Hide or forbid modulefile
Configuration
No specific configuration
Use cases
Restrict usage of particular software to a limited set of user (RestrictUsage)
Included in module specification result for a not granted user: no
Visible for a not granted user on a full
avail: noVisible for a not granted user on a targeted
avail: noVisible for a not granted user once loaded on a
list: yesLoad tentative for a not granted user: error
Allow usage of particular software once clearance has been obtained (AllowOnceCleared)
Included in module specification result for a not granted user: yes
Visible for a not granted user on a full
avail: yesVisible for a not granted user on a targeted
avail: yesVisible for a not granted user once loaded on a
list: yesLoad tentative for a not granted user: error
Expire a software after a given date (Expire)
Included in module specification result for a not granted user: no after expiration date
Visible for a not granted user on a full
avail: no after expiration dateVisible for a not granted user on a targeted
avail: no after expiration dateVisible for a not granted user once loaded on a
list: yes, even after expiration dateLoad tentative for a not granted user: error after expiration date
Disclose a software after a given date (Disclose)
Included in module specification result for a not granted user: no prior disclosure date
Visible for a not granted user on a full
avail: no prior disclosure dateVisible for a not granted user on a targeted
avail: no prior disclosure dateVisible for a not granted user once loaded on a
list: yes, even prior disclosure dateLoad tentative for a not granted user: error prior disclosure date
Hide software not of interest for current user (HideNotOfInt)
Included in module specification result for a not granted user: yes
Visible for a not granted user on a full
avail: no, unless specific option setVisible for a not granted user on a targeted
avail: yesVisible for a not granted user once loaded on a
list: yesLoad tentative for a not granted user: success
Hide software only useful for other software as dependency (HideDep)
Included in module specification result for a not granted user: yes
Visible for a not granted user on a full
avail: no, unless specific option setVisible for a not granted user on a targeted
avail: yesVisible for a not granted user once loaded on a
list: yesLoad tentative for a not granted user: success
Hide dependency software once loaded (HideDepOnceLoaded)
Included in module specification result for a not granted user: see HideDep
Visible for a not granted user on a full
avail: see HideDepVisible for a not granted user on a targeted
avail: see HideDepVisible for a not granted user once loaded on a
list: no, unless specific option setLoad tentative for a not granted user: see HideDep
Specification
2 new modulefile commands are introduced for the needs described above:
module-hideandmodule-forbidmodule-hideremoves visibility of specified modulesmodule-hideacts when modules are searched (avail,whatisandsearchsub-commands) or selected (load,unload,display, etc sub-commands)Visibility is however enabled if hidden module is specifically searched
On all context hidden module mod/1.0 is included in result for instance if mod/1.0 or mod@1.0,2.0 are specified
But hidden module mod/1.0 is excluded from result if mod@:2.0 or mod@1: are specified
And is also excluded from result if mod or mod/* are specified when mod/1.0 is set default
Unless if search is made to select one module since in this context a mod search query is equivalent to mod/default
Hard-hidden modules are not disclosed even if specifically searched
Excluded from module resolution result
Unless precisely specified on the following selection contexts:
For example, the hidden module mod/1.0
is included in
module load mod/1.0resultis excluded from
module load mod/1result, even if default symbol targets itis excluded from
module load modresult, unless if default symbol targets it (as query is equivalent to mod/default)is excluded from
module load mod@:2result, even if default symbol targets itis included in
module load mod@1.0,2.0resultis included/excluded the same way for
prereqandconflictsub-commands thanloadsub-commandis matched by
is-loadedandinfo-loadedsub-commands querying it once loadedis excluded from
module whatisresultis included/excluded the same way for
whatissub-command thanavailsub-commandis excluded from
module availresultis excluded from
module avail m*resultis included in
module avail mod/1.0resultis excluded from
module avail mod/1result, even if default symbol targets itis excluded from
