Re: [gridengine users] Best way to restrict a user to a specific exec host?
Am 09.04.2019 um 21:08 schrieb Mun Johl: > Hi Reuti, > > One clarification question below ... > > On Tue, Apr 09, 2019 at 09:05 AM PDT, Reuti wrote: >>> Am 09.04.2019 um 17:43 schrieb Mun Johl : >>> >>> Hi Reuti, >>> >>> Thank you for your reply! >>> Please see my comments below. >>> >>> On Mon, Apr 08, 2019 at 10:27 PM PDT, Reuti wrote: Hi, > Am 09.04.2019 um 05:37 schrieb Mun Johl : > > Hi all, > > My company is hiring a contractor for some development work. As such, I > need to modify our grid configuration so that he only has access to a > single execution host. That particular host (let's call it serverA) > will not have all of our data disks mounted. > > NOTE: We are running SGE v8.1.9 on systems running Red Hat Enterprise > Linux v6.8 . > > I'm not really sure how to proceed. I'm thinking of perhaps creating a > new queue which only resides on serverA. There is no need for an additional queue. You can add him to the xuser_lists of all oher queues. But a special queue with a limited number of slots might give the contractor more priority to check his develoment faster. Depends on personal taste whether this one is preferred. This queue could have a forced complex with a high urgency, which he always have to request (or you use JSV to add this to his job submissions). >>> >>> How would I proceed if I did not create an additional queue? You have >>> me intrigued. That is, if I add him to the xuser_lists of all queues, >>> he wouldn't be able to submit a job, would he? Perhaps I'm confused. >> >> All entries in the (cluster) queue definition allow a list of different >> characteristics (similar to David's setup in the recent post): >> >> $ qconf -sq all.q >> ... >> user_lists NONE,[development_machine=banned_users] >> xuser_lists NONE,[@ordinary_hosts=banned_users] > > I created a host group of servers only accessible by employees (not the > contractor). And then I created an ACL named "contractors" which > contains the contractor's username. > > So if I want to forbid the "contractors" from accessing the @EmpOnly > servers on a given queue, would I simply modify the following > xuser_lists line in the queue file as shown below? > > xuser_lists NONE,[@EmpOnly=contractors] Yes. If you don't want to do it in an editor, you can also use the command line: $ qconf -aattr queue xuser_lists contractors your_qname_here@@EmpOnly -- Reuti ___ users mailing list users@gridengine.org https://gridengine.org/mailman/listinfo/users
Re: [gridengine users] Best way to restrict a user to a specific exec host?
Am 09.04.2019 um 21:08 schrieb Mun Johl: > Hi Reuti, > > One clarification question below ... > > On Tue, Apr 09, 2019 at 09:05 AM PDT, Reuti wrote: >>> Am 09.04.2019 um 17:43 schrieb Mun Johl : >>> >>> Hi Reuti, >>> >>> Thank you for your reply! >>> Please see my comments below. >>> >>> On Mon, Apr 08, 2019 at 10:27 PM PDT, Reuti wrote: Hi, > Am 09.04.2019 um 05:37 schrieb Mun Johl : > > Hi all, > > My company is hiring a contractor for some development work. As such, I > need to modify our grid configuration so that he only has access to a > single execution host. That particular host (let's call it serverA) > will not have all of our data disks mounted. > > NOTE: We are running SGE v8.1.9 on systems running Red Hat Enterprise > Linux v6.8 . > > I'm not really sure how to proceed. I'm thinking of perhaps creating a > new queue which only resides on serverA. There is no need for an additional queue. You can add him to the xuser_lists of all oher queues. But a special queue with a limited number of slots might give the contractor more priority to check his develoment faster. Depends on personal taste whether this one is preferred. This queue could have a forced complex with a high urgency, which he always have to request (or you use JSV to add this to his job submissions). >>> >>> How would I proceed if I did not create an additional queue? You have >>> me intrigued. That is, if I add him to the xuser_lists of all queues, >>> he wouldn't be able to submit a job, would he? Perhaps I'm confused. >> >> All entries in the (cluster) queue definition allow a list of different >> characteristics (similar to David's setup in the recent post): >> >> $ qconf -sq all.q >> ... >> user_lists NONE,[development_machine=banned_users] >> xuser_lists NONE,[@ordinary_hosts=banned_users] > > I created a host group of servers only accessible by employees (not the > contractor). And then I created an ACL named "contractors" which > contains the contractor's username. > > So if I want to forbid the "contractors" from accessing the @EmpOnly > servers on a given queue, would I simply modify the following > xuser_lists line in the queue file as shown below? > > xuser_lists NONE,[@EmpOnly=contractors] > > Best regards, > > -- > Mun > ___ users mailing list users@gridengine.org https://gridengine.org/mailman/listinfo/users
Re: [gridengine users] Best way to restrict a user to a specific exec host?
