Ticket 20773 - SLURMRESTD_SECURITY=disable_user_check is never required
Summary: SLURMRESTD_SECURITY=disable_user_check is never required
Status: RESOLVED FIXED
Alias: None
Product: Slurm
Classification: Unclassified
Component: slurmrestd (show other tickets)
Version: 24.11.x
Hardware: Linux Linux
: C - Contributions
Assignee: Nate Rini
QA Contact:
URL:
Depends on:
Blocks:
 
Reported: 2024-08-26 08:08 MDT by Rémi Palancher
Modified: 2024-08-28 15:17 MDT (History)
0 users

See Also:
Site: -Other-
Alineos Sites: ---
Atos/Eviden Sites: ---
Confidential Site: ---
Coreweave sites: ---
Cray Sites: ---
DS9 clusters: ---
HPCnow Sites: ---
HPE Sites: ---
IBM Sites: ---
NOAA SIte: ---
NoveTech Sites: ---
OCF Sites: ---
Recursion Pharma Sites: ---
SFW Sites: ---
SNIC sites: ---
Linux Distro: ---
Machine Name:
CLE Version:
Version Fixed: 24.05.4, 24.11.0rc1
Target Release: ---
DevPrio: ---
Emory-Cloud Sites: ---

Attachments
Patch to check not running as slurm after conf load in slurmrestd (1.98 KB, patch)
2024-08-26 08:08 MDT, Rémi Palancher 		Details | Diff
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this ticket.
Description Rémi Palancher 2024-08-26 08:08:25 MDT 
Created attachment 38532 [details]
Patch to check not running as slurm after conf load in slurmrestd

Dear Slurm maintainers,

I recently discovered existence of environment variable SLURMRESTD_SECURITY=disable_user_check in slurmrestd manpage and I was surprised I never had to use it. More context in [1].

It seems that since [2] slurm user check is performed _before_ slurm configuration is loaded by slurmrestd, thus making slurm user check a no-op. With the patch attached (against Slurm 24.05.2), slurm user check is performed after conf load and SLURMRESTD_SECURITY=disable_user_check is required again.

Before the patch:

root@admin:~# env | grep SLURMRESTD
root@admin:~# scontrol show config | grep SlurmUser
SlurmUser               = slurm(64030)
root@admin:~# su slurm -s /bin/sh -c "/usr/sbin/slurmrestd -v unix:/tmp/slurmrestd.socket"
slurmrestd: accounting_storage/slurmdbd: init: Accounting storage SLURMDBD plugin loaded
slurmrestd: cred/munge: init: Munge credential signature plugin loaded

After the patch:

# su slurm -s /bin/sh -c "/usr/sbin/slurmrestd -v unix:/tmp/slurmrestd.socket"
slurmrestd: accounting_storage/slurmdbd: init: Accounting storage SLURMDBD plugin loaded
slurmrestd: cred/munge: init: Munge credential signature plugin loaded
slurmrestd: fatal: slurmrestd should not be run as SlurmUser
# SLURMRESTD_SECURITY=disable_user_check su slurm -s /bin/sh -c "/usr/sbin/slurmrestd -v unix:/tmp/slurmrestd.socket"
slurmrestd: accounting_storage/slurmdbd: init: Accounting storage SLURMDBD plugin loaded
slurmrestd: cred/munge: init: Munge credential signature plugin loaded

[1] https://github.com/rackslab/Slurm-web/discussions/315
[2] https://github.com/SchedMD/slurm/commit/0a07c53c69a4dc468545998974e7e8a15a768c01
Comment 8 Nate Rini 2024-08-28 15:17:20 MDT 
Thank you for your contribution. It will be included in the upcoming Slurm-24.05.4 release:
> https://github.com/SchedMD/slurm/commit/019ab8f5a17d80b73b94c1a517c89164b86a9766