Merge branch 'feat-add-pam-slurm' into 'main'

Add role to restrict user access to nodes via pam_slurm. Closes #26 See merge request rc/packer-openstack-hpc-image!14

Merge branch 'feat-add-pam-slurm' into 'main'
Add role to restrict user access to nodes via pam_slurm. Closes #26 See merge request rc/packer-openstack-hpc-image!14
b09643d3 · Ravi Tripathi · 5cbdc266 · 9a927fbc · b09643d3
Commit b09643d3 authored 2 years ago by Ravi Tripathi
--- a/ansible/roles/pam_slurm_adopt/tasks/main.yml
+++ b/ansible/roles/pam_slurm_adopt/tasks/main.yml
+---
+# restrict user access to nodes
+- name: Get version and release for slurm-pam pkg
+  shell: rpm -q --qf "%{VERSION}-%{RELEASE}\n" slurm-client
+  register: ver
+- debug:
+    var: ver
+- name: Install slurm-pam package
+  yum:
+    name: "slurm-pam-{{ ver.stdout }}"
+    state: present
+- name: Create new pam file wihtout pam_systemd.so
+  shell: grep -v pam_systemd.so < /etc/pam.d/password-auth > /etc/pam.d/password-auth-no-systemd
+- name: Update sshd pam file
+  blockinfile:
+    path: /etc/pam.d/sshd
+    insertbefore: "^account.+password-auth$"
+    backup: yes
+    marker: "# {mark} PAM config for Slurm"
+    marker_begin: "BEGIN account"
+    marker_end: "END account"
+    block: |
+      "-account    sufficient     pam_slurm_adopt.so"
+      "account    required   pam_access.so"
+- name: Update sshd pam file
+  blockinfile:
+    path: /etc/pam.d/sshd
+    insertbefore: "^session.+postlogin$"
+    backup: yes
+    marker: "# {mark} - PAM config for Slurm"
+    marker_begin: "BEGIN session"
+    marker_end: "END session"
+    block: |
+      "session    include      password-auth-no-systemd"
+- name: Update secure access config for the node
+  lineinfile:
+    dest: /etc/security/access.conf
+    line: "-:ALL EXCEPT root mhanby_ cmcclung_ (sysadmins) (atlab):ALL"
+    owner: root
+    mode: 0644