Hi Reuti, One clarification question below ... On Tue, Apr 09, 2019 at 09:05 AM PDT, Reuti wrote: > > Am 09.04.2019 um 17:43 schrieb Mun Johl : > > > > Hi Reuti, > > > > Thank you for your reply! > > Please see my comments below. > > > > On Mon, Apr 08, 2019 at 10:27 PM PDT, Reuti wrote: > >> Hi, > >> > >>> Am 09.04.2019 um 05:37 schrieb Mun Johl : > >>> > >>> Hi all, > >>> > >>> My company is hiring a contractor for some development work. As such, I > >>> need to modify our grid configuration so that he only has access to a > >>> single execution host. That particular host (let's call it serverA) > >>> will not have all of our data disks mounted. > >>> > >>> NOTE: We are running SGE v8.1.9 on systems running Red Hat Enterprise > >>> Linux v6.8 . > >>> > >>> I'm not really sure how to proceed. I'm thinking of perhaps creating a > >>> new queue which only resides on serverA. > >> > >> There is no need for an additional queue. You can add him to the > >> xuser_lists of all oher queues. But a special queue with a limited number > >> of slots might give the contractor more priority to check his develoment > >> faster. Depends on personal taste whether this one is preferred. This > >> queue could have a forced complex with a high urgency, which he always > >> have to request (or you use JSV to add this to his job submissions). > > > > How would I proceed if I did not create an additional queue? You have > > me intrigued. That is, if I add him to the xuser_lists of all queues, > > he wouldn't be able to submit a job, would he? Perhaps I'm confused. > > All entries in the (cluster) queue definition allow a list of different > characteristics (similar to David's setup in the recent post): > > $ qconf -sq all.q > ... > user_lists NONE,[development_machine=banned_users] > xuser_lists NONE,[@ordinary_hosts=banned_users] I created a host group of servers only accessible by employees (not the contractor). And then I created an ACL named "contractors" which contains the contractor's username. So if I want to forbid the "contractors" from accessing the @EmpOnly servers on a given queue, would I simply modify the following xuser_lists line in the queue file as shown below? xuser_lists NONE,[@EmpOnly=contractors] Best regards, -- Mun ___ users mailing list users@gridengine.org https://gridengine.org/mailman/listinfo/users
Re: [gridengine users] Best way to restrict a user to a specific exec host?
Hi Reuti, On Tue, Apr 09, 2019 at 09:05 AM PDT, Reuti wrote: > > Am 09.04.2019 um 17:43 schrieb Mun Johl : > > > > Hi Reuti, > > > > Thank you for your reply! > > Please see my comments below. > > > > On Mon, Apr 08, 2019 at 10:27 PM PDT, Reuti wrote: > >> Hi, > >> > >>> Am 09.04.2019 um 05:37 schrieb Mun Johl : > >>> > >>> Hi all, > >>> > >>> My company is hiring a contractor for some development work. As such, I > >>> need to modify our grid configuration so that he only has access to a > >>> single execution host. That particular host (let's call it serverA) > >>> will not have all of our data disks mounted. > >>> > >>> NOTE: We are running SGE v8.1.9 on systems running Red Hat Enterprise > >>> Linux v6.8 . > >>> > >>> I'm not really sure how to proceed. I'm thinking of perhaps creating a > >>> new queue which only resides on serverA. > >> > >> There is no need for an additional queue. You can add him to the > >> xuser_lists of all oher queues. But a special queue with a limited number > >> of slots might give the contractor more priority to check his develoment > >> faster. Depends on personal taste whether this one is preferred. This > >> queue could have a forced complex with a high urgency, which he always > >> have to request (or you use JSV to add this to his job submissions). > > > > How would I proceed if I did not create an additional queue? You have > > me intrigued. That is, if I add him to the xuser_lists of all queues, > > he wouldn't be able to submit a job, would he? Perhaps I'm confused. > > All entries in the (cluster) queue definition allow a list of different > characteristics (similar to David's setup in the recent post): > > $ qconf -sq all.q > ... > user_lists NONE,[development_machine=banned_users] > xuser_lists NONE,[@ordinary_hosts=banned_users] > > to keep him away from certain machines only. You don't need both entries, it > depends whether there are machines for development use only, for ordinary > users only, and a pool of machines for mixed