Authorization Policy

Slurm-web can control access to data with a fine-grained role-based access control (RBAC) authorization policy. The authorization policy is enforced at agent level. In multi-clusters mode, policies can differ from one cluster to another.

Slurm-web permissions are independent of Slurm permissions (e.g. privatedata, coordinators, operators, etc.). For example, a user can have permission to view reservations in Slurm-web but not in Slurm, and vice versa. Users can even have permissions in Slurm-web without any permission on the Slurm cluster.

The Slurm-web agent component is installed with a default vendor authorization policy defined in the file /usr/share/slurm-web/conf/policy.ini. This default policy grants some permissions to anonymous users and a few more to authenticated users.

Do not edit this default vendor authorization policy, or your changes will be lost on the next Slurm-web upgrade!

A site-specific policy can be defined in the configuration file /etc/slurm-web/policy.ini. When this file is created, the default vendor policy is ignored.

File Format

The authorization policy is an INI file with different sections described below.

Roles Members

The file must have one [roles] section to define roles and their memberships. In this section:

  • Keys are arbitrary role names,

  • Values are comma-separated lists of the LDAP users and groups associated with the role. Group names must be prefixed by @. The special value ALL designates all users authenticated on the LDAP directory.

One role name is special: anonymous. When this role is defined, it is automatically assigned to all users when authentication is disabled on the Slurm-web gateway. The key of this special role does not need to be associated with a value.

An arbitrary number of roles can be defined.

Roles Permissions

A section must be defined for every role declared in the [roles] section. Each of these sections must have an actions key. The value assigned to this key is the comma-separated list of actions granted to the role.

Examples

Simple example
[roles]
# Members of rd and it groups have the user role
user=@rd,@it
# Members of it group have the admin role
admin=@it

[user]
actions=view-stats,view-jobs,view-accounts

[admin]
actions=view-nodes,view-partitions,view-qos,view-reservations

Two roles are defined in this authorization policy:

  • The user role is assigned to all members of the rd and it LDAP groups. Users with this role have permissions on the view-stats, view-jobs and view-accounts actions.

  • The admin role is assigned to all members of the it LDAP group. Users with this role have permissions on the view-nodes, view-partitions, view-qos and view-reservations actions.

Members of the it group inherit both the user and admin roles, with the union of all granted actions.

Full example
[roles]
# Enable anonymous role with basic views
anonymous
# All authenticated users have the user role
user=ALL
# Admin role for it group members
admin=@it,jdoe

[anonymous]
actions=view-stats

[user]
actions=view-stats,view-jobs,view-accounts

[admin]
actions=view-nodes,view-partitions,view-qos,view-reservations

The anonymous role is enabled in this authorization policy. It is assigned to all users when authentication is disabled in the Slurm-web gateway. This role is only granted the view-stats action.

Two other roles are defined in this authorization policy:

  • The user role is assigned to all users authenticated on the LDAP directory. This role gives permissions on the view-stats, view-jobs and view-accounts actions.

  • The admin role is assigned to all members of the it LDAP group and to the individual user jdoe. Users with this role have permissions on the view-nodes, view-partitions, view-qos and view-reservations actions.

Members of the it group and jdoe inherit both the user and admin roles, with the union of all granted actions.

Available Actions

This table describes the list of actions that can be assigned to roles:

| Action | Description |
|---|---|
| view-stats | View general cluster statistics in the home dashboard and clusters list. |
| view-jobs | Get the Jobs entry in the main menu and permission to view all users' jobs in the queue and all job details. |
| view-nodes | Get the Resources entry in the main menu and permission to view the list of compute nodes in the cluster with their status in Slurm. |
| view-partitions | Permission to filter jobs and nodes by partition. |
| view-qos | Get the QOS entry in the main menu and permission to view the list of defined QOS. |
| view-accounts | Permission to filter jobs by account. |
| view-reservations | Get the Reservations entry in the main menu and permission to view the list of defined reservations. |
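
The following Python example is added here and is not Slurm-web's own code: it parses a policy in the format described on this page, reports action names that are absent from the table above, and computes the union of actions a given user would hold. The function names and the membership-matching logic are assumptions drawn from this page's description, not from Slurm-web's implementation.

```python
import configparser
# Action names from the "Available Actions" table on this page.
KNOWN_ACTIONS = {"view-stats", "view-jobs", "view-nodes", "view-partitions",
                 "view-qos", "view-accounts", "view-reservations"}

def _csv(value):
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def load_policy(text):
    """Parse policy text into {role: (members, actions)}; raise on format errors."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep role names exactly as written
    cp.read_string(text)
    policy = {}
    for role, members in cp.items("roles"):  # raises if [roles] is missing
        if not cp.has_option(role, "actions"):
            raise ValueError(f"role {role!r} needs a [{role}] section with an actions key")
        policy[role] = (_csv(members), set(_csv(cp.get(role, "actions"))))
    return policy

def unknown_actions(policy):
    """Map each role to the actions it lists that are absent from the table."""
    return {r: a - KNOWN_ACTIONS for r, (_, a) in policy.items() if a - KNOWN_ACTIONS}

def effective_actions(policy, login=None, groups=(), authenticated=True):
    """Union of actions over every role that applies to this user."""
    if not authenticated:  # gateway authentication disabled: anonymous role only
        return set(policy.get("anonymous", ((), set()))[1])
    # Assumption (page is silent): authenticated users do not also get the anonymous role.
    granted = set()
    for members, actions in policy.values():
        if any(m in ("ALL", login) or (m[0] == "@" and m[1:] in groups) for m in members):
            granted |= actions
    return granted

# Constructed sample: the page's full example, comments removed.
SAMPLE = """[roles]
anonymous
user=ALL
admin=@it,jdoe
[anonymous]
actions=view-stats
[user]
actions=view-stats,view-jobs,view-accounts
[admin]
actions=view-nodes,view-partitions,view-qos,view-reservations
"""

if __name__ == "__main__":
    print(sorted(effective_actions(load_policy(SAMPLE), "alice", ["rd"])))
```

Running such a check against /etc/slurm-web/policy.ini before deploying it shows exactly what each role, including anonymous, is granted.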