module avail modresult, even if default symbol targets it (as query is NOT equivalent to mod/default in this context)is excluded from
module avail mod@:2result, even if default symbol targets itis included in
module avail mod@1.0,2.0result
Included in module resolution result if
--alloption ofavail,whatis,searchandaliasessub-commands is set--alloption does not apply tois-availsub-command to make it coherent withloadsub-command (e.g., ais-avail modreturning true impliesload modeffectively loading a module)
Visibility of a module targeted by a
module-hidecommand, with regular hiding level defined, acts similarly than for a file whose name is prefixed by a dot character on Unix platformIf
--softoption is set onmodule-hidecommand, module hiding is weakenedModule is always included in resolution result for the following contexts
For example, the hidden module mod/1.0
is included in
module load mod/1.0resultis included in
module load mod/1resultis included in
module load modresultis included in
module load mod@:2resultis included in
module load mod@1.0,2.0resultis included/excluded the same way for
prereqandconflictsub-commands thanloadsub-commandis matched by
is-loadedandinfo-loadedsub-commands querying it once loadedis excluded from
module whatisresultis included/excluded the same way for
whatissub-command thanavailsub-commandis excluded from
module availresultis excluded from
module avail m*resultis included in
module avail mod/1.0resultis included in
module avail mod/1resultis included in
module avail modresultis included in
module avail mod@:2resultis included in
module avail mod@1.0,2.0result
If
--hardoption is set onmodule-hidecommand, hiding is hardened and designated modules are never unveiledDesignated modules are strictly hidden, also referred as hard-hidden
--alloption ofavailsub-command cannot unveil them
Excluded from module resolution result, which means it is always excluded from resolution on following context:
For example, the hard-hidden module mod/1.0
is excluded from
module load mod/1.0resultis excluded from
module load modresult, even if default symbol targets itis excluded from
module load mod/1result, even if default symbol targets itis excluded from
module load mod@:2result, even if default symbol targets itis excluded from
module load mod@1.0,2.0resultis included/excluded the same way for
prereqandconflictsub-commands thanloadsub-commandis matched by
is-loadedandinfo-loadedsub-commands querying it once loadedis excluded from any
availquery resultis included/excluded the same way for
whatissub-command thanavailsub-command
Visibility of a module targeted by a
module-hide --hardcommand acts like if no modulefile exists on filesystem
If
--hidden-loadedoption is set onmodule-hide, hiding also applies to specified modules once they are loadedHidden once loaded modules do not appear on
module listUnless
--alloption is set onlistsub-command
Hidden once loaded modules load, unload or tag is not reported
If this evaluation has been triggered automatically
By an automated module handling mechanism for instance
Which means user has not explicitly asked the module load or unload
And was automatically loaded, in case of an automatic unload
Which means the automatic unload of an hidden loaded module will be reported if it was manually loaded
And if
verbositylevel is lower thanverbose2levelAnd if no issue occurs during hidden module evaluation
Switch of hidden modules is not reported
If both switched-off and switched-on modules are set hidden
If switched-off module were automatically loaded
And if the switch evaluation has been automatically triggered
When those modules are loaded, a
hidden-loadedtag is applied to them and recorded in__MODULES_LMTAGenvironment variable to keep track of their hidden statusHidden once loaded status does not affect
is-loaded: these modules will always be reported if they matchis-loadedqueries
module-forbiddisallow evaluation of specified modulesIt does not imply hiding, but can be of course coupled with
module-hidecallsEvaluation of targeted modules is forbidden
Error is rendered prior evaluation when trying to load, display, help, test, path, whatis them
Note that for whatis evaluation mode, an error is reported only if a module is referred by its exact name which is not the case on
searchsub-command as no module is specified, just a keyword to searchNo error occurs when unloading a module that were set forbidden after it was loaded by user
As it impacts module evaluation,
module-forbidis only effective when it targets modulefiles or virtual modulesModule alias or symbolic version are not impacted by
module-forbiddirectivesEven if they match some
