Merge pull request #350 from mboisson/allow_pam_access_group

Add a parameter to grant groups ssh access to compute nodes
ComputeCanada · Jan 24, 2025 · 820953c · 820953c
2 parents 9491d9f + 9e411e7
commit 820953c
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -42,6 +42,7 @@ The `profile::` sections list the available classes, their role and their parame
 - [`profile::rsyslog::server`](#profilersyslogserver)
 - [`profile::vector`](#profilervector)
 - [`profile::slurm::base`](#profileslurmbase)
+- [`profile::slurm::node`](#profileslurmnode)
 - [`profile::slurm::accounting`](#profileslurmaccounting)
 - [`profile::slurm::controller`](#profileslurmcontroller)
 - [`profile::slurm::node`](#profileslurmnode)
@@ -971,6 +972,22 @@ When `profile::slurm::base` is included, these classes are included too:
 - [`profile::consul`](#profileconsul)
 - [`profile::base::powertools`](#profilebasepowertools)
 
+## `profile::slurm::node`
+This class allows some configuration for the Slurm compute nodes.
+
+### parameters
+| Variable                | Description                                             | Type   |
+| :---------------------- | :------------------------------------------------------ | :----- |
+| `pam_access_groups`     | Groups that can access the node regardless of Slurm jobs | Array[String] |
+
+<details>
+<summary>default values</summary>
+
+```yaml
+profile::slurm::node::pam_access_groups: ['wheel']
+```
+</details>
+
 
 ## `profile::slurm::accounting`
 

diff --git a/site/profile/manifests/slurm.pp b/site/profile/manifests/slurm.pp
@@ -522,6 +522,7 @@
 # Slurm node class. This is where slurmd is ran.
 class profile::slurm::node (
   Boolean $enable_tmpfs_mounts = true,
+  Array[String] $pam_access_groups = ['wheel'],
 ) {
   contain profile::slurm::base
 
@@ -581,17 +582,19 @@
     require  => Pam['Add pam_slurm_adopt']
   }
 
-  $access_conf = '
+  $access_conf = @(END)
 # Allow root cronjob
 + : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
-# Allow admin to connect, deny all other
-+:wheel:ALL
+# Allow other groups if any
+<% $pam_access_groups.each | $group | { %>
++:<%= $group %>:ALL
+<% } %>
 -:ALL:ALL
-'
+|END
 
   file { '/etc/security/access.conf':
     ensure  => present,
-    content => $access_conf
+    content => inline_epp($access_conf, { 'pam_access_groups' => $pam_access_groups }),
   }
 
   selinux::module { 'sshd_pam_slurm_adopt':