Skip to content

Allow "." and long usernames in the DCV authenticator#3208

Open
hanwen-cluster wants to merge 2 commits into
aws:developfrom
hanwen-cluster:developjun2
Open

Allow "." and long usernames in the DCV authenticator#3208
hanwen-cluster wants to merge 2 commits into
aws:developfrom
hanwen-cluster:developjun2

Conversation

@hanwen-cluster

@hanwen-cluster hanwen-cluster commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Description of changes

The DCV external rejected valid usernames in two ways:

  1. USER_REGEX did not permit ".", so usernames such as "first.last" failed validation with "The authUser parameter is not valid".

  2. Session ownership was verified by parsing ps aux, whose USER column is truncated to 8 characters. For usernames longer than 8 characters the truncated name never matched, so valid sessions were reported as non-existent.

Changes:

  • Add "." to the allowed characters in USER_REGEX.
  • Resolve the username to its numeric UID (pwd.getpwnam) and match it against the UID column from ps -eo uid,args instead of comparing the (truncatable) username from ps aux. This is robust for names of any length and avoids the fragile fixed-column parsing.
  • Raise error when the user does not exist on the system.

Note: usernames containing uppercase characters are still rejected by USER_REGEX; that is a separate, pre-existing limitation and is out of scope here.

This commit addresses aws/aws-parallelcluster#7352, #2472, aws/aws-parallelcluster#7345

Tests

The following tests have been passed

{%- import 'common.jinja2' as common with context -%}
{{- common.OSS_COMMERCIAL_X86.append("rocky8") or "" -}}
{{- common.OSS_COMMERCIAL_X86.append("rocky9") or "" -}}
---
test-suites:
  ad_integration:
    test_ad_integration.py::test_ad_integration:
      dimensions:
        - regions: [ "ap-southeast-1" ]
          instances: {{ common.INSTANCES_DEFAULT_X86 }}
          oss: [ {{ LUSTRE_OS_X86_0 }}, {{ LUSTRE_OS_X86_2 }}, {{ LUSTRE_OS_X86_4 }}]
          schedulers: ["slurm"]
  dcv:
    test_dcv.py::test_dcv_configuration:
      dimensions:
        # DCV on GPU enabled instance
        - regions: [{{ g4dn_2xlarge_CAPACITY_RESERVATION_2_INSTANCES_1_HOURS_NOPG_DCV_OS_X86_1 }}]
          instances: ["g4dn.2xlarge"]
          oss: [{{ DCV_OS_X86_1 }}]
          schedulers: ["slurm"]
        # DCV on ARM + GPU
        - regions: [{{ g5g_2xlarge_CAPACITY_RESERVATION_2_INSTANCES_1_HOURS_NOPG_DCV_OS_X86_3 }}]
          instances: ["g5g.2xlarge"]
          oss: [{{ DCV_OS_X86_3 }}]
          schedulers: ["slurm"]
    test_dcv.py::test_dcv_with_remote_access:
      dimensions:
        - regions: ["ap-southeast-2"]
          instances: {{ common.INSTANCES_DEFAULT_X86 }}
          oss: [{{ DCV_OS_X86_1 }}]
          schedulers: ["slurm"]

References

Checklist

  • Make sure you are pointing to the right branch.
  • If you're creating a patch for a branch other than develop add the branch name as prefix in the PR title (e.g. [release-3.6]).
  • Check all commits' messages are clear, describing what and why vs how.
  • Make sure to have added unit tests or integration tests to cover the new/modified code.
  • Check if documentation is impacted by this change.

Please review the guidelines for contributing and Pull Request Instructions.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

The DCV external rejected valid usernames in two ways:

1. USER_REGEX did not permit ".", so usernames such as "first.last" failed validation with "The authUser parameter is not valid".

2. Session ownership was verified by parsing `ps aux`, whose USER column is truncated to 8 characters. For usernames longer than 8 characters the truncated name never matched, so valid sessions were reported as non-existent.

Changes:
- Add "." to the allowed characters in USER_REGEX.
- Resolve the username to its numeric UID (pwd.getpwnam) and match it against the UID column from `ps -eo uid,args` instead of comparing the (truncatable) username from `ps aux`. This is robust for names of any length and avoids the fragile fixed-column parsing.
- Raise error when the user does not exist on the system.

Note: usernames containing uppercase characters are still rejected by USER_REGEX; that is a separate, pre-existing limitation and is out of scope here.

This commit addresses aws/aws-parallelcluster#7352, aws#2472, aws/aws-parallelcluster#7345
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant