Ticket 20773

Summary: SLURMRESTD_SECURITY=disable_user_check is never required
Product: Slurm Reporter: Rémi Palancher <remi+schedmd>
Component: slurmrestdAssignee: Nate Rini <nate>
Status: RESOLVED FIXED QA Contact:
Severity: C - Contributions    
Priority: ---    
Version: 24.11.x   
Hardware: Linux   
OS: Linux   
Site: -Other- Alineos Sites: ---
Atos/Eviden Sites: --- Confidential Site: ---
Coreweave sites: --- Cray Sites: ---
DS9 clusters: --- HPCnow Sites: ---
HPE Sites: --- IBM Sites: ---
NOAA SIte: --- NoveTech Sites: ---
Nvidia HWinf-CS Sites: --- OCF Sites: ---
Recursion Pharma Sites: --- SFW Sites: ---
SNIC sites: --- Linux Distro: ---
Machine Name: CLE Version:
Version Fixed: 24.05.4, 24.11.0rc1 Target Release: ---
DevPrio: --- Emory-Cloud Sites: ---
Attachments: Patch to check not running as slurm after conf load in slurmrestd

Description Rémi Palancher 2024-08-26 08:08:25 MDT 
Created attachment 38532 [details]
Patch to check not running as slurm after conf load in slurmrestd

Dear Slurm maintainers,

I recently discovered existence of environment variable SLURMRESTD_SECURITY=disable_user_check in slurmrestd manpage and I was surprised I never had to use it. More context in [1].

It seems that since [2] slurm user check is performed _before_ slurm configuration is loaded by slurmrestd, thus making slurm user check a no-op. With the patch attached (against Slurm 24.05.2), slurm user check is performed after conf load and SLURMRESTD_SECURITY=disable_user_check is required again.

Before the patch:

root@admin:~# env | grep SLURMRESTD
root@admin:~# scontrol show config | grep SlurmUser
SlurmUser               = slurm(64030)
root@admin:~# su slurm -s /bin/sh -c "/usr/sbin/slurmrestd -v unix:/tmp/slurmrestd.socket"
slurmrestd: accounting_storage/slurmdbd: init: Accounting storage SLURMDBD plugin loaded
slurmrestd: cred/munge: init: Munge credential signature plugin loaded

After the patch:

# su slurm -s /bin/sh -c "/usr/sbin/slurmrestd -v unix:/tmp/slurmrestd.socket"
slurmrestd: accounting_storage/slurmdbd: init: Accounting storage SLURMDBD plugin loaded
slurmrestd: cred/munge: init: Munge credential signature plugin loaded
slurmrestd: fatal: slurmrestd should not be run as SlurmUser
# SLURMRESTD_SECURITY=disable_user_check su slurm -s /bin/sh -c "/usr/sbin/slurmrestd -v unix:/tmp/slurmrestd.socket"
slurmrestd: accounting_storage/slurmdbd: init: Accounting storage SLURMDBD plugin loaded
slurmrestd: cred/munge: init: Munge credential signature plugin loaded

[1] https://github.com/rackslab/Slurm-web/discussions/315
[2] https://github.com/SchedMD/slurm/commit/0a07c53c69a4dc468545998974e7e8a15a768c01
Comment 8 Nate Rini 2024-08-28 15:17:20 MDT 
Thank you for your contribution. It will be included in the upcoming Slurm-24.05.4 release:
> https://github.com/SchedMD/slurm/commit/019ab8f5a17d80b73b94c1a517c89164b86a9766