Ticket 9113

Summary:	Restrict partition to a specific set of users
Product:	Slurm	Reporter:	Simran <simran>
Component:	Configuration	Assignee:	Felip Moll <felip.moll>
Status:	RESOLVED INFOGIVEN	QA Contact:
Severity:	4 - Minor Issue
Priority:	---	CC:	felip.moll
Version:	19.05.1
Hardware:	Linux
OS:	Linux
Site:	Genentech (Roche)	Alineos Sites:	---
Atos/Eviden Sites:	---	Confidential Site:	---
Coreweave sites:	---	Cray Sites:	---
DS9 clusters:	---	HPCnow Sites:	---
HPE Sites:	---	IBM Sites:	---
NOAA SIte:	---	OCF Sites:	---
Recursion Pharma Sites:	---	SFW Sites:	---
SNIC sites:	---	Linux Distro:	---
Machine Name:		CLE Version:
Version Fixed:		Target Release:	---
DevPrio:	---	Emory-Cloud Sites:	---

Description Simran 2020-05-26 18:39:40 MDT

Hello,

I have a need to restrict some partitions to only a small set of users (ex: large gpu instances).  What is the best way to achieve this without using unix groups:

All users can submit to partition x
Only user x,y,z can submit to partition y and z

Could this be achieved using QOS/Associations.

Thanks,
-Simran

Comment 1 Simran 2020-05-26 19:05:59 MDT

Found the AllowAccounts option in slurm.conf.  This will work for me but I just need to move the users to the appropriate bank accounts and limit usage to specific partitions using those bank accounts.

Please feel free to close this ticket or let me know if there is a better way to achieve this.

Thanks,
-Simran

Comment 2 Felip Moll 2020-05-27 05:43:58 MDT

You have several options.

I vote for 1 or 3.

1. You can use AllowAccounts, then you have to add a new Slurm account with the required users.

Cons: Accounting will be charged into this new account.

Note: you don't need to *move* users from one account to another as you say in comment 1, you just need to create a new account and new associations for each user.

sacctmgr add account=specialpart
sacctmgr add user jack account=specialpart

This will add a new association of user jack with account=specialpart. The older association will still be there (sacctmgr show assoc -pn).

2. You can use AllowGroups, then you have to add a new Unix group with the required users.

Cons: You need to modify and maintain unix groups.

3. You can create a QoS and assign it to a user or account. Then make use of AllowQoS in the partition.

Cons: You need to maintain QoS assigned to users.. it's not really a cons.

4. You can assign partitions to users and enforce Associations. Then a user will be only able to submit
to its defined partitions.

Cons: Difficult to maintain and is the opposite to what you want. You need to modify all users to be able
to submit only to specific partitions, then add more partitions or leave the field blank for the special users.

AccountingStorageEnforce=associations (at least) set in slurm.conf

sacctmgr delete user jack  <-- remove previous association which allowed all partitions (you may lost accounting)
sacctmgr add user jack partition=test <-- add association with restriction
sacctmgr delete user jack partition=test <-- remove specific association

If there's already a user jack without partition= set, he will still be able to submit to all partitions unless
you remove its previous association.

4. Finally you can develop and use a Job Submit LUA pugin which gives you way more flexibility but may be
harder to maintain.

You can read about submission plugin in the slurm.conf man page in the JobSubmitPlugins paragraph.

Example:

function slurm_job_submit(job_desc, part_list, submit_uid)

    if (job_desc.partition ~= nil)
    then	
        if (string.match(job_desc.partition,"restricted"))
    	then
               allowed = uid_is_allowed(submit_uid)  //you should implement this
    		if (allowed == false)
		then
                        slurm.user_msg("uid %u not allowed in partition restricted", submit_uid)
                        return slurm.ERROR
                end
    	end
    end	

return slurm.SUCCESS


I am marking this issue as resolved, please don't hesitate to mark it as OPEN again if more questions arise.