Enabling PAM with TORQUE
TORQUE is able to take advantage of the authentication services provided through Pluggable Authentication Modules (PAM) to help administrators manage access to compute nodes by users. The PAM module available in TORQUE is located in the PAM security directory. This module, when used in conjunction with other PAM modules, restricts access to the compute node unless the user has a job currently running on the node.
To enable TORQUE PAM configure TORQUE using the --with-pam option. Using --with-pam is sufficient but if your PAM security modules are not in the default /lib/security or /lib64/security directory, you can specify the location using --with-pam=<DIR> where <DIR> is the directory where you want the modules to be installed. When TORQUE is installed the files pam_pbssimpleauth.la and pam_pbssimpleauth.so appear in /lib/security, /lib64/security, or the directory designated on the configuration line.
PAM is very flexible and policies vary greatly from one site to another. The following example restricts users trying to access a node using SSH. Administrators need to assess their own installations and decide how to apply the TORQUE PAM restrictions.
After installing TORQUE with PAM enabled, add the following two lines to /etc/pam.c/sshd:
account required pam_pbssimpleauth.so
account required pam_access.so
In /etc/security/access.conf make sure all users who access the compute node are added to the configuration. This is an example which allows the users root, george, allen, and michael access.
-:ALL EXCEPT root george allen michael torque:ALL
With this configuration, if user george has a job currently running on the compute node, george can use ssh to login to the node. If there are currently no jobs running, george is disconnected when attempting to login.
TORQUE PAM is good at keeping users out who do not have jobs running on a compute node. However, it does not have the ability to force a user to log out once they are in. To accomplish this use epilogue or prologue scripts to force users off the system.
Legacy TORQUE PAM configuration
There is an alternative PAM configuration for TORQUE that has been available since 2006. It can be found in the contrib/pam_authuser directory of the source tree. Adaptive Computing does not currently support this method but the instructions are given here for those who are currently using it and for those who wish to use it.
For systems requiring dedicated access to compute nodes (for example, users with sensitive data), TORQUE prologue and epilogue scripts provide a vehicle to leverage the authentication provided by linux-PAM modules. (See Prologue and epilogue scripts for more information.)
To allow only users with running jobs (and root) to access compute nodes
The prologue* scripts are Perl scripts that add the user of the job to /etc/authuser. The epilogue* scripts then remove the first occurrence of the user from /etc/authuser. File locking is employed in all scripts to eliminate the chance of race conditions. There is also some commented code in the epilogue* scripts, which, if uncommented, kills all processes owned by the user (using pkill), provided that the user doesn't have another valid job on the same node.
prologue and epilogue scripts were added to the pam_authuser tarball in version 2.1 of TORQUE.
Related topics