Restricting User Access via SLURM
Making it so users can only ssh into the nodes they have reserved is built into SLURM. I had a hard time finding all the steps in one place, here’s what I did.
Using centos 7.x you’ll need to edit two files (both in the compute node image a.k.a vnfs):
- $CHROOT/etc/pam.d/password-auth
- $CHROOT/etc/security/access.conf
Where $CHROOT is the location to your image. Edit the files like so:
Edit $CHROOT/etc/pam.d/password-auth:
account required pam_unix.so
account required pam_slurm.so # Add this line, below pam_unix.so, but above everything else
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
Edit $CHROOT/etc/security/access.conf:
# All other users should be denied to get access from all sources.
+ : root : ALL # Uncomment or add this line at the bottom of the file
- : ALL : ALL # Uncomment or add this line at the bottom of the file
Now rebuild and apply your image/vnfs to the nodes. (Not covered here.)
Test it out:
[sr@sms ~]$ ssh compute-1
Access denied: user sr (uid=1) has no active jobs on this node.
Connection closed by 192.168.x.x
[sr@sms ~]$ salloc -n 1
salloc: Granted job allocation 71
[sr@sms ~]$ squeue
JOBID PARTITION NAME USER ST TIME NODES NODELIST(REASON)
71 shared bash sr R 0:04 1 compute-1
[sr@sms ~]$ ssh compute-1
[sr@compute-1 ~]$ # Note we can log in now!
[sr@compute-1 ~]$ exit
logout
Connection to knl-36 closed.
[sr@sms ~]$ scancel 71
salloc: Job allocation 71 has been revoked.