nextflow-io / nf-nomad

Hashicorp Nomad executor plugin for Nextflow
https://nextflow-io.github.io/nf-nomad/
Apache License 2.0

Outline minimal policies for nf-nomad cluster setup #61

Open abhi18av opened 3 months ago

abhi18av commented 3 months ago

Looks good! Later we can add some more specific policies to test with minimal permissions

Originally posted by @jhaezebr in https://github.com/nextflow-io/nf-nomad/pull/57#pullrequestreview-2158871958

abhi18av commented 3 months ago

Hi @jhaezebr, could you please outline the specific minimal policies here that you think will be needed for running the cluster?

Ideally, we should not bake in any policy that is from the user's perspective, i.e. we should not have hard assumptions.

I have been thinking about this subject as well, and from the use case of the university cluster, what we'd need is that specific users/groups should be able to use a specific node for execution.

What's the best way to achieve this?

CC @jagedn

jhaezebr commented 3 months ago

For the use case of nf-nomad, I'd suggest a policy with minimal permissions, just enough so that nextflow can run jobs in a single namespace.

If I understand your use case for your university cluster correctly, you want to restrict usage of specific nodes to specific users/groups? (e.g. group 1 can submit jobs to nodes A and B, while group 2 can submit to node C?) As far as I understand, you would need an enterprise license for that. Then you could link a namespace to one or more nodes, and then give users access to that namespace (https://developer.hashicorp.com/nomad/docs/concepts/node-pools#node-pool-governance). But I'm not familiar with that use case as we do not have an enterprise license.
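As an added illustration of the node pool governance approach mentioned above (not code from the thread or from nf-nomad): one node pool per group, a namespace pinned to that pool, and an ACL policy that only grants write in that namespace. All names (group1-pool, nextflow-group1, the policy name) are assumptions, and the node_pool_config block is a Nomad Enterprise feature.

```hcl
# --- file: group1-pool.nomad.hcl (apply with `nomad node pool apply`) ---
# The pool that nodes A and B will join; plain Nomad, no license needed yet.
node_pool "group1-pool" {
  description = "Nodes A and B, reserved for group 1"
}

# --- fragment of the client agent config on nodes A and B ---
# Each client declares which pool it belongs to.
client {
  enabled   = true
  node_pool = "group1-pool"
}

# --- file: nextflow-group1.nomad.hcl (apply with `nomad namespace apply`) ---
# Namespace spec. node_pool_config is the Enterprise-only governance knob:
# jobs in this namespace land in group1-pool by default and are rejected if
# they try to target any other pool.
name        = "nextflow-group1"
description = "Nextflow jobs for group 1"

node_pool_config {
  default = "group1-pool"
  allowed = ["group1-pool"]
}

# --- file: group1.policy.hcl (apply with `nomad acl policy apply group1 ...`) ---
# Attached to group 1's tokens or roles. Write is limited to the one namespace;
# node, agent and operator endpoints are explicitly denied so the token cannot
# alter cluster membership or drain nodes. Nomad denies anything not listed.
namespace "nextflow-group1" {
  policy = "write"
}

node {
  policy = "deny"
}

agent {
  policy = "deny"
}

operator {
  policy = "deny"
}
```

A second group gets its own pool, namespace and policy in the same shape, so the only thing that differs between groups is which namespace their tokens can write to.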

abhi18av commented 2 months ago

From https://github.com/nextflow-io/nf-nomad/issues/56#issuecomment-2209267588

# Minimal policy for the Nextflow token: full job control in the "nextflow"
# namespace only. The CSI capabilities are listed explicitly on top of the
# coarse-grained "write" policy so that volumes can be registered, listed
# and mounted from that namespace.
namespace "nextflow" {
  policy = "write"
  capabilities = [
    "csi-write-volume",
    "csi-read-volume",
    "csi-list-volume",
    "csi-mount-volume"
  ]
}

# Cluster-wide endpoints are denied outright: the token should not be able
# to reach agent internals, operator (Raft/scheduler) settings, quotas,
# or node management (drain, eligibility).
agent {
  policy = "deny"
}

operator {
  policy = "deny"
}

quota {
  policy = "deny"
}

node {
  policy = "deny"
}

# No access to host volumes on the clients.
host_volume "*" {
  policy = "deny"
}

# Read-only access to CSI plugin information, enough to discover plugins
# but not to change them.
plugin {
  policy = "read"
}