[slurm-users] Accounting: Default Associations for Unknown Accounts

Thu Dec 20 23:50:26 MST 2018

I have a script that does more or less what is suggested.  I also took an idea from elsewhere to add accounts for the department (primary GID), assign shares to that account, and make the members of the department draw their usage from the parent account.  It does then allow other ways to adjust the shares – the source that I read did that according to the $$ contributed to the back-end by the various departments.

I can share the script once I have cleaned it up.

BUT I found that it doesn’t currently work in a cron job, although it works fine interactively.  The issue is getting the list of AD groups, where I use ‘net ads group’ and that doesn’t work without a valid login to AD, and I haven’t yet solved that.  It can be done with ldapsearch but that requires a hard-coded username and password, so requires a special AD account that has no login rights and raises security issues anyhow, but is a solution widely used in other scripts we have to find if users are members of a group.  ‘net ads group’ I found was way faster and simpler.

Essentially I have an AD group <cluster>_<partition> and if the script finds new members, it creates the account.  I haven’t yet developed the inverse script but that is just a problem of having time.

I am looking at using keytab to solve the Kerberos ticket but I haven’t cracked it yet.

William Brown

Rothamsted Research

From: slurm-users <slurm-users-bounces at lists.schedmd.com> On Behalf Of Sam Hawarden
Sent: 20 December 2018 23:36
To: Slurm User Community List <slurm-users at lists.schedmd.com>
Subject: Re: [slurm-users] Accounting: Default Associations for Unknown Accounts

Hi there,

I use the following cron job that runs every night to add new users:

#!/bin/bash

function usersInGrp {

    echo -n $(getent group "$*" | cut -d':' -f 4- | awk -F',' '$1=$1')

}

for user in $(usersInGrp 'cluster.users'; usersInGrp 'ALT_DOMAIN1+cluster.users'; usersInGrp 'ALT_DOMAIN2+cluster.users')

do

    # Check for existing account.

    if [ "$(sacctmgr -nP show user $user | awk -F'|' '{print $2}')" == "" ];

    then

        # User has no default account. Add one.

        sacctmgr add user $user DefaultAccount=nullAccount

    fi

done

There's also a relatively simple inverse script to remove users who are no longer in the group.

Regards,

   Sam

  _____  

Sam Hawarden

Assistant Research Fellow

Pathology Department

Dunedin School of Medicine

sam.hawarden(at)otago.ac.nz

DDI: +64 (0)3 470 3455

Mb: +64 (0)21 898 895

Rm 228 Hercus Building

  _____  

From: slurm-users <slurm-users-bounces at lists.schedmd.com <mailto:slurm-users-bounces at lists.schedmd.com> > on behalf of Fulcomer, Samuel <samuel_fulcomer at brown.edu <mailto:samuel_fulcomer at brown.edu> >
Sent: Friday, 21 December 2018 12:02
To: Slurm User Community List
Subject: Re: [slurm-users] Accounting: Default Associations for Unknown Accounts 

Yes, in a way. In thinking about this for Brown (we haven't implemented it, yet), we've the idea of having a Linux cron job periodically query the group membership of the AD group granted access to the HPC resource, and adding any new users to the SLURM accounting database. 

We're at the point of using AD for ssh/login authentication via sssd, but still maintain an cluster/internal NIS database for pwent and cluster-specific group info (i.e., only the login gateways do AD authentication). Our SLURM associations are updated automatically when the NIS account is created or modified (via webmin).

On Thu, Dec 20, 2018 at 5:46 PM Ulf <mopp at gmx.net <mailto:mopp at gmx.net> > wrote:

Hello,

we think about switch to SLURM. Currently we grant access to the cluster using a active directory group, everyone in this group is allowed to run jobs.

So the users are not known to the SLURM accounting database.

Is it possible to automatically add every new user to an default account without manually adding the user with "sacctmgr add user user123 Account=test".

Regards

Ulf

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.schedmd.com/pipermail/slurm-users/attachments/20181221/9cfc7dcf/attachment.html>