[slurm-dev] Re: Authentication and invoking slurm commands from web app

Ryan Cox Thu, 02 Oct 2014 08:43:36 -0700

What keys are you talking about? Are you referring to the scriptgenerator that Moe linked to? It's on github as LGPL with no keys ofany kind: https://github.com/BYUHPC/BYUJobScriptGenerator. It onlycreates a script but doesn't submit it. We could easily add thatcapability for our own site but we haven't gotten around to it sincecopy-paste then "sbatch thefilename" isn't exactly hard.

Unfortunately a lot of our internal stuff isn't available as open sourcesince it's way too tied to internal systems. Utilization graphs arepretty easy. You can get some information directly from the databasebut we prefer to have more advanced information available. Some of itinvolves running scontrol to periodically populate tables (we shouldhave used the perl API but we hadn't looked at it yet... oh well).

We also have a pretty substantial web services API which is also toointegrated into our systems to release it. Among many other things, itallows for querying information about all jobs, specific jobs, nodes,etc. Users can submit jobs and admins can modify node state, etc. Thekey for security is to have a good authentication method and have yourcommands only take well-sanitized input. In other words, if you want todo something like call "scontrol show job" directly, make sure that itaccepts one parameter from the user, an integer that you have verifiedis only an integer. Even then, bash may happen :)

Creating an API or doing something like that more directly on the webserver isn't a trivial task. You may want to look for existingsolutions like those mentioned by Lech and others, though I haven'tlooked at those myself. Having done this ourselves, I know that it cantake a long time to do it right.


Ryan


On 10/02/2014 08:20 AM, José Román Bilbao Castro wrote:

Re: [slurm-dev] Re: Authentication and invoking slurm commands fromweb appIt seems I was to fast... They don't seem to have open-sourced code.In fact, they ask for specific Keys for each implementation so Isuppose this is a closed project for their users only... :-(


2014-10-02 15:51 GMT+02:00 <je...@schedmd.com <mailto:je...@schedmd.com>>:


    Brigham Young University has developed a number of web interfaces
    to SLurm. See:
    https://marylou.byu.edu/documentation/slurm/script-generator
    https://marylou.byu.edu/utilization/

    Their Javascript tool to generate batch job scripts is here:
    https://github.com/BYUHPC/BYUJobScriptGenerator





    Quoting José Román Bilbao Castro <jrbc...@idiria.com
    <mailto:jrbc...@idiria.com>>:

        Thanks Lech,

        That is something to start with. The problem is that I plan to add
        submission in the future and don't want to start something
        that will have
        to be changed too much with time. So I would prefer to be able
        to firstly
        execute any slurm command from my webserver and for any user...

        Regards,

        Jose

        2014-10-02 15:28 GMT+02:00 Lech Nieroda
        <lech.nier...@uni-koeln.de <mailto:lech.nier...@uni-koeln.de>>:

            Hello José,

            you might be interested in ubmod or its successor open
            xdmod. It's a
            system that queries SLURM regularly, writes the data into
            its own database
            and makes it available via webserver. You'd probably have
            to implement
            proper security measures for user  management.

            Regards,
            Lech

            (sent from mobile)
            Am 02.10.2014 14:38 schrieb
            =?ISO-8859-1?Q?Jos=E9_Rom=E1n_Bilbao_Castro?= <
            jrbc...@idiria.com <mailto:jrbc...@idiria.com>>:

             Thanks Brian,

            So you propose to have something like an intermediate
            database that maps
            web portal users to system users and make all calls
            internally from the
            webserver, right?. I just wanted to avoid the intermediate
            step for
            simplicity, but it seems to be a bad practice.

            So, regarding the second step... what is the safest and
            more logical
            manner of invoking slurm commands from the webserver?. I
            mean, at the end I
            must pass some credentials for the right user... Or should
            I have a tomcat
            user that belongs to the sudo group and call invoke
            commands as another
            user?. I am totally lost and need some thread to start
            pulling from it.

            Thanks again,

            Jose


            2014-10-02 13:23 GMT+02:00 Brian B. <for...@gmail.com
            <mailto:for...@gmail.com>>:

                Hello Jose,

                It is never a good idea to have the public facing
                credentials be the same
                as the private credentials. That is if your public
                facing server is
                compromised your internal system is compromised. The
                limited cases where
                direct internal access are needed (e.g. SSH) should be
                handled by hardened
                servers.

                Allowing users to input executable commands on a
                webpage is also not a
                good security practice. This is essentially how the
                shellshock bug works.

                This is just my take on things but I would suggest
                building a different
                system.

                --
                Regards,
                Brian

                On Oct 2, 2014, at 06:40, José Román Bilbao Castro
                <jrbc...@idiria.com <mailto:jrbc...@idiria.com>>
                wrote:

                Hi all,

                First of all, this is my very first message to the
                list and don't even
                know if this is the proper place to port this message.

