diff --git a/roles/pam_slurm/tasks/main.yml b/roles/pam_slurm/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8a13ab12a174e0fbb953a12ffcdaae7eccf8a060
--- /dev/null
+++ b/roles/pam_slurm/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: "Copy access.conf"
+ template: src=access.conf.j2 dest=/etc/security/access.conf
+ become: true
+ become_user: root
+
+- name: "Copy password sshd pam config"
+ template: src=sshd.j2 dest=/etc/pam.d/sshd
+ become: true
+ become_user: root
+
diff --git a/roles/pam_slurm/templates/access.conf.j2 b/roles/pam_slurm/templates/access.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..684f5e79748e52b82d8a7e2dfa77708bbc2befa4
--- /dev/null
+++ b/roles/pam_slurm/templates/access.conf.j2
@@ -0,0 +1 @@
+-:ALL EXCEPT root systems ec2-user debian ubuntu admin :ALL
diff --git a/roles/pam_slurm/templates/sshd.j2 b/roles/pam_slurm/templates/sshd.j2
new file mode 100644
index 0000000000000000000000000000000000000000..a1218458728bb47fea1d4f73194191a516cb6214
--- /dev/null
+++ b/roles/pam_slurm/templates/sshd.j2
@@ -0,0 +1,22 @@
+#%PAM-1.0
+auth required pam_sepermit.so
+auth substack password-auth
+auth include postlogin
+# Used with polkit to reauthorize users in remote sessions
+-auth optional pam_reauthorize.so prepare
+account required pam_nologin.so
+account include password-auth
+account sufficient pam_slurm.so
+account required pam_access.so
+password include password-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open env_params
+session required pam_namespace.so
+session optional pam_keyinit.so force revoke
+session include password-auth
+session include postlogin
+# Used with polkit to reauthorize users in remote sessions
+-session optional pam_reauthorize.so prepare
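Review bot: Both template tasks in roles/pam_slurm/tasks/main.yml replace login-critical files (`/etc/security/access.conf` and `/etc/pam.d/sshd`) without pinning ownership or permissions and without keeping the previous copy, so a bad render leaves no quick way back to a working SSH login. Write the arguments in block style and add `owner: root`, `group: root`, `mode: "0644"` and `backup: true` to each task. The sshd stack this role installs includes `password-auth` and `postlogin`, which are RHEL-family files, while the access.conf allow-list names `debian` and `ubuntu` accounts. If Debian-family hosts are in scope, a guard such as `when: ansible_os_family == "RedHat"` (or a per-family template) would keep the play from installing a stack whose includes cannot be resolved.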
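Review bot: The single rule in roles/pam_slurm/templates/access.conf.j2 hard-codes the allow-list, and it admits `root` plus the generic cloud-image accounts (`ec2-user`, `debian`, `ubuntu`, `admin`) from every origin (`:ALL`). Since the file is already a template, take the names from a role variable so each cluster lists only accounts that exist there, and consider narrowing the origin field for `root`. If `systems` is meant to be a group, write it as `(systems)`, because pam_access otherwise tries the token as a user name first. A header comment such as `# Managed by Ansible (roles/pam_slurm); job owners are admitted by pam_slurm.so in /etc/pam.d/sshd` would explain why ordinary users are absent from the list.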
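Review bot: In the account phase of roles/pam_slurm/templates/sshd.j2, `account include password-auth` sits in front of `account sufficient pam_slurm.so` and `account required pam_access.so`, and with `include` a `sufficient` success inside password-auth ends the whole account stack. password-auth is not part of this commit, but stock RHEL-family versions commonly carry `sufficient` entries (pam_localuser.so, for example), in which case local accounts would never reach the Slurm or access.conf checks. `account substack password-auth` confines such a result to the included file, as the auth phase of this template already does. A comment above the pam_slurm.so / pam_access.so pair, e.g. `# users with a job on this node pass via pam_slurm; everyone else must match access.conf`, would document that the order is deliberate.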
diff --git a/roles/slurm-common/tasks/installSlurmFromSource.yml b/roles/slurm-common/tasks/installSlurmFromSource.yml index be136da92000e764e613bb1c040c52f3f497e73e..167994b2dc000568ee739480d28a07679f86685c 100644 --- a/roles/slurm-common/tasks/installSlurmFromSource.yml +++ b/roles/slurm-common/tasks/installSlurmFromSource.yml @@ -15,14 +15,27 @@ src: "http://consistency0/src/slurm-{{ slurm_version }}.tar.bz2" copy: no dest: /tmp - creates: /tmp/slurm-{{ slurm_version }} + creates: "{{ slurm_dir }}/bin/srun" + +- name: stat srun + stat: path="{{ slurm_dir }}/bin/srun" + register: stat_srun + + +- name: configure slurm + command: /tmp/slurm-{{ slurm_version }}/configure --prefix={{ slurm_dir }} --with-munge={{ munge_dir }} --enable-pam + args: + creates: "{{ slurm_dir }}/bin/srun" + chdir: /tmp/slurm-{{ slurm_version }} + when: force_slurm_recompile is defined or not stat_srun.stat.exists - name: build slurm - shell: ./configure --prefix={{ slurm_dir }} --with-munge={{ munge_dir }} && make + command: make args: + creates: "{{ slurm_dir }}/bin/srun" chdir: /tmp/slurm-{{ slurm_version }} - creates: /tmp/slurm-{{ slurm_version }}/src/srun/srun + when: force_slurm_recompile is defined or not stat_srun.stat.exists - name: install slurm shell: make install @@ -30,6 +43,20 @@ args: chdir: /tmp/slurm-{{ slurm_version }} creates: "{{ slurm_dir }}/bin/srun" + when: force_slurm_recompile is defined or not stat_srun.stat.exists + +- name: build pam_slurm + command: make + args: + chdir: /tmp/slurm-{{ slurm_version }}/contribs/pam + when: force_slurm_recompile is defined or not stat_srun.stat.exists + +- name: install pam_slurm + shell: make install + sudo: true + args: + chdir: /tmp/slurm-{{ slurm_version }}/contribs/pam + when: force_slurm_recompile is defined or not stat_srun.stat.exists - name: add slurm log rotate config template: src=slurmlog.j2 dest=/etc/logrotate.d/slurm mode=644
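Review bot: The new `configure slurm` and `build slurm` tasks carry both `creates: "{{ slurm_dir }}/bin/srun"` and `when: force_slurm_recompile is defined or not stat_srun.stat.exists`, and `creates` skips the task whenever srun exists, so `force_slurm_recompile` cannot force anything here. The unarchive task's new `creates` has the same effect on re-extracting the tree; that task starts above the hunk. Drop `creates` from the tasks that already have the `when:` guard. `is defined` also treats `force_slurm_recompile: false` as a request to rebuild, whereas `when: (force_slurm_recompile | default(false) | bool) or not stat_srun.stat.exists` reads the value. As written, a host with an existing install is never reconfigured with `--enable-pam`.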
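Review bot: `install pam_slurm` runs `make install` with elevated rights and places a module that sshd will load in the login path, yet the tree it builds from is fetched by the unarchive task at the top of the file over plain `http://`, with no checksum visible in this diff. Downloading the tarball first with `get_url` and `checksum: "sha256:<EXPECTED_SHA256>"` (placeholder value) would make a tampered archive fail the play instead of becoming a PAM module. Both pam_slurm tasks are also keyed to `stat_srun`, so a host that already has Slurm never gets the module even though roles/pam_slurm references it in `/etc/pam.d/sshd`; stat the installed pam_slurm.so instead. `sudo: true` could become `become: true` to match the new role, and `command:` is enough for a plain `make install`.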