[Moabusers] moab 5.3 beta ignores MEMBERULIST
Douglas Wightman
wightman at clusterresources.com
Thu Oct 9 08:55:14 MDT 2008
Do you have "ENFORCEACCOUNTACCESS TRUE" in your moab.cfg file?
- Douglas
Brock Palen wrote:
> We use accounts to control access to SR's and use MEMBERULIST to
> control who can request such an account.
>
> Recently we found that users were allowed access to resources by setting
> their account to ones that they were not in MEMBERULIST
>
> For example:
>
> ACCOUNTCFG[veeras] MEMBERULIST=veeras,crealucu MAXPROC[USER]=132
> SRCFG[veeras] ACCOUNTLIST=veeras+,cacstaff
> SRCFG[veeras] QOSLIST=~preempt
> SRCFG[veeras] OWNER=ACCT:veeras
> SRCFG[veeras] HOSTLIST=nyx533.....
> SRCFG[veeras] PERIOD=INFINITY
> SRCFG[veeras] FLAGS=IGNSTATE,OWNERPREEMPT
>
> But the user mattkorz could do:
>
> qsub -A verras
>
> and gain access to the veeras reservation without the qos preempt,
>
> checkjob -v 1573430
>
> job 1573430 (RM job '1573430.nyx.engin.umich.edu')
>
> AName: STDIN
> State: Running
> Creds: user:mattkorz group:cacstaff account:veeras class:cac qos:cac
> WallTime: 00:00:00 of 00:05:00
> SubmitTime: Wed Oct 8 11:11:36
> (Time Queued Total: 00:00:06 Eligible: 00:00:06)
>
> StartTime: Wed Oct 8 11:11:42
> Total Requested Tasks: 1
>
> Req[0] TaskCount: 1 Partition: nyx
> Memory >= 0 Disk >= 0 Swap >= 0
> Opsys: --- Arch: --- Features: ---
> Dedicated Resources Per Task: PROCS: 1
> NodeAccess: ---
>
> Allocated Nodes:
> [nyx533:1]
>
> Task Distribution: nyx533
>
> UMask: 0000
> OutputFile: -
> (nyx-login1.engin.umich.edu:/home/mattkorz/STDIN.o1573430)
> ErrorFile: -
> (nyx-login1.engin.umich.edu:/home/mattkorz/STDIN.e1573430)
> StartCount: 1
> System Available Partition List: ALL,nyx,1
> Partition List: ALL,nyx,1
> SrcRM: nyx DstRM: nyx DstRMJID: 1573430.nyx.engin.umich.edu
> Submit Args: -I -l nodes=1,walltime=00:05:00 -A veeras
> Flags: BACKFILL,INTERACTIVE
> Attr: BACKFILL,INTERACTIVE,checkpoint
> StartPriority: 4999
> PE: 1.00
> Reservation '1573430' (-00:00:28 -> 00:04:32 Duration: 00:05:00)
>
>
> According to the manual this is not supposed to happen. PBS may accept
> a job with an account a user is not allowed to use, because it does not
> know of the ACL's in Moab, but Moab should block the job, right?
>
> http://www.clusterresources.com/products/mwm/docs/3.5credoverview.shtml#partition
>
>
> Brock Palen
> www.umich.edu/~brockp
> Center for Advanced Computing
> brockp at umich.edu
> (734)936-1985
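An added example, not part of the original thread and not Cluster Resources code: a small audit that reads `ACCOUNTCFG[...] MEMBERULIST=` entries from moab.cfg text, notes whether `ENFORCEACCOUNTACCESS TRUE` is present, and flags `checkjob -v` output where the `Creds:` user is not a listed member of the job's account. It assumes MEMBERULIST is the only source of account membership (other mechanisms are not consulted), and the sample input is constructed from the lines quoted in the thread, with job 1573431 invented for contrast.

```python
import re

# Constructed sample input modeled on the configuration and checkjob output in the thread.
SAMPLE_CFG = """\
ACCOUNTCFG[veeras] MEMBERULIST=veeras,crealucu MAXPROC[USER]=132
SRCFG[veeras] ACCOUNTLIST=veeras+,cacstaff
"""
SAMPLE_CHECKJOB = """\
job 1573430 (RM job '1573430.nyx.engin.umich.edu')
Creds: user:mattkorz group:cacstaff account:veeras class:cac qos:cac
job 1573431 (RM job '1573431.nyx.engin.umich.edu')
Creds: user:crealucu group:cacstaff account:veeras class:cac qos:cac
"""

def parse_config(text):
    """Return ({account: set(users)}, enforce_flag) parsed from moab.cfg text."""
    members, enforce = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"ACCOUNTCFG\[([^\]]+)\]\s+(.*)", line)
        if m:
            ul = re.search(r"\bMEMBERULIST=(\S+)", m.group(2))
            if ul:
                users = {u for u in ul.group(1).split(",") if u}
                members.setdefault(m.group(1), set()).update(users)
        elif re.match(r"ENFORCEACCOUNTACCESS\s+TRUE\b", line, re.I):
            enforce = True
    return members, enforce

def audit_jobs(checkjob_text, members):
    """Return [(job_id, user, account)] where user is not in the account's MEMBERULIST."""
    findings, job_id = [], None
    for line in checkjob_text.splitlines():
        j = re.match(r"\s*job (\S+)", line)
        if j:
            job_id = j.group(1)
            continue
        c = re.search(r"Creds:\s+(.*)", line)
        if c:
            creds = dict(kv.split(":", 1) for kv in c.group(1).split() if ":" in kv)
            user, acct = creds.get("user"), creds.get("account")
            # Only accounts that define a MEMBERULIST are treated as restricted.
            if acct in members and user not in members[acct]:
                findings.append((job_id, user, acct))
    return findings

if __name__ == "__main__":
    members, enforce = parse_config(SAMPLE_CFG)
    print("ENFORCEACCOUNTACCESS TRUE present:", enforce)
    for finding in audit_jobs(SAMPLE_CHECKJOB, members):
        print("job %s: user %s ran under account %s without membership" % finding)
```
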