                I am facing a simple project that should allow a slurm
                user to monitor
                his jobs running on a slurm server. I have been
                looking at the Slurm
                authentication API but I cannot find anything useful
                for me as this seems
                to be applied to users already logged in the system.
                My question is where
                to start looking at (technologies, web development
                frameworks, etc...) to
                be able to enter a user/password on the web browser
                that coincides with
                that of the Linux user, send the credentials to the
                server, execute a slurm
                command on behalf of that user and print results back...

                May be this is a very complex question, but I have not
                much experience in
                web development and how it should be done to link
                slurm commands execution,
                specific user authorization, etc...

                Thanks in advance,

                Jose

                --


                *José Román Bilbao Castro*

                Ingeniero Consultor
                +34 901009188 <tel:%2B34%20901009188>

                *jrbc...@idiria.com <mailto:jrbc...@idiria.com>
                <jrbc...@idiria.com
                <mailto:jrbc...@idiria.com>>**http://www.idiria.com
                <http://www.idiria.com/>* <*http://
                <http://%20%20/>www.idiria.com/ <http://www.idiria.com/>
                <http://www.idiria.com/>*>


                --
                Idiria Sociedad Limitada - Aviso legal

                Este mensaje, su contenido y cualquier fichero
                transmitido con él está
                dirigido únicamente a su destinatario y es
                confidencial. Por ello, se
                informa a quien lo reciba por error ó tenga
                conocimiento del mismo sin ser
                su destinatario, que la información contenida en él es
                reservada y su uso
                no autorizado, por lo que en tal caso le rogamos nos
                lo comunique por la
                misma  vía o por teléfono (+ 34 690207492
                <tel:%28%2B%2034%20690207492>), así como que se
                abstenga de
                reproducir el mensaje mediante cualquier medio o
                remitirlo o entregarlo a
                otra persona, procediendo a su borrado de manera
                inmediata.

                Idiria Sociedad Limitada se reserva las acciones
                legales que le

correspondan contra todo tercero que acceda de formailegítima al

                contenido de cualquier mensaje externo procedente del
                mismo.

                Para información y consultas visite nuestra web
                http://www.idiria.com



                Idiria Sociedad Limitada - Disclaimer
                This message, its content and any file attached
                thereto is for the
                intended recipient only and is confidential. If you
                have received this
                e-mail in error or had access to it, you should note
                that the information
                in it is private and any use thereof is unauthorised.
                In such an event
                please notify us by e-mail or by telephone (+ 34
                690207492 <tel:%28%2B%2034%20690207492>). Any
                reproduction of this e-mail by whatsoever means and
                any transmission or
                dissemination thereof to other persons is prohibited.
                It should be deleted
                immediately from your system.

                Idiria Sociedad Limitada reserves the right to take
                legal action against
                any persons unlawfully gaining access to the content
                of any external
                message it has emitted.

                For additional information, please visit our website
                http://www.idiria.com






            --


            *José Román Bilbao Castro*

            Ingeniero Consultor
            +34 901009188 <tel:%2B34%20901009188>

            *jrbc...@idiria.com <mailto:jrbc...@idiria.com>
            <jrbc...@idiria.com
            <mailto:jrbc...@idiria.com>>**http://www.idiria.com
            <http://www.idiria.com/>* <*http://
            <http://%20%20/>www.idiria.com/ <http://www.idiria.com/>
            <http://www.idiria.com/>*>


            --
            Idiria Sociedad Limitada - Aviso legal

            Este mensaje, su contenido y cualquier fichero transmitido
            con él está
            dirigido únicamente a su destinatario y es confidencial.
            Por ello, se
            informa a quien lo reciba por error ó tenga conocimiento
            del mismo sin ser
            su destinatario, que la información contenida en él es
            reservada y su uso
            no autorizado, por lo que en tal caso le rogamos nos lo
            comunique por la
            misma  vía o por teléfono (+ 34 690207492
            <tel:%28%2B%2034%20690207492>), así como que se abstenga de
            reproducir el mensaje mediante cualquier medio o remitirlo
            o entregarlo a
            otra persona, procediendo a su borrado de manera inmediata.

            Idiria Sociedad Limitada se reserva las acciones legales
            que le

correspondan contra todo tercero que acceda de formailegítima al

            contenido de cualquier mensaje externo procedente del mismo.

            Para información y consultas visite nuestra web
            http://www.idiria.com



            Idiria Sociedad Limitada - Disclaimer
            This message, its content and any file attached thereto is
            for the
            intended recipient only and is confidential. If you have
            received this
            e-mail in error or had access to it, you should note that
            the information
            in it is private and any use thereof is unauthorised. In
            such an event
            please notify us by e-mail or by telephone (+ 34 690207492
            <tel:%28%2B%2034%20690207492>). Any
            reproduction of this e-mail by whatsoever means and any
            transmission or
            dissemination thereof to other persons is prohibited. It
            should be deleted
            immediately from your system.

