[gridengine users] Best way to restrict a user to a specific exec host?

Mun Johl mun.johl at kazan-networks.com
Tue Apr 9 15:43:16 UTC 2019


Hi Reuti,

Thank you for your reply!
Please see my comments below.

On Mon, Apr 08, 2019 at 10:27 PM PDT, Reuti wrote:
> Hi,
> 
> > Am 09.04.2019 um 05:37 schrieb Mun Johl <mun.johl at kazan-networks.com>:
> >
> > Hi all,
> >
> > My company is hiring a contractor for some development work.  As such, I
> > need to modify our grid configuration so that he only has access to a
> > single execution host.  That particular host (let's call it serverA)
> > will not have all of our data disks mounted.
> >
> > NOTE: We are running SGE v8.1.9 on systems running Red Hat Enterprise Linux v6.8 .
> >
> > I'm not really sure how to proceed.  I'm thinking of perhaps creating a
> > new queue which only resides on serverA.
> 
> There is no need for an additional queue. You can add him to the xuser_lists of all oher queues. But a special queue with a limited number of slots might give the contractor more priority to check his develoment faster. Depends on personal taste whether this one is preferred. This queue could have a forced complex with a high urgency, which he always have to request (or you use JSV to add this to his job submissions).

How would I proceed if I did not create an additional queue?  You have
me intrigued.  That is, if I add him to the xuser_lists of all queues,
he wouldn't be able to submit a job, would he?  Perhaps I'm confused.

> >  We would ask the contractor to
> > specify this new queue for his jobs.  Furthermore, I would add the
> > contractor to the xuser_lists of all other queues.
> >
> > Does that sound reasonable
> 
> Yes.
> 
> 
> > or is there an easier method for
> > accomplishing this task within SGE?
> >
> > IF it makes sense to proceed in this manner, what is the easiest way to
> > add the username of the contractor to the xuser_lists parameter?  Can I
> > simply add his username?  Or do I need to create a new access list for him?
> 
> Yes.
> 
> $ qconf -au john_doe banned_users

Okay, so to confirm: I create the banned_users ACL and add that ACL to
all queues for which john_joe is banned.  Correct?

Thanks again for your time and knowledge!

Best regards,

-- 
Mun


> > Any and all examples of how to implement this type of configuration
> > would be greatly appreciated since I am not an SGE expert by any stretch
> > of the imagination.
> >
> > By the way, would the contractor only need an account on serverA in
> > order to utilize SGE?  Or would he need an account on the grid master as
> > well?
> 
> Are you not using a central user administration by NIS or LDAP?
> 
> AFAICS he needs an entry only on the execution host (and on the submission host of course).
> 
> -- Reuti



More information about the users mailing list