[slurm-users] Users able to submit jobs when they don't exist

Loris Bennett loris.bennett at fu-berlin.de
Fri Sep 14 06:34:10 MDT 2018


Hi Tim,

Tim Bishop <tim-lists at bishnet.net> writes:

> Hi all,
>
> New member to the list, and we've only been using Slurm for a few
> months. Everything is working well but I have some questions about user
> management.
>
> Our setup is that users are managed via LDAP. They exist on all compute
> nodes and on the submission node, but not on the controller (possibly an
> oversight). I've seen two problems here;
>
> 1. squeue shows jobs running as "nobody". I'm thinking this might be
> because users don't exist on the controller? Presumably there needs to
> be a UID->name mapping happening.
>
> 2. We have users on the submission node (it's used for other things too)
> that don't exist anywhere else within the Slurm cluster and they can
> still submit jobs. I'd have expected them to fail because the user
> doesn't exist, however they just run under the UID.
>
> Old code [1] has a pwuid call which appears to generate a failure if a
> user can't be found. But maybe this disappeared during some later
> refactoring?
>
> I have accounting set up but haven't dug much in to this. I've just read
> through the recent thread "Create users" and it looks like I need to be
> creating users within Slurm and then use AccountingStorageEnforce to
> ensure only users that exist in the accounting database can run jobs.
> Does that look like the right approach? There's some useful stuff in
> that thread about automating user creation too.

Yes, you're on the right track.  You have to use 'sacctmgr' to create
users that Slurm should know about, potentially within a hierarchy which
reflects your organisation.

Ole Holm Nielsen has some interesting tools here:

  https://github.com/OleHolmNielsen/Slurm_tools/tree/master/slurmaccounts

As mentioned, we on the other hand add users via a wrapper around
'sacctmgr' when we set users up.  This is just one step in a framework
which also informs the user and the PI via email that the access has
been granted.  The "create-Slurm-user-on-first-submit" approach Paul
Edmon describes also seems interesting.

Cheers,

Loris

> Thanks for your input.
>
> Tim.
>
> [1] - https://github.com/SchedMD/slurm/blob/5eea178ddad47c55007e32c08a89d89bd783ebad/src/slurmd/job.c#L108
-- 
Dr. Loris Bennett (Mr.)
ZEDAT, Freie Universit├Ąt Berlin         Email loris.bennett at fu-berlin.de



More information about the slurm-users mailing list