module-forbidstatements, they are still resolved to their target and these targets do not inherit the forbidden tag set on their alias, symbol.When a
module-forbidcommand targets a directory, this directory is still resolved to its target, but the target inherits the forbidden tag as it matches the name specified onmodule-forbidcommand
When combined with a
module-hide --hardcommand, designated modules is unveiled if referred by its exact name and set in errorThus an error is obtained when trying to reach module instead of not finding it (which is the regular behavior for hard-hidden modules)
module-hideaccepts options that change its behavior:--hidden-loaded: hides module from loaded module list--soft: lightweight module hide--hard: highest hiding level--not-user: specify a list of users unaffected by hide mechanism--not-group: specify a list of groups whose member are unaffected by hide mechanism--user: specify a list of users specifically affected by hide mechanism--group: specify a list of groups whose member are specifically affected by hide mechanism--before: enables hide mechanism until a given date--after: enables hide mechanism after a given date
module-forbidaccepts options that change its behavior:--not-user: specify a list of users unaffected by forbid mechanism--not-group: specify a list of groups whose member are unaffected by forbid mechanism--user: specify a list of users specifically affected by forbid mechanism--group: specify a list of groups whose member are specifically affected by forbid mechanism--before: enables forbid mechanism until a given date--after: enables forbid mechanism after a given date--message: supplements error message obtained when trying to evaluate a forbidden module with given text message--nearly-message: supplements warning message obtained when evaluating a nearly forbidden module with given text message
Each use case expressed above are covered by following command:
RestrictUsage:
module-hide --hardAllowOnceCleared:
module-forbidExpire:
module-forbid --after+module-hide --hard --afterDisclose:
module-hide --hard --beforeHideNotOfInt:
module-hide --softHideDep:
module-hide --softHideDepOnceLoaded:
module-hide --soft --hidden-loaded
module-hideandmodule-forbidaccept the specification of several modulesFor instance
module-hide mod1 mod2...Advanced module version specifiers are supported if relative module option is enabled
Full path specification are not supported, as modulerc are not evaluated when reaching a modulefile specified as full path
For instance,
/path/to/modulefiles/.modulercis not evaluated when loading/path/to/modulefiles/mod/1.0Thus
module-hideandmodule-forbidcommands set in this modulerc files are not evaluatedIf module is specified as full path, no error is returned, but it will have no effect as demonstrated above
Unless on very specific cases, where a global rc file defines these hidden/forbidden commands for the full path modules
--user,--group,--not-userand--not-groupspecification is only supported on Unix platformThese options raise an error when used on Windows platform
In which case relative
module-hideormodule-forbidcommand is made ineffective as well as remaining content of the modulerc script hosting themError message is clearly seen when trying to load related modules and indicate where to find the erroneous command
--userand--groupoptions prevail over--not-userand--not-groupoptionsWhen
--useror--groupis set, exclusion list from--not-userand--not-groupare ignored
--beforeand--afterare also supported bymodule-hideto phase-out modules prior to forbid their evaluation--beforeand--afteraccept a date time as valueAccepted date time format is
YYYY-MM-DD[THH:MM]If no time value is specified (just a date like
2020-08-01), 00:00 is assumedSo
2020-08-01is translated into2020-08-01T00:00
An error is raised if submitted date time value does not match accepted date time format
if both
--beforeand--afteroptions are set and before date is greater than after datetargeted module is always hidden/forbidden
no error is returned
--beforeand--afteroptions are not supported on Tcl version below 8.5Prior 8.5,
clock scancommand does not have a-formatoptionThis option is required to support defined date time format
An error is raised when
--beforeor--afteroptions are used over a Tcl version below 8.5
--messageoption adds additional text to the access denied error messageNewline set in text message are preserved, which could help to control text output format
Message content is set along forbidden module specification
Message recorded for matching module specification will be printed
Message recorded on other matching specification will be ignored, only message from retained matching specification is printed
