[slurm-dev] Re: Authentication and invoking slurm commands from web app

2014-10-02 Thread Brian B.
Hello Jose,

It is never a good idea to have the public-facing credentials be the same as 
the private credentials. That is, if your public-facing server is compromised, 
your internal system is compromised. The limited cases where direct internal 
access is needed (e.g. SSH) should be handled by hardened servers. 

Allowing users to input executable commands on a webpage is also not a good 
security practice. This is essentially how the Shellshock bug works. 

This is just my take on things but I would suggest building a different system. 

--
Regards,
Brian

> On Oct 2, 2014, at 06:40, José Román Bilbao Castro  wrote:
> 
> Hi all,
> 
> First of all, this is my very first message to the list and don't even know 
> if this is the proper place to post this message. 
> 
> I am facing a simple project that should allow a slurm user to monitor his 
> jobs running on a slurm server. I have been looking at the Slurm 
> authentication API but I cannot find anything useful for me as this seems to 
> be applied to users already logged in the system. My question is where to 
> start looking at (technologies, web development frameworks, etc...) to be 
> able to enter a user/password on the web browser that coincides with that of 
> the Linux user, send the credentials to the server, execute a slurm command 
> on behalf of that user and print results back... 
> 
> Maybe this is a very complex question, but I have not much experience in web 
> development and how it should be done to link slurm commands execution, 
> specific user authorization, etc... 
> 
> Thanks in advance,
> 
> Jose
> 
> -- 
> 
> José Román Bilbao Castro
> 
> Consulting Engineer
> +34 901009188
> jrbc...@idiria.com
> http://www.idiria.com 
> 


[slurm-dev] Re: Authentication and invoking slurm commands from web app

2014-10-02 Thread José Román Bilbao Castro
Thanks Brian,

So you propose to have something like an intermediate database that maps
web portal users to system users and make all calls internally from the
webserver, right? I just wanted to avoid the intermediate step for
simplicity, but it seems to be a bad practice.

So, regarding the second step... what is the safest and more logical manner
of invoking slurm commands from the webserver? I mean, at the end I must
pass some credentials for the right user... Or should I have a tomcat user
that belongs to the sudo group and call invoke commands as another user? I
am totally lost and need some thread to start pulling from it.

Thanks again,

Jose



[slurm-dev] Re: Authentication and invoking slurm commands from web app

2014-10-02 Thread José Román Bilbao Castro
Thanks Lech,

That is something to start with. The problem is that I plan to add
submission in the future and don't want to start something that will have
to be changed too much with time. So I would prefer to be able to firstly
execute any slurm command from my webserver and for any user...

Regards,

Jose

2014-10-02 15:28 GMT+02:00 Lech Nieroda :

> Hello José,
>
> you might be interested in ubmod or its successor open xdmod. It's a
> system that queries SLURM regularly, writes the data into its own database
> and makes it available via webserver. You'd probably have to implement
> proper security measures for user management.
>
> Regards,
> Lech
>
> (sent from mobile)

[slurm-dev] Re: Authentication and invoking slurm commands from web app

2014-10-02 Thread jette


Brigham Young University has developed a number of web interfaces to Slurm. See:

https://marylou.byu.edu/documentation/slurm/script-generator
https://marylou.byu.edu/utilization/

Their JavaScript tool to generate batch job scripts is here:
https://github.com/BYUHPC/BYUJobScriptGenerator





[slurm-dev] Re: Authentication and invoking slurm commands from web app

2014-10-02 Thread José Román Bilbao Castro
Nice!! I think this gives a much more detailed insight into the problem I
am facing!

Thanks a lot!


[slurm-dev] Re: Authentication and invoking slurm commands from web app

2014-10-02 Thread José Román Bilbao Castro
It seems I was too fast... They don't seem to have open-sourced code. In
fact, they ask for specific Keys for each implementation so I suppose this
is a closed project for their users only... :-(


[slurm-dev] Re: Authentication and invoking slurm commands from web app

2014-10-02 Thread Lech Nieroda
Hello José,

you might be interested in ubmod or its successor open xdmod. It's a system 
that queries SLURM regularly, writes the data into its own database and makes 
it available via webserver. You'd probably have to implement proper security 
measures for user management.

Regards,
Lech

(sent from mobile)

[slurm-dev] Re: Authentication and invoking slurm commands from web app

2014-10-02 Thread Ryan Cox
What keys are you talking about?  Are you referring to the script 
generator that Moe linked to?  It's on github as LGPL with no keys of 
any kind: https://github.com/BYUHPC/BYUJobScriptGenerator. It only 
creates a script but doesn't submit it.  We could easily add that 
capability for our own site but we haven't gotten around to it since 
copy-paste then "sbatch thefilename" isn't exactly hard.


Unfortunately a lot of our internal stuff isn't available as open source 
since it's way too tied to internal systems.  Utilization graphs are 
pretty easy.  You can get some information directly from the database 
but we prefer to have more advanced information available.  Some of it 
involves running scontrol to periodically populate tables (we should 
have used the perl API but we hadn't looked at it yet... oh well).


We also have a pretty substantial web services API which is also too 
integrated into our systems to release it.  Among many other things, it 
allows for querying information about all jobs, specific jobs, nodes, 
etc.  Users can submit jobs and admins can modify node state, etc.  The 
key for security is to have a good authentication method and have your 
commands only take well-sanitized input.  In other words, if you want to 
do something like call "scontrol show job" directly, make sure that it 
accepts one parameter from the user, an integer that you have verified 
is only an integer.  Even then, bash may happen :)


Creating an API or doing something like that more directly on the web 
server isn't a trivial task.  You may want to look for existing 
solutions like those mentioned by Lech and others, though I haven't 
looked at those myself.  Having done this ourselves, I know that it can 
take a long time to do it right.


Ryan


On 10/02/2014 08:20 AM, José Román Bilbao Castro wrote:
It seems I was too fast... They don't seem to have open-sourced code. 
In fact, they ask for specific Keys for each implementation so I 
suppose this is a closed project for their users only... :-(


2014-10-02 15:51 GMT+02:00 <je...@schedmd.com>:


Brigham Young University has developed a number of web interfaces
to SLurm. See:
https://marylou.byu.edu/documentation/slurm/script-generator
https://marylou.byu.edu/utilization/

Their Javascript tool to generate batch job scripts is here:
https://github.com/BYUHPC/BYUJobScriptGenerator





Quoting José Román Bilbao Castro <jrbc...@idiria.com>:

Thanks Lech,

That is something to start with. The problem is that I plan to add
submission in the future and don't want to start something that will have
to be changed too much with time. So I would prefer to be able to firstly
execute any slurm command from my webserver and for any user...

Regards,

Jose

2014-10-02 15:28 GMT+02:00 Lech Nieroda <lech.nier...@uni-koeln.de>:

Hello José,

you might be interested in ubmod or its successor open xdmod. It's a
system that queries SLURM regularly, writes the data into its own database
and makes it available via webserver. You'd probably have to implement
proper security measures for user management.

Regards,
Lech

(sent from mobile)
On 02.10.2014 14:38, José Román Bilbao Castro
<jrbc...@idiria.com> wrote:

Thanks Brian,

So you propose to have something like an intermediate database that maps
web portal users to system users and make all calls internally from the
webserver, right?. I just wanted to avoid the intermediate step for
simplicity, but it seems to be a bad practice.

So, regarding the second step... what is the safest and more logical
manner of invoking slurm commands from the webserver?. I mean, at the end I
must pass some credentials for the right user... Or should I have a tomcat
user that belongs to the sudo group and call invoke commands as another
user?. I am totally lost and need some thread to start pulling from it.

Thanks again,

Jose


2014-10-02 13:23 GMT+02:00 Brian B. <for...@gmail.com>:

Hello Jose,

It is never a good idea to have the public facing credentials be the same
as the private credentials. That is if your public facing server is
compromise
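
The "scontrol show job" advice in Ryan Cox's message above (one user parameter, verified to be only an integer), as an added example that is not part of the original thread or of BYU's code. The function names, the `/usr/bin/scontrol` path and the environment values are assumptions; running the command without a shell and with a fixed environment keeps request data away from bash, the Shellshock concern raised in this thread.

```python
import re
import subprocess

SCONTROL = "/usr/bin/scontrol"   # assumed install path; absolute, so no PATH lookup
CLEAN_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}  # fixed; nothing from the request
JOB_ID_RE = re.compile(r"[1-9][0-9]{0,9}")  # ASCII digits only, bounded length


def parse_job_id(raw):
    """Return the job ID as an int, or raise ValueError."""
    # fullmatch (not match or $) also rejects a trailing newline.
    if not isinstance(raw, str) or JOB_ID_RE.fullmatch(raw) is None:
        raise ValueError("job id must be a plain positive integer")
    return int(raw)


def scontrol_argv(raw_job_id):
    """Build argv from the validated integer, never from the raw text."""
    return [SCONTROL, "show", "job", str(parse_job_id(raw_job_id))]


def show_job(raw_job_id, run=subprocess.run):
    """Run `scontrol show job <id>` with no shell and a scrubbed environment."""
    result = run(
        scontrol_argv(raw_job_id),
        shell=False,               # argv goes straight to exec; no shell parses it
        env=CLEAN_ENV,             # request data never becomes an environment variable
        stdin=subprocess.DEVNULL,
        capture_output=True,
        text=True,
        timeout=10,
        check=False,
    )
    return result.returncode, result.stdout


if __name__ == "__main__":
    # Constructed sample inputs, as they might arrive from a web form.
    for raw in ["12345", "12345; id", "-1", "12 34", "12345\n", ""]:
        try:
            print(repr(raw), "->", scontrol_argv(raw))
        except ValueError as exc:
            print(repr(raw), "-> rejected:", exc)
```

Authentication and the mapping from portal user to system user are separate problems that this sketch does not address; it only covers the input-handling half of the advice.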

[slurm-dev] Re: Authentication and invoking slurm commands from web app

2014-10-02 Thread José Román Bilbao Castro
Well, under:

https://marylou.byu.edu/documentation/apps/api/

At the API Keys section. This is why I supposed this is for internal use only
and therefore it shouldn't be open-sourced.

The script generator, although very useful is not the purpose of my
research at the moment.

So I understand that you use scontrol to get periodic status on jobs and
infrastructure. That is right but I am still intrigued with mechanisms
needed to perform a job submission. But as you explained it is not
implemented yet. Bad luck for me :).

Anyway, I will keep on investigating on this issue. Not only on the slurm
issue but on the way that people make this kind of tasks involving system
users and commands.

Thanks a lot,

Jose

Sent from my iPad

On 2/10/2014, at 17:44, Ryan Cox wrote:

What keys are you talking about?  Are you referring to the script
generator that Moe linked to?  It's on github as LGPL with no keys of any
kind: https://github.com/BYUHPC/BYUJobScriptGenerator.  It only creates a
script but doesn't submit it.  We could easily add that capability for our
own site but we haven't gotten around to it since copy-paste then "sbatch
thefilename" isn't exactly hard.

Unfortunately a lot of our internal stuff isn't available as open source
since it's way too tied to internal systems.  Utilization graphs are
pretty easy.  You can get some information directly from the database but
we prefer to have more advanced information available.  Some of it
involves running scontrol to periodically populate tables (we should have
used the perl API but we hadn't looked at it yet... oh well).

We also have a pretty substantial web services API which is also too
integrated into our systems to release it.  Among many other things, it
allows for querying information about all jobs, specific jobs, nodes,
etc.  Users can submit jobs and admins can modify node state, etc.  The
key for security is to have a good authentication method and have your
commands only take well-sanitized input.  In other words, if you want to
do something like call "scontrol show job" directly, make sure that it
accepts one parameter from the user, an integer that you have verified is
only an integer.  Even then, bash may happen :)

Creating an API or doing something like that more directly on the web
server isn't a trivial task.  You may want to look for existing solutions
like those mentioned by Lech and others, though I haven't looked at those
myself.  Having done this ourselves, I know that it can take a long time
to do it right.

Ryan


On 10/02/2014 08:20 AM, José Román Bilbao Castro wrote:

It seems I was too fast... They don't seem to have open-sourced code. In
fact, they ask for specific Keys for each implementation so I suppose this
is a closed project for their users only... :-(

2014-10-02 15:51 GMT+02:00 :

>
> Brigham Young University has developed a number of web interfaces to
> SLurm. See:
> https://marylou.byu.edu/documentation/slurm/script-generator
> https://marylou.byu.edu/utilization/
>
> Their Javascript tool to generate batch job scripts is here:
> https://github.com/BYUHPC/BYUJobScriptGenerator
>
>
>
>
>
> Quoting José Román Bilbao Castro :
>
>Thanks Lech,
>>
>> That is something to start with. The problem is that I plan to add
>> submission in the future and don't want to start something that will have
>> to be changed too much with time. So I would prefer to be able to firstly
>> execute any slurm command from my webserver and for any user...
>>
>> Regards,
>>
>> Jose
>>
>> 2014-10-02 15:28 GMT+02:00 Lech Nieroda :
>>
>>Hello José,
>>>
>>> you might be interested in ubmod or its successor open xdmod. It's a
>>> system that queries SLURM regularly, writes the data into its own
>>> database
>>> and makes it available via webserver. You'd probably have to implement
>>> proper security measures for user  management.
>>>
>>> Regards,
>>> Lech
>>>
>>> (sent from mobile)
>>> On 02.10.2014 14:38, José Román Bilbao Castro <
>>> jrbc...@idiria.com> wrote:
>>>
>>> Thanks Brian,
>>>
>>> So you propose to have something like an intermediate database that maps
>>> web portal users to system users and make all calls internally from the
>>> webserver, right?. I just wanted to avoid the intermediate step for
>>> simplicity, but it seems to be a bad practice.
>>>
>>> So, regarding the second step... what is the safest and more logical
>>> manner of invoking slurm commands from the webserver?