From faf4de8b781a238f9f934470d8551431c8e248f1 Mon Sep 17 00:00:00 2001 From: alexandermichels Date: Tue, 30 May 2023 09:24:21 -0500 Subject: [PATCH] working on per hpc allow/deny --- configs/hpc.example.json | 16 ++++++++++++---- server.ts | 8 ++++++++ src/Helper.ts | 37 ++++++++++++++++++++++++++++++++++++- src/types.ts | 2 ++ 4 files changed, 58 insertions(+), 5 deletions(-) diff --git a/configs/hpc.example.json b/configs/hpc.example.json index 79185ae7..0367b93a 100644 --- a/configs/hpc.example.json +++ b/configs/hpc.example.json @@ -31,7 +31,9 @@ }, "mount": { "/data/cigi/scratch/cigi-gisolve/compute_shared": "/compute_shared" - } + }, + "allowlist" : [], + "denylist": [] }, "expanse_community": { "ip": "login.expanse.sdsc.edu", @@ -75,7 +77,9 @@ "xsede_job_log_credential": { "xsederesourcename": "expanse.sdsc.xsede.org", "apikey": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" - } + }, + "allowlist" : [], + "denylist": [] }, "bridges_community_gpu": { "ip": "bridges2.psc.edu", @@ -105,7 +109,9 @@ "export tmp_path=\"/tmp/cvmfs-$(openssl rand -hex 12)\"", "mkdir $tmp_path" ], - "init_sbatch_options": ["#SBATCH --partition=GPU-shared"] + "init_sbatch_options": ["#SBATCH --partition=GPU-shared"], + "allowlist" : [], + "denylist": [] }, "anvil_community": { "ip": "anvil.rcac.purdue.edu", @@ -141,6 +147,8 @@ "export tmp_path=\"/tmp/cvmfs-$(openssl rand -hex 12)\"", "mkdir $tmp_path" ], - "init_sbatch_options": ["#SBATCH --partition=shared", "#SBATCH --nodes=1"] + "init_sbatch_options": ["#SBATCH --partition=shared", "#SBATCH --nodes=1"], + "allowlist" : [], + "denylist": [] } } diff --git a/server.ts b/server.ts index 51e120f3..b2225f0f 100644 --- a/server.ts +++ b/server.ts @@ -908,6 +908,14 @@ app.post("/job", async function (req, res) { res.status(401).json({ error: "unrecognized hpc", message: null }); return; } + // check if the user can use the HPC + var allowedOnHPC = Helper.canAccessHPC(res.locals.username, hpcName); + console.log(allowedOnHPC); + if (!allowedOnHPC) { + res.status(401).json({ error: "Not authorized for HPC", message: null}); + return; + } + try { if (!hpc.is_community_account) { diff --git a/src/Helper.ts b/src/Helper.ts index d8c5d18a..97308210 100644 --- a/src/Helper.ts +++ b/src/Helper.ts @@ -1,5 +1,5 @@ import { Job } from "./models/Job"; -import { jupyterGlobusMap } from "../configs/config"; +import { hpcConfigMap, jupyterGlobusMap } from "../configs/config"; import * as fs from "fs"; var Helper = { @@ -102,6 +102,11 @@ var Helper = { return Object.keys(obj).length == 0; }, + /** + * + * @param host JupyterHub submitting jobs + * @returns bool, whether or not the Jupyter can submit + */ isAllowlisted(host: string): boolean { var jupyterGlobus = jupyterGlobusMap[host] if (!jupyterGlobus) { @@ -110,6 +115,36 @@ var Helper = { return true; }, + /** + * + * @param user the user to check for + * @param hpc the HPC to check for + * @returns whether or not the user can check the HPC + */ + canAccessHPC(user: string, hpc: string): boolean { + var allowList = hpcConfigMap[hpc].allowlist; + var denyList = hpcConfigMap[hpc].denylist; + console.log(allowList); + console.log(denyList); + // check if they are in the denylist + if (denyList.includes(user)) { + return false; + } + // check if the allowlist is empty + if (allowList.length == 0) { + // if they aren't in the deny and the allow + // is blank, we assume everyone is fine + return true; + } + else { + // if the allowList isn't blank, we need to check for them + return allowList.includes(user); + } + // shouldn't be reachable, but print false just in case + return false; + }, + + consoleEnd: "\x1b[0m", consoleGreen: "\x1b[32m", diff --git a/src/types.ts b/src/types.ts index a4029723..f48daabf 100644 --- a/src/types.ts +++ b/src/types.ts @@ -208,6 +208,8 @@ export interface hpcConfig { slurm_input_rules?: slurmInputRules; slurm_global_cap: slurm; xsede_job_log_credential: XSEDEJobLogCredential; + allowlist: string[]; + denylist: string[]; } export interface XSEDEJobLogCredential {