use. Sure, one would it rename > to "contractor_team" and not "banned_users", if it's used in "user_lists" too. Oh, I think I understand that now. You are putting a finer level of control on each queue and configuring said queue for which user(s) can access which host(s). Clever. > >>> We would ask the contractor to > >>> specify this new queue for his jobs. Furthermore, I would add the > >>> contractor to the xuser_lists of all other queues. > >>> > >>> Does that sound reasonable > >> > >> Yes. > >> > >> > >>> or is there an easier method for > >>> accomplishing this task within SGE? > >>> > >>> IF it makes sense to proceed in this manner, what is the easiest way to > >>> add the username of the contractor to the xuser_lists parameter? Can I > >>> simply add his username? Or do I need to create a new access list for > >>> him? > >> > >> Yes. > >> > >> $ qconf -au john_doe banned_users > > > > Okay, so to confirm: I create the banned_users ACL and add that ACL to > > all queues for which john_joe is banned. Correct? > > > > Thanks again for your time and knowledge! > > Either this or create a hostlist to shorten the number of machines for the > above setup. Understood. > === > > Even a forced complex could be bound this way to a hostgroup only: > > $ qconf -sq all.q > ... > complex_valuesNONE,[@ ordinary_hosts =contractor=TRUE] > > and the BOOL complex "contractor" with a high urgency. This is starting to make my head hurt ;) But I believe you have armed me with enough information for me to move forward with the requisite configuration changes. Thank you and best regards, -- Mun > -- Reuti > > > > Best regards, > > > > -- > > Mun > > > > > >>> Any and all examples of how to implement this type of configuration > >>> would be greatly appreciated since I am not an SGE expert by any stretch > >>> of the imagination. > >>> > >>> By the way, would the contractor only need an account on serverA in > >>> order to utilize SGE? Or would he need an account on the grid master as > >>> well? > >> > >> Are you not using a central user administration by NIS or LDAP? > >> > >> AFAICS he needs an entry only on the execution host (and on the submission > >> host of course). > >> > >> -- Reuti ___ users mailing list users@gridengine.org https://gridengine.org/mailman/listinfo/users
Re: [gridengine users] Best way to restrict a user to a specific exec host?
> Am 09.04.2019 um 17:43 schrieb Mun Johl : > > Hi Reuti, > > Thank you for your reply! > Please see my comments below. > > On Mon, Apr 08, 2019 at 10:27 PM PDT, Reuti wrote: >> Hi, >> >>> Am 09.04.2019 um 05:37 schrieb Mun Johl : >>> >>> Hi all, >>> >>> My company is hiring a contractor for some development work. As such, I >>> need to modify our grid configuration so that he only has access to a >>> single execution host. That particular host (let's call it serverA) >>> will not have all of our data disks mounted. >>> >>> NOTE: We are running SGE v8.1.9 on systems running Red Hat Enterprise Linux >>> v6.8 . >>> >>> I'm not really sure how to proceed. I'm thinking of perhaps creating a >>> new queue which only resides on serverA. >> >> There is no need for an additional queue. You can add him to the xuser_lists >> of all oher queues. But a special queue with a limited number of slots might >> give the contractor more priority to check his develoment faster. Depends on >> personal taste whether this one is preferred. This queue could have a forced >> complex with a high urgency, which he always have to request (or you use JSV >> to add this to his job submissions). > > How would I proceed if I did not create an additional queue? You have > me intrigued. That is, if I add him to the xuser_lists of all queues, > he wouldn't be able to submit a job, would he? Perhaps I'm confused. All entries in the (cluster) queue definition allow a list of different characteristics (similar to David's setup in the recent post): $ qconf -sq all.q … user_lists NONE,[development_machine=banned_users] xuser_lists NONE,[@ordinary_hosts=banned_users] to keep him away from certain machines only. You don't need both entries, it depends whether there are machines for development use only, for ordinary users only, and a pool of machines for mixed use. Sure, one would it rename to "contractor_team" and not "banned_users", if it's used in "user_lists" too. > >>> We would ask the contractor to >>> specify this new queue for his jobs. Furthermore, I