We would like to create a “no submit” group, such that any users in that group are prevented from submitting jobs to any queues. My intuition says to do something like this at the top level of the config:
```
set server acl_groups_enable = True
set server acl_groups -= no_submit_group
```
But I have a couple of questions:
- Can a user in `no_submit_group` circumvent the ACL by setting their submit group to another group they belong to?
- Will this have any unintended trickle down effects into other ACLs? For example, we have several `acl_users` directives in individual queues, operating as whitelists. Will a top-level blacklist interfere with queue-level whitelists?
- Which ACLs at which levels take precedence? Say, for example, I want a group that can only submit to a single queue and no other queues. Would I do an `acl_groups -= only_queue_x` at the server level and then `acl_groups += only_queue_x` at the queue level?