Security concerns for multi-user installation

Hi cryoSPARC developers,

I provide support for a university HPC cluster that uses the Slurm scheduler. One group of researchers has asked us to install and configure cryoSPARC for their use. The software is installed in a location where only the licensed users have access, however I am trying to determine the most secure way of setting up the software so that multiple members of the lab group can run it.

Specifically, the cluster sys admins are somewhat concerned about creating a dedicated cryoSPARC unix account that would enable users to anonymously submit jobs to the scheduler. Is there any way to install and configure cryoSPARC for multiple users but then have the users submit their jobs as themselves instead of under the anonymous, dedicated cryosparc account? In addition to being more secure (from our standpoint), having users run their Slurm jobs under their own usernames would enable us to better track and manage Slurm accounting data.

Alternatively, do you have any set of “best practices” for running securely in an HPC environment that you could share?

Any insights are appreciated!

Welcome to the forum @decarlson.
The guide includes a discussion of access controls.
Regarding the specific concern about anonymous job submissions, allowing the system user that “owns” the cryoSPARC instance to trigger job submissions as another user may raise additional security concerns. However, the {{ cryosparc_username }} variable can be used in the submission script template to link specific (cryoSPARC) users to cluster job submissions. Even if that information cannot be used by slurm directly for “Fairshare” enforcement, it would enable (customized) usage accounting.
For more finely grained control, but with some loss of intra-group data sharing and with additional administrative complexity, user-specific, carefully separated cryoSPARC instances are another possibility.

1 Like