Authorization Policy
Slurm-web offers the possibility to manage permissions to access data with fine-grain role-based access control (RBAC) authorization policy. The authorization policy is enforced at agent level. In multi-clusters mode, policies can be different on all clusters.
Slurm-web permissions are independent of Slurm permissions (ex: privatedata, coordinators, operators, etc…). For example, users can have the permission to view reservations in Slurm-web but not in Slurm and vice-versa. Users can even have permissions in Slurm-web without any permission on Slurm cluster.
Slurm-web agent component is installed with a default vendor authorization
policy defined in file /usr/share/slurm-web/conf/policy.ini. This
default policy gives anonymous users some permissions and authenticated users
a bit more permissions.
| Do not edit this default vendor authorization policy, or your changes will be lost on next Slurm-web upgrades! |
A site specific policy can be defined in configuration file
/etc/slurm-web/policy.ini. When this file is created, the default
vendor policy is ignored.
File Format
The authorization policy is an INI file with different sections described below.
Roles Members
The file must have one [roles] section to define roles and their memberships.
In this section:
-
Keys are arbitrary name of roles,
-
Values are comma separated list of users and groups associated to this role. The groups names must be prefixed by
@. Special valueALLcan be used to designate all authenticated users.
A special role name is anonymous. When this role is defined, it is
automatically assigned to all users when authentication is disabled on Slurm-web
gateway. The key of this special role does not have to be associated to a
value.
Arbitrary number of roles can be defined.
Roles Permissions
Sections must be defined for every roles defined in [roles] section. All these
sections must have an actions key. The value assigned to this key is the
comma-separated list of actions granted to the role.
Examples
Show simple example
[roles]
user=@biology
admin=njones
[user]
actions=stats-view,jobs-view,jobs-view-past,nodes-view
[admin]
actions=partitions-view,qos-view,accounts-view,reservations-view,associations-view
This policy defines two roles:
-
user for members of biology group. This role has permission on
stats-view,jobs-view,jobs-view-pastandnodes-viewactions. -
admin for njones user. This role has permission on
partitions-view,qos-view,accounts-view,reservations-viewandassociations-viewactions.
User njones who is also member of biology group is granted both user and admin roles, she has access to everything:

Another user in biology group can only view jobs and nodes:

Access to the cluster is denied to all other users:

Show full example
[roles]
# Enable anonymous role with basic views
anonymous
# All authenticated users have the user role
user=ALL
# Admin role for it group members
admin=@it,jdoe
[anonymous]
actions=stats-view
[user]
actions=stats-view,jobs-view,jobs-view-past,accounts-view
[admin]
actions=nodes-view,partitions-view,qos-view,reservations-view
Anonymous role is enabled in this authorization policy. It is assigned to all
users when authentication is disabled in Slurm-web gateway. This role is only
granted the stats-view action.
Two other roles are defined in this authorization policy:
-
user role is assigned to all users authenticated on LDAP directory. This role gives permissions on
stats-view,jobs-view,jobs-view-pastandaccounts-viewactions. -
admin role is assigned to all members of it LDAP group and jdoe individual user. Users with this role haves permissions on
nodes-view,partitions-view,qos-viewandreservations-viewactions.
Members of it group and jdoe inherit both user and admin roles with the union of all granted actions.
Show example to restrict users to their own jobs
[roles]
user=ALL
[user]
actions=stats-view,jobs-view-own,jobs-view-past-own,nodes-view
Authenticated users with the user role can access the Jobs menu and see only
their own active and terminated jobs. The jobs-view-own and
jobs-view-past-own actions restrict job lists and details to the
current user. Users with jobs-view or jobs-view-past still see all users'
jobs for the corresponding scope.
Available Actions
This table describes the list of actions that can be assigned to roles:
| Action | Description |
|---|---|
stats-view |
View general cluster statistics in home dashboard and clusters list. |
view-stats |
Deprecated. Use stats-view instead. |
jobs-view |
Get Jobs entry in main menu and permission to view all users jobs in queue and all jobs details. |
view-jobs |
Deprecated. Use jobs-view instead. |
jobs-view-own |
Get Jobs entry in main menu and permission to view only the current user’s own jobs in queue and own job details. |
jobs-view-past |
Permission to view all users past jobs and query finished jobs from Slurm accounting. |
jobs-view-past-own |
Permission to view only the current user’s own terminated jobs from Slurm accounting. |
nodes-view |
Get Resources entry in main menu and permission to view the list of compute nodes in cluster with their status in Slurm. |
view-nodes |
Deprecated. Use nodes-view instead. |
partitions-view |
Permission to filter jobs and nodes by partition. |
view-partitions |
Deprecated. Use partitions-view instead. |
qos-view |
Get QOS entry in main menu and permission to view the list of defined QOS. |
view-qos |
Deprecated. Use qos-view instead. |
accounts-view |
Permission to filter jobs by account. |
view-accounts |
Deprecated. Use accounts-view instead. |
associations-view |
Get Accounts entry in main menu and permission to view the list of associations (accounts, users and limits). |
reservations-view |
Get Reservations entry in main menu and permission to view the list of defined reservations. |
view-reservations |
Deprecated. Use reservations-view instead. |
cache-view |
Access to cache information and metrics in settings panel. |
cache-reset |
Reset cache statistics in settings panel. |