Merge pull request #99 from alexandermichels/hpc-allow-deny-2023-05

working on per hpc allow/deny. Tested and worked.

configs/hpc.example.json

@@ -31,7 +31,9 @@
     },
     "mount": {
       "/data/cigi/scratch/cigi-gisolve/compute_shared": "/compute_shared"
-    }
+    },
+    "allowlist" : [],
+    "denylist": []
   },
   "expanse_community": {
     "ip": "login.expanse.sdsc.edu",
@@ -75,7 +77,9 @@
     "xsede_job_log_credential": {
       "xsederesourcename": "expanse.sdsc.xsede.org",
       "apikey": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
-    }
+    },
+    "allowlist" : [],
+    "denylist": []
   },
   "bridges_community_gpu": {
     "ip": "bridges2.psc.edu",
@@ -105,7 +109,9 @@
       "export tmp_path=\"/tmp/cvmfs-$(openssl rand -hex 12)\"",
       "mkdir $tmp_path"
     ],
-    "init_sbatch_options": ["#SBATCH --partition=GPU-shared"]
+    "init_sbatch_options": ["#SBATCH --partition=GPU-shared"],
+    "allowlist" : [],
+    "denylist": []
   },
   "anvil_community": {
     "ip": "anvil.rcac.purdue.edu",
@@ -141,6 +147,8 @@
       "export tmp_path=\"/tmp/cvmfs-$(openssl rand -hex 12)\"",
       "mkdir $tmp_path"
     ],
-    "init_sbatch_options": ["#SBATCH --partition=shared", "#SBATCH --nodes=1"]
+    "init_sbatch_options": ["#SBATCH --partition=shared", "#SBATCH --nodes=1"],
+    "allowlist" : [],
+    "denylist": []
   }
 }

server.ts

@@ -908,6 +908,14 @@ app.post("/job", async function (req, res) {
     res.status(401).json({ error: "unrecognized hpc", message: null });
     return;
   }
+  // check if the user can use the HPC
+  var allowedOnHPC = Helper.canAccessHPC(res.locals.username, hpcName);
+  console.log(allowedOnHPC);
+  if (!allowedOnHPC) {
+    res.status(401).json({ error: "Not authorized for HPC", message: null});
+    return;
+  }
+
 
   try {
     if (!hpc.is_community_account) {

src/Helper.ts

@@ -1,5 +1,5 @@
 import { Job } from "./models/Job";
-import { jupyterGlobusMap } from "../configs/config";
+import { hpcConfigMap, jupyterGlobusMap } from "../configs/config";
 import * as fs from "fs";
 
 var Helper = {
@@ -102,6 +102,11 @@ var Helper = {
     return Object.keys(obj).length == 0;
   },
 
+  /**
+   * 
+   * @param host JupyterHub submitting jobs
+   * @returns bool, whether or not the Jupyter can submit
+   */
   isAllowlisted(host: string): boolean {
     var jupyterGlobus = jupyterGlobusMap[host]
     if (!jupyterGlobus) {
@@ -110,6 +115,36 @@ var Helper = {
     return true;
   },
 
+  /**
+   * 
+   * @param user the user to check for
+   * @param hpc the HPC to check for
+   * @returns whether or not the user can check the HPC
+   */
+  canAccessHPC(user: string, hpc: string): boolean {
+    var allowList = hpcConfigMap[hpc].allowlist;
+    var denyList = hpcConfigMap[hpc].denylist;
+    console.log(allowList);
+    console.log(denyList);
+    // check if they are in the denylist
+    if (denyList.includes(user)) {
+        return false;
+    }
+    // check if the allowlist is empty
+    if (allowList.length == 0) {
+        // if they aren't in the deny and the allow
+        // is blank, we assume everyone is fine
+        return true;
+    }
+    else {
+        // if the allowList isn't blank, we need to check for them
+        return allowList.includes(user);
+    }
+    // shouldn't be reachable, but print false just in case
+    return false;
+    },
+
+
   consoleEnd: "\x1b[0m",
 
   consoleGreen: "\x1b[32m",

src/types.ts

@@ -208,6 +208,8 @@ export interface hpcConfig {
   slurm_input_rules?: slurmInputRules;
   slurm_global_cap: slurm;
   xsede_job_log_credential: XSEDEJobLogCredential;
+  allowlist: string[];
+  denylist: string[];
 }
 
 export interface XSEDEJobLogCredential {