From d1cd78a80b5728b79e84fdf60f8bc4a05ae69878 Mon Sep 17 00:00:00 2001
From: Simo Tuomisto
Date: Fri, 4 Sep 2020 16:53:06 +0300
Subject: [PATCH 1/2] Add a new option pam_enable_slurm_adopt which enables the new slurm pam module with cgroup adoption
---
 defaults/main.yml | 3 +++
 templates/system-auth.j2 | 7 +++++++
 2 files changed, 10 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 6e52399..88db20c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -7,6 +7,9 @@ pam_use_sssd: False
 # Enable the pam_slurm.so module
 pam_enable_slurm: False
+# Enable the pam_slurm_adopt.so module
+pam_enable_slurm_adopt: False
+
 # These are allowed in /etc/security/access.conf, set when
 # pam_enable_slurm == True
 slurm_access_groups:
diff --git a/templates/system-auth.j2 b/templates/system-auth.j2
index 77f9016..8a1394e 100644
--- a/templates/system-auth.j2
+++ b/templates/system-auth.j2
@@ -10,7 +10,9 @@ auth sufficient pam_sss.so use_first_pass
 auth required pam_deny.so
 account required pam_unix.so
+{% if not pam_enable_slurm_adopt %}
 account sufficient pam_localuser.so
+{% endif %}
 account sufficient pam_succeed_if.so uid < 1000 quiet
 {% if pam_use_sssd %}
 account [default=bad success=ok user_unknown=ignore] pam_sss.so
@@ -18,6 +20,9 @@ account [default=bad success=ok user_unknown=ignore] pam_sss.so
 {% if pam_enable_slurm %}
 account sufficient pam_access.so
 account required pam_slurm.so
+{% elif pam_enable_slurm_adopt %}
+-account sufficient pam_slurm_adopt.so action_adopt_failure=deny action_generic_failure=deny
+account required pam_access.so
 {% endif %}
 account required pam_permit.so
@@ -30,7 +35,9 @@ password required pam_deny.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
+{% if not pam_enable_slurm_adopt %}
 -session optional pam_systemd.so
+{% endif %}
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so
 {% if pam_use_sssd %}
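Review bot: The comment on `slurm_access_groups` two lines below the new option still reads `# pam_enable_slurm == True`, but the template's adopt branch also ends its account stack with `account required pam_access.so`, so /etc/security/access.conf is the fallback gate in that mode as well. If the task that writes access.conf is conditioned on pam_enable_slurm alone, as the comment implies (that task is not in this patch), then on an adopt-only host a stock, comment-only access.conf makes pam_access succeed for everyone and the stack falls through to pam_permit, so a user with no job on the node is still let in after pam_slurm_adopt denies. Extend that condition to the new flag and change the comment to `# pam_enable_slurm == True or pam_enable_slurm_adopt == True`.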
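Review bot: This hunk and the pam_systemd hunk below branch on `pam_enable_slurm_adopt` alone, while the account hunk between them gives `pam_enable_slurm` precedence via `{% if pam_enable_slurm %} … {% elif pam_enable_slurm_adopt %}`, so a host with both flags set renders the pam_slurm.so stack but without pam_localuser.so or pam_systemd.so, a mix neither mode intends. Either test the adopt flag first in the account hunk (`{% if pam_enable_slurm_adopt %}` … `{% elif pam_enable_slurm %}`) so the three hunks agree, or fail the play early when both variables are true. Nothing in the patch says the two options are mutually exclusive; a short Jinja comment next to each new `{% if not pam_enable_slurm_adopt %}` would make that intent visible to whoever edits the template next.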
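Review bot: The `-` prefix on the new `-account sufficient pam_slurm_adopt.so …` line tells Linux-PAM not to log when the module cannot be loaded, so on a node where the Slurm PAM package is missing the entry is skipped without any syslog trace and the account decision quietly rests on `account required pam_access.so` alone. Since this role enables the module deliberately, that silence hides exactly the misconfiguration an operator would want to notice; writing the line without the prefix (`account sufficient pam_slurm_adopt.so action_adopt_failure=deny action_generic_failure=deny`) at least gets the load failure into the logs. If the prefix is intentional, a Jinja comment above the line saying why would save the next reader the same question.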
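Review bot: The new `{% if not pam_enable_slurm_adopt %}` around `-session optional pam_systemd.so` carries no comment explaining why the session line disappears in adopt mode, and the reason is not obvious from the stack itself. Presumably pam_systemd is dropped so that systemd-logind does not move the login into a user session scope and out of the job's cgroup, which would undo the adoption; a Jinja comment above the if, such as `{# pam_slurm_adopt needs the process to stay in the job cgroup, so pam_systemd is skipped in that mode #}`, records that without changing the rendered file.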
From fab4980d1154df0c27194a8863dbbcb6593c45c0 Mon Sep 17 00:00:00 2001 From: Simo Tuomisto Date: Fri, 4 Sep 2020 16:55:58 +0300 Subject: [PATCH 2/2] Add ansible molecule tests for no slurm, pam_slurm.so and pam_slurm_adopt.so cases --- molecule/default/INSTALL.rst | 22 ++++++++++++++++++++++ molecule/default/converge.yml | 8 ++++++++ molecule/default/molecule.yml | 35 +++++++++++++++++++++++++++++++++++ molecule/default/verify.yml | 34 ++++++++++++++++++++++++++++++++++ 4 files changed, 99 insertions(+) create mode 100644 molecule/default/INSTALL.rst create mode 100644 molecule/default/converge.yml create mode 100644 molecule/default/molecule.yml create mode 100644 molecule/default/verify.yml diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst new file mode 100644 index 0000000..d926ca2 --- /dev/null +++ b/molecule/default/INSTALL.rst @@ -0,0 +1,22 @@ +******* +Docker driver installation guide +******* + +Requirements +============ + +* Docker Engine + +Install +======= + +Please refer to the `Virtual environment`_ documentation for installation best +practices. If not using a virtual environment, please consider passing the +widely recommended `'--user' flag`_ when invoking ``pip``. + +.. _Virtual environment: https://virtualenv.pypa.io/en/latest/ +.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site + +.. code-block:: bash + + $ python3 -m pip install 'molecule[docker]' diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml new file mode 100644 index 0000000..94b23c1 --- /dev/null +++ b/molecule/default/converge.yml @@ -0,0 +1,8 @@ +--- +- name: Converge + hosts: all + become: True + tasks: + - name: "Include ansible-role-pam" + include_role: + name: "ansible-role-pam" diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml new file mode 100644 index 0000000..1c7ae62 --- /dev/null +++ b/molecule/default/molecule.yml 
@@ -0,0 +1,35 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+platforms:
+ - name: noslurm
+ image: docker.io/pycontribs/centos:8
+ pre_build_image: true
+ groups:
+ - pam
+ - name: pam-slurm
+ image: docker.io/pycontribs/centos:8
+ pre_build_image: true
+ groups:
+ - pam
+ - pam_slurm
+ - name: pam-slurm-adopt
+ image: docker.io/pycontribs/centos:8
+ pre_build_image: true
+ groups:
+ - pam
+ - pam_slurm_adopt
+provisioner:
+ name: ansible
+ inventory:
+ group_vars:
+ pam:
+ pam_enabled: True
+ pam_slurm:
+ pam_enable_slurm: True
+ pam_slurm_adopt:
+ pam_enable_slurm_adopt: True
+verifier:
+ name: ansible
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
new file mode 100644
index 0000000..6c6f091
--- /dev/null
+++ b/molecule/default/verify.yml
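Review bot: All three platforms pull `docker.io/pycontribs/centos:8` by a mutable tag, so what the verify plays check drifts with whatever that tag points to on the day the job runs. Pinning a digest (`image: docker.io/pycontribs/centos:8@sha256:<digest>`, with the digest recorded when the image is chosen) makes the PAM stack under test reproducible and turns image updates into a reviewed change rather than a silent one.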
@@ -0,0 +1,34 @@
+---
+- name: Verify pam enabled
+ hosts: all
+ tasks:
+ #- command: cat /etc/pam.d/system-auth
+ # register: catcmd
+ #- debug:
+ # var: catcmd.stdout_lines
+ - name: Check whether /etc/pam.d/system-auth is populated
+ command: 'grep "#%PAM-1.0" /etc/pam.d/system-auth'
+
+- name: No slurm pam tests
+ hosts: noslurm
+ tasks:
+ - name: Check that localuser.so is in /etc/pam.d/system-auth
+ command: 'grep "account sufficient pam_localuser.so" /etc/pam.d/system-auth'
+ - name: Check that slurm is not mentioned in /etc/pam.d/system-auth
+ command: 'grep -v slurm /etc/pam.d/system-auth'
+
+- name: Slurm pam tests
+ hosts: pam-slurm
+ tasks:
+ - name: Check that localuser.so is in /etc/pam.d/system-auth
+ command: 'grep "account sufficient pam_localuser.so" /etc/pam.d/system-auth'
+ - name: Check pam_slurm.so is in /etc/pam.d/system-auth
+ command: 'grep "account required pam_slurm.so" /etc/pam.d/system-auth'
+
+- name: Slurm adopt pam tests
+ hosts: pam-slurm-adopt
+ tasks:
+ - name: Check that localuser.so is not in /etc/pam.d/system-auth
+ command: 'grep -v "account sufficient pam_localuser.so" /etc/pam.d/system-auth'
+ - name: Check pam_slurm_adopt.so is in /etc/pam.d/system-auth
+ command: 'grep "\-account sufficient pam_slurm_adopt.so action_adopt_failure=deny action_generic_failure=deny" /etc/pam.d/system-auth'
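Review bot: The two negative checks use `grep -v`, which exits 0 whenever at least one line does not match, so `grep -v slurm /etc/pam.d/system-auth` in the noslurm play and `grep -v "account sufficient pam_localuser.so" …` in the adopt play pass on any non-empty file and never catch the regression they are meant to catch. Run the positive grep instead and make exit status 1 the pass condition, as below, since grep returns 1 for no match and 2 for an error such as a missing file. The adopt play also never checks that pam_systemd.so is gone or that `account required pam_access.so` is present, which are the other lines this series adds to that mode. The four commented-out debug tasks at the top of the file are dead text and can simply be deleted.

```yaml
- name: No slurm pam tests
  hosts: noslurm
  tasks:
    # … unchanged: localuser.so presence check …
    - name: Check that slurm is not mentioned in /etc/pam.d/system-auth
      command: 'grep slurm /etc/pam.d/system-auth'
      register: slurm_grep
      changed_when: false
      # grep exits 1 only when nothing matched; 0 is a hit, 2 is an error
      failed_when: slurm_grep.rc != 1

# … unchanged: Slurm pam tests play …

- name: Slurm adopt pam tests
  hosts: pam-slurm-adopt
  tasks:
    - name: Check that localuser.so is not in /etc/pam.d/system-auth
      command: 'grep "account sufficient pam_localuser.so" /etc/pam.d/system-auth'
      register: localuser_grep
      changed_when: false
      failed_when: localuser_grep.rc != 1
    # … unchanged: pam_slurm_adopt.so presence check …
```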