Firstly evaluated
module-forbidcommand that matches module specification is retained with its message property
a module matching a
module-forbidstatement whose--afterlimit is close is considered nearly forbiddennearly-forbiddentag applies to such modulematched
module-forbidstatement should of course not be disabled for current user or group due to--not-useror--not-groupoption valuesthe near range is defined by the
nearly_forbidden_daysconfiguration, which equals to14(14 days) by defaultthis configuration accepts an integer value which represents a number of days prior forbidding starts to be effective for module
nearly_forbidden_daysconfiguration can be set at configure time with--with-nearly-forbidden-daysoption or afterward with theconfigsub-command (which sets theMODULES_NEARLY_FORBIDDEN_DAYSenvironment variable)when evaluating a nearly-forbidden module, a warning message is reported to indicate that module access will soon be denied
--nearly-messageoption adds additional text to the access will be denied warning messageNewline set in text message are preserved, which could help to control text output format
Message content is set along nearly-forbidden module specification
Message recorded for matching module specification will be printed
Message recorded on other matching specification will be ignored, only message from retained matching specification is printed
Firstly evaluated
module-forbidcommand that matches module specification is retained with its message property
module-hideandmodule-forbidare intended to be used in modulerc filesas they impact modulefile resolution
they also need to be enabled in modulefile context as global/user rc files are evaluated as modulefile, not modulerc
several
module-hidecalls for the same module will supersede each otherdefinition with the highest hiding level wins
which means the most restrictive call wins
a
--hidden-loadedstatus set is kept even if correspondingmodule-hidecall is not the highest onethe multiple definitions can come across different modulerc files (global, modulepath or modulefile rc levels)
Module specification passed as argument to
module-hideandmodule-forbidare matched exactly against available modulesException made when extended_default or icase mechanisms are enabled
Which means wildcard characters like * or ? are treated literally
Auto symbols (@default and @latest) are adapted when a latest version is hidden
Auto symbols are applied to this version if it is selected specifically (for instance loaded by its full name)
Auto symbols are applied to another version when hidden latest is not selected specifically, even if specified with @latest auto symbol
Auto-symbols cannot be set hidden
When a defined
defaultorlatestsymbol is set hidden, it is replaced by adefaultorlatestauto-symbol targeting highest available module versionTargeting an auto-symbol with a
module-hidecommand, will have no effect
When module specification of
module-hidetargets:A symbolic version
This symbol only is hidden
Modulefile targeted by hidden symbolic version stays visible
An alias
This alias only is hidden
Modulefile targeted by hidden alias stays visible
A modulefile targeted by either symbolic version or alias
This modulefile is hidden and all symbolic versions targeting it
Aliases targeting modulefile stays visible (thus resolving alias in load or whatis contexts make hidden modulefile target visible unless if set hard-hidden)
Hidden alias or symbolic version should not appear in the list of alternative names of loaded modules
Unless this alias or symbolic version is not hard-hidden and is used to designate the module to load
When
defaultsymbolic version is set hiddenalso remove parent module name from the list of alternative names
if resolution query corresponds to parent module name, unhide
defaultsymbol unless if hard-hidden
On
availsub-commandHidden symbolic versions are not reported along module they target
Unless for non-hard-hidden symbols specifically designated in search query
A
--defaultfiltered search considers search query matchesdefaultsymbolSo
defaultsymbolic version will appear in result unless if hard-hidden
Different hiding level are considered
-1: module is not hidden
0: soft hiding (applied with
module-hide --soft)1: regular hiding (applied with dot name module or default
module-hidecommand)2: hard hiding (applied with
module-hide --hard)
Hiding threshold
is 0 by default, which means module is considered hidden if its hiding level is greater or equal to 0
is raised to 2 when
--alloption is applied, which means module is considered hidden if its hiding level is greater or equal to 2