properties to set for all jobs.  All values
    must be strings.  See SDEXEC PROPERTIES below.
 
+testexec
+   (options) A table of keys (see :ref:`testexec`) for configuring the
+   **job-exec** test execution implementation (used in mainly for testing).
+
 
 SDEXEC PROPERTIES
 =================
@@ -61,6 +65,15 @@ MemoryMin, MemoryLow
    described above.
 
 
+.. _testexec:
+
+TESTEXEC
+========
+
+allow-guests
+  Boolean value enables access to the testexec implementation from guest
+  users. By default, guests cannot use this implementation.
+
 EXAMPLES
 ========
 
@@ -77,6 +90,11 @@ EXAMPLES
    [exec.sdexec-properties]
    MemoryMax = "90%"
 
+::
+
+   [exec.testexec]
+   allow-guests = true
+
 
 RESOURCES
 =========

diff --git a/doc/test/spell.en.pws b/doc/test/spell.en.pws
@@ -911,3 +911,4 @@ transactional
 keypair
 unterminated
 upmi
+testexec
diff --git a/src/modules/job-exec/testexec.c b/src/modules/job-exec/testexec.c
@@ -59,6 +59,7 @@ struct testexec_ctx {
     flux_msg_handler_t *mh;  /* testexec RPC handler */
     flux_msg_handler_t *dh;  /* disconnect handler */
     zhashx_t *jobs;
+    bool allow_guests;
 };
 
 struct testconf {
@@ -218,6 +219,12 @@ static int testexec_init (struct jobinfo *job)
     }
     else if (!conf.enabled)
         return 0;
+    if (job->multiuser && !testexec_ctx->allow_guests) {
+        jobinfo_fatal_error (job,
+                             0,
+                             "guests may not use test exec implementation");
+        return -1;
+    }
     if (!(te = testexec_create (job, conf))) {
         jobinfo_fatal_error (job, errno, "failed to init test exec module");
         return -1;
@@ -488,6 +495,13 @@ static int testexec_config (flux_t *h,
         if (!(testexec_ctx = testexec_ctx_create (h)))
             return -1;
     }
+    if (flux_conf_unpack (conf,
+                          errp,
+                          "{s?{s?{s?b}}}",
+                          "exec",
+                           "testexec",
+                             "allow-guests", &testexec_ctx->allow_guests) < 0)
+        return -1;
     return 0;
 }
 

diff --git a/t/t2292-job-update-running.t b/t/t2292-job-update-running.t
@@ -54,6 +54,12 @@ job_manager_get_starttime() {
 	job_manager_get_R $1 | jq .R.execution.starttime
 }
 
+test_expect_success 'configure testexec to allow guest access' '
+	flux config load <<-EOF
+	[exec.testexec]
+	allow-guests = true
+	EOF
+'
 test_expect_success 'instance owner can adjust expiration of their own job' '
 	jobid=$(flux submit --wait-event=start -t5m sleep 300) &&
 	expiration=$(job_manager_get_expiration $jobid) &&

diff --git a/t/t2400-job-exec-test.t b/t/t2400-job-exec-test.t
@@ -6,13 +6,25 @@ test_description='Test flux job execution service in simulated mode'
 
 test_under_flux 1 job
 
+flux version | grep -q libflux-security && test_set_prereq FLUX_SECURITY
+
 flux setattr log-stderr-level 1
 
 RPC=${FLUX_BUILD_DIR}/t/request/rpc
 
 job_kvsdir()    { flux job id --to=kvs $1; }
 exec_eventlog() { flux kvs get -r $(job_kvsdir $1).guest.exec.eventlog; }
 
+submit_as_alternate_user()
+{
+        FAKE_USERID=42
+        flux run --dry-run "$@" | \
+          flux python ${SHARNESS_TEST_SRCDIR}/scripts/sign-as.py $FAKE_USERID \
+            >job.signed
+        FLUX_HANDLE_USERID=$FAKE_USERID \
+          flux job submit --flags=signed job.signed
+}
+
 test_expect_success 'job-exec: generate jobspec for simple test job' '
 	flux run \
 	    --setattr=system.exec.test.run_duration=0.0001s \
@@ -174,6 +186,24 @@ test_expect_success 'job-exec: critical-ranks RPC handles unexpected input' '
             test_must_fail flux python critical-ranks.py $id 0
         )
 '
+test_expect_success FLUX_SECURITY 'job-exec: guests denied access to test exec' '
+	jobid=$(submit_as_alternate_user \
+		--setattr=exec.test.run_duration=1s hostname) &&
+	flux job wait-event -Hvt 15s $jobid exception &&
+	flux job wait-event -Ht 15s $jobid exception >testexec-denied.out &&
+	grep "guests may not use test" testexec-denied.out
+'
+test_expect_success FLUX_SECURITY \
+	'job-exec: guest access to test exec can be configured' '
+	flux config load <<-EOF &&
+	[exec.testexec]
+	allow-guests = true
+	EOF
+	jobid=$(submit_as_alternate_user \
+		--setattr=exec.test.run_duration=0.1s hostname) &&
+	flux job wait-event -vHt 15s $jobid clean &&
+	flux job status -vvv $jobid
+'
 
 if ! grep 'release 7' /etc/centos-release >/dev/null 2>&1 \
    && ! grep 'release 7' /etc/redhat-release >/dev/null 2>&1

diff --git a/t/t2800-jobs-recursive.t b/t/t2800-jobs-recursive.t
@@ -45,6 +45,12 @@ test_expect_success 'start a recursive job' '
 			 flux queue idle") &&
 	flux job wait-event $id clean
 '
+test_expect_success 'allow guest user access to testexec' '
+	flux config load <<-EOF
+	[exec.testexec]
+	allow-guests = true
+	EOF
+'
 test_expect_success FLUX_SECURITY 'submit fake instance job as another user' '
 	submit_fake_user_instance
 '