Create User permission groups at queue level


#1

Hello,

Let’s say I have 3 users user1, user2, and user3. Today those are regular users which can qsub / qmove their own jobs. I want to create a group of admin users which will be able to perform the same commands to jobs they don’t own.

I also want to configure this (if possible) at a queue level (and not just configure user1 to be a PBS admin).

On my current PBS (v14.1), I tested acl_user_enable, but this only grant ability to certains user to submit jobs to the queue. I also tested query_other_jobs but this settings seems to allow all users to modify other’s jobs.
Then I came accross to PBS Operators, which seems to be what I’m looking for, but once again, this apply to all my queues.

Is there any way I can chroot PBS Operators to be able to perform commands to only specific queues?

Thanks


#2

Hi,

PBS Operators and PBS Managers different roles that can be assigned to the user to control the PBS Complex.

You can create the below hook events :

  1. queuejob hook : to decide which users can submit jobs to which queue
  2. movejob hook : to decide which users are allowed to move the job
  3. modifyjob hook : to decide which users are allowed to modify the job

User can modify their own jobs, but not other user jobs
User delegated as Operators or Managers can only modify other user jobs.

Yes operators can be made to perform commands only on specific queues using above mentioned hooks

For example:

  • userA can be an operator and at the same time userA can be avoided to modify jobs in the queueX using modifyjob
  • sample hook is as below

import pbs

pbs.logmsg(pbs.LOG_DEBUG, “requestor=%s” % (pbs.event().requestor,))
admin_ulist = [“PBS_Server”, “Scheduler”, “pbs_mom”, “root”]
try:
if pbs.event().requestor not in admin_ulist:
pbs.event().reject(“Normal users are not allowed to modify their jobs attributes. Please contact your PBS Administrator”)
except SystemExit:
pass

Thank you


#3

Hey adarsh -

Thanks for the clarifications. Indeed the hook approach is a good idea.

Thanks