            Idiria Sociedad Limitada reserves the right to take legal
            action against
            any persons unlawfully gaining access to the content of
            any external
            message it has emitted.

            For additional information, please visit our website
            http://www.idiria.com







        --


        *José Román Bilbao Castro*

        Ingeniero Consultor
        +34 901009188 <tel:%2B34%20901009188>

        *jrbc...@idiria.com <mailto:jrbc...@idiria.com>
        <jrbc...@idiria.com
        <mailto:jrbc...@idiria.com>>**http://www.idiria.com
        <http://www.idiria.com/>* <*http://
        <http://%20%20/>www.idiria.com/ <http://www.idiria.com/>
        <http://www.idiria.com/>*>


        --
        Idiria Sociedad Limitada - Aviso legal

        Este mensaje, su contenido y cualquier fichero transmitido con
        él está
        dirigido únicamente a su destinatario y es confidencial. Por
        ello, se
        informa a quien lo reciba por error ó tenga conocimiento del
        mismo sin ser
        su destinatario, que la información contenida en él es
        reservada y su uso
        no autorizado, por lo que en tal caso le rogamos nos lo
        comunique por la
        misma  vía o por teléfono (+ 34 690207492
        <tel:%28%2B%2034%20690207492>), así como que se abstenga de
        reproducir el mensaje mediante cualquier medio o remitirlo o
        entregarlo a
        otra persona, procediendo a su borrado de manera inmediata.

        Idiria Sociedad Limitada se reserva las acciones legales que le
        correspondan contra todo tercero que acceda de forma ilegítima al
        contenido de cualquier mensaje externo procedente del mismo.

        Para información y consultas visite nuestra web
        http://www.idiria.com



        Idiria Sociedad Limitada - Disclaimer
        This message, its content and any file attached thereto is for
        the intended
        recipient only and is confidential. If you have received this
        e-mail in
        error or had access to it, you should note that the
        information in it is
        private and any use thereof is unauthorised. In such an event
        please notify
        us by e-mail or by telephone (+ 34 690207492
        <tel:%28%2B%2034%20690207492>). Any reproduction of this
        e-mail by whatsoever means and any transmission or
        dissemination thereof to
        other persons is prohibited. It should be deleted immediately
        from your
        system.

        Idiria Sociedad Limitada reserves the right to take legal
        action against
        any persons unlawfully gaining access to the content of any
        external
        message it has emitted.

        For additional information, please visit our website
        http://www.idiria.com

--Morris "Moe" Jette

    CTO, SchedMD LLC




--

*
José Román Bilbao Castro*

Ingeniero Consultor
+34 901009188
_jrbc...@idiria.com <mailto:jrbc...@idiria.com>

__http://www.idiria.com <http://www.idiria.com/>_ <_http://<http://%20%20/>www.idiria.com/ <http://www.idiria.com/>_>


--
Idiria Sociedad Limitada - Aviso legal

Este mensaje, su contenido y cualquier fichero transmitido con él estádirigido únicamente a su destinatario y es confidencial. Por ello, seinforma a quien lo reciba por error ó tenga conocimiento del mismo sinser su destinatario, que la información contenida en él es reservada ysu uso no autorizado, por lo que en tal caso le rogamos nos locomunique por la misma vía o por teléfono (+ 34 690207492), así comoque se abstenga de reproducir el mensaje mediante cualquier medio oremitirlo o entregarlo a otra persona, procediendo a su borrado demanera inmediata.

Idiria Sociedad Limitada se reserva las acciones legales que lecorrespondan contra todo tercero que acceda de forma ilegítima alcontenido de cualquier mensaje externo procedente del mismo.

Para información y consultas visite nuestra web http://www.idiria.com<http://www.idiria.com/>




Idiria Sociedad Limitada - Disclaimer

This message, its content and any file attached thereto is for theintended recipient only and is confidential. If you have received thise-mail in error or had access to it, you should note that theinformation in it is private and any use thereof is unauthorised. Insuch an event please notify us by e-mail or by telephone (+ 34690207492). Any reproduction of this e-mail by whatsoever means andany transmission or dissemination thereof to other persons isprohibited. It should be deleted immediately from your system.

Idiria Sociedad Limitada reserves the right to take legal actionagainst any persons unlawfully gaining access to the content of anyexternal message it has emitted.

For additional information, please visit our websitehttp://www.idiria.com <http://www.idiria.com/>


--
Ryan Cox
Operations Director
Fulton Supercomputing Lab
Brigham Young University

[slurm-dev] Re: Authentication and invoking slurm commands from web app

Reply via email to