SH_SDOW on Sherlock
sh_adow is a system, implmented on Sherlock, whereby SRC Researcher Facing personell can impersonate, or “shadow,” a regular user, in order to test commands, modify files, copy data for local testing, etc. sh_adow requires explicit user consent, that consent can be explicitly revoked, and that consent expires after 48 hours – which is all to say that this is a pretty safe operation.
Every member of the researcher-facing team can now use sh_adow on a Sherlock login node to directly become a user: you get a login shell as the user, with their full environment loaded.
The workflow is simple:
The support consultant will ask the user to create an empty .sh_allow_support file in the $HOME directory, eg. with touch
touch $HOME/.sh_allow_support
This is the user consent to be shadowed. If that file doesn’t exist, the user cannot be impersonated.
The suppot consultant will then run sh_adow <username> on any login node
at which time, they can poke around, debug, fix things in the enviroment, then exit when finished.
The consent file auto-expires after 48h (and gets cleaned up automatically if stale). If it’s expired, just ask them to touch it again.
Everything is audited, so we can keep a record of those shadow sessions:
Slack notifications are sent to #sherlock-events when a session starts and ends (threaded together for easy tracking),
your commands are saved to a separate history file in the user’s homedir (.sh_support.
sh_adow should already be in your PATH (you can check with sh_adow -h ).