would add the >>> contractor to the xuser_lists of all other queues. >>> >>> Does that sound reasonable >> >> Yes. >> >> >>> or is there an easier method for >>> accomplishing this task within SGE? >>> >>> IF it makes sense to proceed in this manner, what is the easiest way to >>> add the username of the contractor to the xuser_lists parameter? Can I >>> simply add his username? Or do I need to create a new access list for him? >> >> Yes. >> >> $ qconf -au john_doe banned_users > > Okay, so to confirm: I create the banned_users ACL and add that ACL to > all queues for which john_joe is banned. Correct? > > Thanks again for your time and knowledge! Either this or create a hostlist to shorten the number of machines for the above setup. === Even a forced complex could be bound this way to a hostgroup only: $ qconf -sq all.q … complex_valuesNONE,[@ ordinary_hosts =contractor=TRUE] and the BOOL complex "contractor" with a high urgency. -- Reuti > Best regards, > > -- > Mun > > >>> Any and all examples of how to implement this type of configuration >>> would be greatly appreciated since I am not an SGE expert by any stretch >>> of the imagination. >>> >>> By the way, would the contractor only need an account on serverA in >>> order to utilize SGE? Or would he need an account on the grid master as >>> well? >> >> Are you not using a central user administration by NIS or LDAP? >> >> AFAICS he needs an entry only on the execution host (and on the submission >> host of course). >> >> -- Reuti ___ users mailing list users@gridengine.org https://gridengine.org/mailman/listinfo/users
Re: [gridengine users] Best way to restrict a user to a specific exec host?
Hi Reuti, Thank you for your reply! Please see my comments below. On Mon, Apr 08, 2019 at 10:27 PM PDT, Reuti wrote: > Hi, > > > Am 09.04.2019 um 05:37 schrieb Mun Johl : > > > > Hi all, > > > > My company is hiring a contractor for some development work. As such, I > > need to modify our grid configuration so that he only has access to a > > single execution host. That particular host (let's call it serverA) > > will not have all of our data disks mounted. > > > > NOTE: We are running SGE v8.1.9 on systems running Red Hat Enterprise Linux > > v6.8 . > > > > I'm not really sure how to proceed. I'm thinking of perhaps creating a > > new queue which only resides on serverA. > > There is no need for an additional queue. You can add him to the xuser_lists > of all oher queues. But a special queue with a limited number of slots might > give the contractor more priority to check his develoment faster. Depends on > personal taste whether this one is preferred. This queue could have a forced > complex with a high urgency, which he always have to request (or you use JSV > to add this to his job submissions). How would I proceed if I did not create an additional queue? You have me intrigued. That is, if I add him to the xuser_lists of all queues, he wouldn't be able to submit a job, would he? Perhaps I'm confused. > > We would ask the contractor to > > specify this new queue for his jobs. Furthermore, I would add the > > contractor to the xuser_lists of all other queues. > > > > Does that sound reasonable > > Yes. > > > > or is there an easier method for > > accomplishing this task within SGE? > > > > IF it makes sense to proceed in this manner, what is the easiest way to > > add the username of the contractor to the xuser_lists parameter? Can I > > simply add his username? Or do I need to create a new access list for him? > > Yes. > > $ qconf -au john_doe banned_users Okay, so to confirm: I create the banned_users ACL and add that ACL to all queues for which john_joe is banned. Correct? Thanks again for your time and knowledge! Best regards, -- Mun > > Any and all examples of how to implement this type of configuration > > would be greatly appreciated since I am not an SGE expert by any stretch > > of the imagination. > > > > By the way, would the contractor only need an account on serverA in > > order to utilize SGE? Or would he need an account on the grid master as > > well? > > Are you not using a central user administration by NIS or LDAP? > > AFAICS he needs an entry only on the execution host (and on the submission > host of course). > > -- Reuti ___ users mailing list users@gridengine.org https://gridengine.org/mailman/listinfo/users
Re: [gridengine users] Best way to restrict a user to a specific exec host?
