Module Name:
  pam_slurm

Authors:
  Chris Dunlap <cdunlap@llnl.gov>
  Jim Garlick  <garlick@llnl.gov>
  Moe Jette    <jette1@llnl.gov>

Management Groups Provided:
  account

System Dependencies:
  libslurm.so

Overview:
  Restricts access to compute nodes in a cluster using Slurm.

Recognized Arguments:
  debug; no_sys_info; no_warn; rsh_kludge; rlogin_kludge

Description:
  This module restricts access to compute nodes in a cluster where the
  Slurm workload manager is in use.  Access is granted to root, any user
  with an Slurm-launched job currently running on the node, or any user
  who has allocated resources on the node according to the Slurm database.

  The behavior of this module can be modified with the following flags:

    debug         - log debugging information to the system log file
    no_sys_info   - suppress system logging of "access granted for user ...",
                    access denied and other errors will still be logged
    no_warn       - suppress warning messages to the application
    rsh_kludge    - prevent truncation of first char from rsh error msg
    rlogin_kludge - prevent "staircase-effect" following rlogin error msg

Notes:
  This module will not work on systems where the hostname returned by the
     gethostname() differs from the Slurm node name.
  rsh_kludge - The rsh service under RH71 (rsh-0.17-2.5) truncates the first
     character of this message.  The rsh client sends 3 NUL-terminated ASCII
     strings: client-user-name, server-user-name, and command string.  The
     server then validates the user.  If the user is valid, it responds with a
     1-byte zero; otherwise, it responds with a 1-byte one followed by an ASCII
     error message and a newline.  RH's server is using the default PAM
     conversation function which doesn't prepend the message with a
     single-byte error code.  As a result, the client receives a string,
     interprets the first byte as a non-zero status, and treats the
     remaining string as an error message.  The rsh_kludge prepends a
     newline which will be interpreted by the rsh client as an error status.
  rlogin_kludge - The rlogin service under RH71 (rsh-0.17-2.5) does not perform
     a carriage-return after the PAM error message is displayed which results
     in the "staircase-effect" of the next message. The rlogin_kludge appends
     a carriage-return to prevent this.

Examples / Suggested Usage:
  Use of this module is recommended on any compute node where you want to
  limit access to just those users who are currently scheduled to run jobs.

  For /etc/pam.d/ style configurations where modules live in /lib/security/,
  add the following line to the PAM configuration file for the appropriate
  service(s) (eg, /etc/pam.d/system-auth):

    account    required     /lib/security/pam_slurm.so

  If you always want to allow access for an administrative group (eg, wheel),
  stack the pam_access module ahead of pam_slurm:

    account    sufficient   /lib/security/pam_access.so
    account    required     /lib/security/pam_slurm.so

  Then edit the pam_access configuration file (/etc/security/access.conf):

    +:wheel:ALL
    -:ALL:ALL

  When access is denied because the user does not have an active job running
  on the node, an error message is returned to the application:

    Access denied: user foo (uid=1313) has no active jobs.

  This message can be suppressed by specifying the "no_warn" argument in the
  PAM configuration file.
