TORQUE Administrator's Manual - 3.4 Host Security
3.4 Host Security
For systems that desire dedicated access to compute nodes (for example, users with sensitive data), TORQUE’s prologue and epilogue scripts (see Appendix G Prologue and Epilogue Scripts) provide a vehicle to leverage the authentication provided by Linux-PAM modules.
To allow only users with running jobs (and root) to access compute nodes, follow these steps:
- Untar contrib/pam_authuser.tar.gz (found in the src tar ball).
- Compile pam_authuser.c with make and make install on every compute node.
- Edit /etc/system-auth as described in README.pam_authuser, again on every compute node.
- Either make a tar ball of the epilogue* and prologue* scripts (to preserve the symbolic link) and untar it in the mom_priv directory, or just copy epilogue* and prologue* to mom_priv/.
The prologue* scripts are Perl scripts that add the user of the job to /etc/authuser. The epilogue* scripts then remove the first occurrence of the user from /etc/authuser. File locking is employed in all scripts to eliminate the chance of race conditions. The epilogue* scripts also contain commented-out code that, when activated, kills all processes owned by the user (using pkill) when that user does not have another valid job on the same node.
prologue* and epilogue* scripts were added to the pam_authuser tar ball in version 2.1 of TORQUE.
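The add/remove bookkeeping described above, as an added Python sketch (not TORQUE's code; the shipped scripts are Perl). It shows why only the first occurrence is removed: a user with two jobs on a node stays authorized until the last job ends. The one-username-per-line file format, the function names, and using the remaining entry as the "still has a job here" signal are assumptions.

```python
import fcntl
import os
from contextlib import contextmanager

AUTHUSER = "/etc/authuser"  # path from the page; one user per line is an assumption


@contextmanager
def locked(path):
    """Open path read/write (creating it if absent) under an exclusive lock."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o644)
    with os.fdopen(fd, "r+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)  # blocks while another script holds the lock
        try:
            yield fh
        finally:
            fh.flush()
            fcntl.flock(fh, fcntl.LOCK_UN)


def _rewrite(fh, users):
    # Rewrite in place: replacing the file via rename would swap the inode
    # and leave waiting processes locking a file nobody reads any more.
    fh.seek(0)
    fh.truncate()
    fh.writelines(u + "\n" for u in users)


def prologue_add(user, path=AUTHUSER):
    """Job start: append one entry per job, so duplicates are intentional."""
    with locked(path) as fh:
        users = fh.read().split()
        _rewrite(fh, users + [user])


def epilogue_remove(user, path=AUTHUSER):
    """Job end: drop only the first entry; return True if the user is still listed."""
    with locked(path) as fh:
        users = fh.read().split()
        if user in users:
            users.remove(user)  # list.remove deletes the first match only
        _rewrite(fh, users)
        return user in users  # False: no entry left, cleanup would be safe
```

Both functions take the file path as a parameter, so the logic can be exercised against a scratch file before touching a compute node.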