Add jobs and reservations privacy settings #149
Conversation
rezib
left a comment
rezib
left a comment
There was a problem hiding this comment.
Additionally to all other comments, can you please also move mocks mods into a separate commit to avoid confusions between the feature and all the stuff related to tests.
doc/usage.rst
Outdated
|
|
||
| .. figure:: img/screenshot_job_close_details.* | ||
|
|
||
| The Jobs view starts taking Slurm's Private Data parameter into account partially |
There was a problem hiding this comment.
This should not be mentioned only in the usage guide but also in the installation (§auth) and architecture guides (§auth). It is useless to mention slurm-web version since the documentation is versioned along with the software. A link should be added to related slurm documentation. The possible values with their impact on slurm-web behaviour should be explained explicitely. The mention "partially taken into account" is definitely too vague.
There was a problem hiding this comment.
Please also explain what guest user still has access to in presence of privatedata.
doc/usage.rst
Outdated
| #. The start time of this reservation | ||
| #. The end time of this reservation | ||
|
|
||
| The Reservation view starts taking Slurm's Private Data parameter into account partially |
rest/slurmrestapi.py
Outdated
| @authentication_verify() | ||
| @cache() | ||
| def get_reservations(): | ||
| if auth_enabled: |
There was a problem hiding this comment.
What happens here if auth is disabled?
rest/auth.py
Outdated
| to be enabled to retrieve current user") | ||
|
|
||
| token = request.headers['Authorization'].split()[1] | ||
| return User.verify_auth_token(token) |
There was a problem hiding this comment.
Explain in comment why you don't catch the auth verification exceptions here.
| return abort(403, "Authentication has \ | ||
| to be enabled to retrieve current user") | ||
|
|
||
| token = request.headers['Authorization'].split()[1] |
There was a problem hiding this comment.
The token extraction logic should be factorized to avoid loosely access to request headers dict from anywhere in the code.
rest/slurmrestapi.py
Outdated
| ) | ||
| return jobs | ||
|
|
||
| if onlyUsersJobs: |
There was a problem hiding this comment.
This if should be removed. We should have only one dict of jobs at this point, whatever the value of onlyUsersJobs is true or false.
rest/slurmrestapi.py
Outdated
| # pyslurm >= 16.05 expects a string in parameter of job.find_id() | ||
| job = pyslurm.job().find_id(str(job_id)) | ||
| fill_job_user(job) | ||
| config = pyslurm.config().get() |
tests/mocks/pyslurm.py
Outdated
| def find_id(self, jobid): | ||
| for job in context.CTLD.jobs: | ||
| if job.jobid == jobid: | ||
| if str(job.jobid) == str(jobid): |
There was a problem hiding this comment.
This is probably useless since all jobids should already be strings at this point.
rest/slurmrestapi.py
Outdated
| result = {} | ||
| if auth_enabled: | ||
| # Fetch the attributs of private_data | ||
| config = pyslurm.config().get() |
There was a problem hiding this comment.
The logic to extract the configuration, parse the privatedata and set a boolean should done in a factorized function since this code is very similar in the various routes.
|
2 additional notes:
|
Updates following "Add jobs and reservations privacy settings rackslab#149". Elements built previously for data privacy settings are refactored and documentation has been added.
Updates following "Add jobs and reservations privacy settings rackslab#149". Elements built previously for data privacy settings are refactored and documentation has been added.
This reverts commit 27a47fd since it has several issues. Notably, it does not compile on python 2.6: $ python -m py_compile rest/slurmrestapi.py SyntaxError: ('invalid syntax', ('rest/slurmrestapi.py', 241, 24, ' \ return {k: v for k, v in reservations.iteritems()\n')) The feature is reviewed in PR #149.
|
Can you please rebase your PR on current master branch 431e189? Can you also please respect contribution guidelines (https://github.com/edf-hpc/slurm-web/blob/master/CONTRIBUTING.md) in your commit messages? |
yencli
force-pushed
the
master
branch
5 times, most recently
from
3c12ccb to
d8407da
Compare
doc/architecture.rst
Outdated
|
|
||
| Slurm-web also takes into account of the Private data parameter from | ||
| `Slurm <https://slurm.schedmd.com/slurm.conf.html>`_. The python wrapper | ||
| edf-hpc/`pyslurm <https://github.com/edf-hpc/pyslurm/>`_ has been |
There was a problem hiding this comment.
The ling to Slurm configuration man is not properly formatted in generated documentation. The fact that PySLURM has been modified is not a useful information for slurm-web users and administrators. Please fix this.
doc/usage.rst
Outdated
| parameter in edf-hpc/`pyslurm <https://github.com/edf-hpc/pyslurm/>`_. The original | ||
| description can be found in`Slurm <https://slurm.schedmd.com/slurm.conf.html>`_. | ||
| If ``jobs`` has been defined previously in Slurm configuration, regular users can | ||
| only see their own jobs whereas the superusers see all the jobs and guests can see |
There was a problem hiding this comment.
Slurm-web has no notion of superusers. There are admins, users and guests but none superusers.
|
|
||
|
|
||
| # Retrive current user role and login | ||
| def get_current_user(): |
There was a problem hiding this comment.
Please add docstring to explain what this function does, notably in which cases it aborts.
|
|
||
|
|
||
| def retrieve_token(): | ||
| if 'Authorization' not in request.headers: |
There was a problem hiding this comment.
Please add docstring to explain what this function does, notably in which case it aborts.
rest/auth.py
Outdated
| to be enabled to retrieve current user") | ||
|
|
||
| token = retrieve_token() | ||
| # No exception is thrown from this method but return None when failed |
There was a problem hiding this comment.
