Integrating WebMO Users with System Users
In a typical default installation, WebMO runs as its own system user (webmo) with its own home directory (/home/webmo). This means that all WebMO jobs from all WebMO users run under the same user ID and are stored in the the same home directory.
The advantage of this approach is that a system administrator does not need to create separate unix accounts for every WebMO user. This is clearly an advantage when there are large numbers of users who run relatively few jobs, e.g., students in an undergraduate chemistry course. But it implies that computing resources and data storage being shared among all WebMO users without any prioritization or limits.
In some instances, it may be preferable for WebMO users to be tied system users. This could be the case when WebMO is used for large jobs on a queuing system or when WebMO users have many jobs that take up significant storage space. In this instance, having the system account for the CPU usage and storage of each user separately would allow for more control over resource distribution than grouping all WebMO activity as a single system user. Jobs could be run according to system user and/or group queuing priorities, and storage quotas could be respected for each system user.
WebMO allows for full integration between WebMO and system activities as follows:
- WebMO users can login using their system credentials
- WebMO jobs can be run under the user id (UID) of the corresponding system user
- WebMO files can be directly accessed by a system user or stored in a system user's home directory
Logging In as a System User
WebMO maintains its own database of usernames and passwords, which is distinct from the system usernames and passwords. However, using external authentication allows system users to login using their system password instead of their WebMO password. Furthermore, system users can be externally authenticated and have a WebMO account automatically created for them without manual intervention by the WebMO administrastor. Details and instructions are provided in the External Authentication documentation.
Note that WebMO usernames are translated into lowercase in order to be case-insensitive. Thus only system users with lower-case names can be externally authenticated.
Submitting Jobs with a System User UID
WebMO jobs usually run under the user ID (UID) of the webserver or webmo user. By using a batch queuing system, WebMO jobs can be submitted to run under the UID of the system user corresponding to the WebMO username. This then allows any queue policies applicable to the user (limits on the number of nodes being used, etc.) to be enforced.
To enable this option, perform the following:
- The following criteria must be met:
- WebMO must be installed in a system user's home directory, e.g., /home/webmo/public_html, not in the system webserver directory
- Suexec must be enabled, so that WebMO cgi scripts run as the above system user, e.g., webmo
- Batch queueing must be selected
- External authentication of system users by /etc/password, NIS, PAM, or PAM+shadow, must be selected
- A local system account must exist for the specified execution UID
- The execution UID must be > 100
- If running on a cluster computer, user home directories must be NFS mounted across the compute nodes
- If the webserver (head) node /home directories are NFS mounted, e.g., the cluster computer has a separate file server node, then the mount must be mounted with the no_root_squash option
- Edit /etc/sudoers as necessary. (This was probably already done if external authentication was enabled.) AUTHEN is needed for PAM authentication. SYSCMD and QCMD are needed for running jobs under UID's. The 'requiretty' option MUST NOT be present, otherwise the WebMO scripts will not be able to run sudo non-interactively.
# visudo
Remove or comment out the "requiretty" option.
If using the the SGE queuing system, add "SGE_ROOT" to the "env_keep" list.
Add the lines:
# WebMO user
Cmnd_Alias SYSCMD = /bin/chown,/bin/chmod,/bin/mkdir
Cmnd_Alias QCMD = /usr/local/bin/qsub,/usr/local/bin/qstat,/usr/local/bin/qdel,/usr/local/bin/qalter
Cmnd_Alias AUTHEN = /home/webmo/bin/pam_authenticate.pl
webmo ALL=(ALL) NOPASSWD: QCMD, SYSCMD, AUTHEN
If using the SLURM queuing system, then QCMD must instead reference the analogoussbatch,squeue,scancel, andscontrolcommands. The QCMD entries must match the commands that are entered into the Batch Queue Manager. - Enable sudo usage.
Login as the WebMO administrator. Choose System Manager. Check "Enable sudo usage". Click Submit and Return to Admin. - Specify execution UID.
Choose Group Manager. Edit the desired group, and choose the "Permissions" tab. Under "Job execution UID", select:- "Webserver UID" to run all jobs under the UID of the webserver (normally 'webmo')
- "WebMO username UID" to run jobs under the UID of the sytem user with the same name as the correpsonding WebMO user (assuming such a system user exists, i.e. WebMO user 'smith' job will under system UID 'smith')
- "Fixed execution UID" to run all submitted from this group under a single system UID (i.e. 'organic')
- Test user ID of submitted jobs by a system user.
Login to WebMO as a system user. Submit a job. From a separate login shell, issue a "qstat" comand, and verify that the job is running as the system user and not as the webmo user.
Running jobs under a non-webmo system UID requires that both the user has been externally authenticated (with System Manager and User Manager) and that the user's group has been set to use either WebMO username UID or Fixed execution UID (with Group Manager).
Accessing or Storing Files by System Users
WebMO job files are usually stored in webmo's home directory, e.g., in /home/webmo/webmo. As a result, they are not directly accessible by system users but rather must be imported.
Two options exist for allowing direct access to WebMO output files by system users:
- Storing the files in the webmo home directory and providing access to them via symbolic links in the system user's home directory
- Storing the files in the system user's home directory and provding webmo access to them via symbolic links in the webmo job directory
Option 1: Symbolic link from user home directory to WebMO jobs directory
This option is very easy to implement, since it is just a single symbolic link that users can implement themselves.
[webmo] $ su - smith
[smith] $ ln -s /home/webmo/webmo/smith /home/smith/my_webmo_jobs
Option 2: Symbolic link from WebMO jobs directory to user home directory
This option is more complicated, but it allows for accounting of storage by each user with system quotas.
The following pre-requisites must be met:
- User home directories must be accessible by other users, i.e., the other execute bit on user home directories must be set with
# chmod o+x /home/smith - WebMO jobs must be executed using "WebMO username UID" or a "fixed UID"
To enable this option automatically for all new users created by external authentication, login as the WebMO administrator, choose System manager, and check "Store user job files in $HOME/webmo".
To enable this option for existing users, perform the following:
- Create a job directory in the user home directory.
[webmo] $ su - smith
[smith] $ mkdir /home/smith/webmo
[smith] $ mkdir /home/smith/webmo/smith - Make the directory writable by both webmo and the user.
If webmo and smith belong to the same group
[smith] $ chmod 775 /home/smith/webmo/smith
Or if webmo and smith belong to different groups
[smith] $ su -
[root] # chown smith:{webmogroup} /home/smith/webmo/smith
[root] # chmod 775 /home/smith/webmo/smith
[root] # exit - Move user jobs from the WebMO job directory to the user job directory.
[smith] $ exit
[webmo] $ mv /home/webmo/webmo/smith/* /home/smith/webmo/smith/ - Replace the WebMO job directory with a symbolic link.
[webmo] $ rmdir /home/webmo/webmo/smith/
[webmo] $ ln -s /home/smith/webmo/smith /home/webmo/webmo/smith