Hi, > Am 09.04.2019 um 05:37 schrieb Mun Johl : > > Hi all, > > My company is hiring a contractor for some development work. As such, I > need to modify our grid configuration so that he only has access to a > single execution host. That particular host (let's call it serverA) > will not have all of our data disks mounted. > > NOTE: We are running SGE v8.1.9 on systems running Red Hat Enterprise Linux > v6.8 . > > I'm not really sure how to proceed. I'm thinking of perhaps creating a > new queue which only resides on serverA. There is no need for an additional queue. You can add him to the xuser_lists of all oher queues. But a special queue with a limited number of slots might give the contractor more priority to check his develoment faster. Depends on personal taste whether this one is preferred. This queue could have a forced complex with a high urgency, which he always have to request (or you use JSV to add this to his job submissions). > We would ask the contractor to > specify this new queue for his jobs. Furthermore, I would add the > contractor to the xuser_lists of all other queues. > > Does that sound reasonable Yes. > or is there an easier method for > accomplishing this task within SGE? > > IF it makes sense to proceed in this manner, what is the easiest way to > add the username of the contractor to the xuser_lists parameter? Can I > simply add his username? Or do I need to create a new access list for him? Yes. $ qconf -au john_doe banned_users > Any and all examples of how to implement this type of configuration > would be greatly appreciated since I am not an SGE expert by any stretch > of the imagination. > > By the way, would the contractor only need an account on serverA in > order to utilize SGE? Or would he need an account on the grid master as > well? Are you not using a central user administration by NIS or LDAP? AFAICS he needs an entry only on the execution host (and on the submission host of course). -- Reuti ___ users mailing list users@gridengine.org https://gridengine.org/mailman/listinfo/users
[gridengine users] Best way to restrict a user to a specific exec host?
Hi all, My company is hiring a contractor for some development work. As such, I need to modify our grid configuration so that he only has access to a single execution host. That particular host (let's call it serverA) will not have all of our data disks mounted. NOTE: We are running SGE v8.1.9 on systems running Red Hat Enterprise Linux v6.8 . I'm not really sure how to proceed. I'm thinking of perhaps creating a new queue which only resides on serverA. We would ask the contractor to specify this new queue for his jobs. Furthermore, I would add the contractor to the xuser_lists of all other queues. Does that sound reasonable or is there an easier method for accomplishing this task within SGE? IF it makes sense to proceed in this manner, what is the easiest way to add the username of the contractor to the xuser_lists parameter? Can I simply add his username? Or do I need to create a new access list for him? Any and all examples of how to implement this type of configuration would be greatly appreciated since I am not an SGE expert by any stretch of the imagination. By the way, would the contractor only need an account on serverA in order to utilize SGE? Or would he need an account on the grid master as well? Thank you very much in advance. Kind regards, -- Mun ___ users mailing list users@gridengine.org https://gridengine.org/mailman/listinfo/users
[gridengine users] Best way to restrict a user to a specific exec host?
Hi all, My company is hiring a contractor for some development work. As such, I need to modify our grid configuration so that he only has access to a single execution host. That particular host (let's call it serverA) will not have all of our data disks mounted. NOTE: We are running SGE v8.1.9 on systems running Red Hat Enterprise Linux v6.8 . I'm not really sure how to proceed. I'm thinking of perhaps creating a new queue which only resides on serverA. We would ask the contractor to specify this new queue for his jobs. Furthermore, I would add the contractor to the xuser_lists of all other queues. Does that sound reasonable or is there an easier method for accomplishing this task within SGE? IF it makes sense to proceed in this manner, what is the easiest way to add the username of the contractor to the xuser_lists parameter? Can I simply add his username? Or do I need to create a new access list for him? Any and all examples of how to implement this type of configuration would be greatly appreciated since I am not an SGE expert by any stretch of the imagination. By the way, would the contractor only need an account on serverA in order to utilize SGE? Or would he need an account on the grid master as well? Thank you very much in advance. Kind regards, -- Mun ___ users mailing list users@gridengine.org https://gridengine.org/mailman/listinfo/users