The comment is wrong, it does not return None.
|
|
||
| token = retrieve_token() | ||
| # No exception is thrown from this method but return None when failed | ||
| try: |
There was a problem hiding this comment.
This is a copy/paste of the code in the decorator, please factorize.
rest/slurmrestapi.py
Outdated
| jobs = pyslurm.job().get() | ||
| result = {} | ||
| if auth_enabled: | ||
| """ |
There was a problem hiding this comment.
PEP-8 says that block comment should use #[1], not docstrings, please fix it.
[1] https://www.python.org/dev/peps/pep-0008/#block-comments
|
|
||
|
|
||
| def check_private_data_for_entity(user, entity): | ||
| onlyUsersEntities = False |
There was a problem hiding this comment.
Please add docstring to explain what this function does.
There was a problem hiding this comment.
The user argument is not used, please fix it.
There was a problem hiding this comment.
The user argument is used as well as entity.
There was a problem hiding this comment.
The code sets currentUser with user but currentUser then receives the result of get_current_user() before being actually used if the if check. If you remove currentUser = user the function is the same. Then, no, the argument is definitely not used.
yencli
force-pushed
the
master
branch
4 times, most recently
from
0cab2fe to
ecb078e
Compare
yencli
force-pushed
the
master
branch
5 times, most recently
from
acfec8f to
28af211
Compare
rezib
left a comment
rezib
left a comment
There was a problem hiding this comment.
PEP8 says variable names must be in lowercase separated by underscore. For instance, you should replace currentUser by current_user. Please fix this.
| return onlyUsersEntities | ||
|
|
||
|
|
||
| def filter_entities(entity, entitiesList): |
There was a problem hiding this comment.
Please add missing docstring here.
rest/cache.py
Outdated
|
|
||
|
|
||
| def cache(): | ||
| def cache(userSpecific=False): |
There was a problem hiding this comment.
This is not a good solution as the cache is not shared between users. It implies that n different users accessing the jobs will generate n RPC to slurmctld and this is not what we want. N users accessing the jobs in a short period of time (< jobs cache expiration) should generate only 1 RPC to slurmctld.
There was a problem hiding this comment.
Do you prefer to have the job filter inside the cache?
There was a problem hiding this comment.
Clearly, no. This cache function is not about jobs so there is no reason to filter jobs here. Caching and filtering are 2 different purposes that must be treated separately.
There was a problem hiding this comment.
Any suggestion? Userspecific only when privateData is on?
There was a problem hiding this comment.
Userspecific only when privateData is on?
This doesn't solve the mentioned problem neither.
For me, the right solution is to manage the cache at pyslurm calls level, not at API route level. This is what I suggested last friday.
rest/slurmrestapi.py
Outdated
| Private Data settings. | ||
| """ | ||
| onlyUsersEntities = False | ||
| currentUser = user |
There was a problem hiding this comment.
Please avoid this useless additional variable. The rest of the function code can simply use the user argument directly.
rest/slurmrestapi.py
Outdated
| currentUser, entity) | ||
|
|
||
| if onlyUsersEntities: | ||
| # if private data is applied and the jobs' owner is different from |
There was a problem hiding this comment.
The comment is wrong as the logic here is not only about jobs.
| # show if auth disabled, onlyUsersJobs becomes always False and all | ||
| # the jobs are added to the job list to show | ||
|
|
||
| return dict((k, v) for k, v in entitiesList.iteritems() |
There was a problem hiding this comment.
Please fix the indentation here:
C:556, 0: Wrong continued indentation.
v['users']) or (entity == 'jobs' and
^| (bad-continuation)
C:557, 0: Wrong continued indentation.
currentUser.login == v['login'])))
^ | (bad-continuation)
The readability of the of this nested logic is not that great. I think it would be relevantly replaced by an additional if statement before the return and its iteration...
yencli
force-pushed
the
master
branch
2 times, most recently
from
da04f2f to
1f4aff9
Compare
|
Please split commit with cache mechanism change and privatedata introduction. Even though the later requires the former, they are 2 distinct and complex things that really deserve 2 separate commits. |
|
Cache change is a requirement for privatedata so please put cache change before privatedata introduction. |
yencli
force-pushed
the
master
branch
5 times, most recently
from
ce1038b to
c555876
Compare
|
Please remove the |
|
Please remove the code of the cache decorator itself as it is useless as of now. |
|
OK, I removed the decorator. |
| ''.join("%s-%r" % (key, val) for (key, | ||
| val) in kwargs.iteritems()) | ||
| ) | ||
| def get_from_cache(f, overrideName=None, *args, **kwargs): |
There was a problem hiding this comment.
Please add a docstring on this new function.
| reservations = get_from_cache( | ||
| pyslurm.reservation().get, 'get_reservations') | ||
| return reservations | ||
| return filter_entities('reservations', reservations) |
There was a problem hiding this comment.
Lot of changes are missing in this file.
This modification prevents regular users from seeing other users' previous requests before the caches expired.
The application of Slurm's Private Data settings for jobs and reservations has been introduced to Slurm-web. Descriptions of Slurm's configuration can be found in https://slurm.schedmd.com/slurm.conf.html (see "PrivateData").This implies that regular users may only see their own jobs or reservations if PrivateData is set previously in Slurm's configuration. Associated documentations has been updated accordingly.
Update mock pyslurm and define private_data in 2 mock clusters.
|
OK, it's been merged. |
2 participants
The "PrivateData" parameter from Slurm configuration is now partially introduced to slurm-web. However, this change is only compatible with a modified version of pyslurm that contains an extra output (see edf-hpc/pyslurm@634ed69). Also, the mocks for testing are modified along with.
Jobs and Reservations views are affected in this change. Regular users may only see their own jobs or reservations if defined in PrivateData previously.