Hide or forbid modulefile¶
Configuration¶
- No specific configuration
Use cases¶
Restrict usage of particular software to a limited set of user (RestrictUsage)
- Included in module specification result for a not granted user: no
- Visible for a not granted user on a full
avail: no - Visible for a not granted user on a targeted
avail: no - Visible for a not granted user once loaded on a
list: yes - Load tentative for a not granted user: error
Allow usage of particular software once clearance has been obtained (AllowOnceCleared)
- Included in module specification result for a not granted user: yes
- Visible for a not granted user on a full
avail: yes - Visible for a not granted user on a targeted
avail: yes - Visible for a not granted user once loaded on a
list: yes - Load tentative for a not granted user: error
Expire a software after a given date (Expire)
- Included in module specification result for a not granted user: no after expiration date
- Visible for a not granted user on a full
avail: no after expiration date - Visible for a not granted user on a targeted
avail: no after expiration date - Visible for a not granted user once loaded on a
list: yes, even after expiration date - Load tentative for a not granted user: error after expiration date
Disclose a software after a given date (Disclose)
- Included in module specification result for a not granted user: no prior disclosure date
- Visible for a not granted user on a full
avail: no prior disclosure date - Visible for a not granted user on a targeted
avail: no prior disclosure date - Visible for a not granted user once loaded on a
list: yes, even prior disclosure date - Load tentative for a not granted user: error prior disclosure date
Hide software not of interest for current user (HideNotOfInt)
- Included in module specification result for a not granted user: yes
- Visible for a not granted user on a full
avail: no, unless specific option set - Visible for a not granted user on a targeted
avail: yes - Visible for a not granted user once loaded on a
list: yes - Load tentative for a not granted user: success
Hide software only useful for other software as dependency (HideDep)
- Included in module specification result for a not granted user: yes
- Visible for a not granted user on a full
avail: no, unless specific option set - Visible for a not granted user on a targeted
avail: yes - Visible for a not granted user once loaded on a
list: yes - Load tentative for a not granted user: success
Hide dependency software once loaded (HideDepOnceLoaded)
- Included in module specification result for a not granted user: see HideDep
- Visible for a not granted user on a full
avail: see HideDep - Visible for a not granted user on a targeted
avail: see HideDep - Visible for a not granted user once loaded on a
list: no, unless specific option set - Load tentative for a not granted user: see HideDep
Specification¶
2 new modulefile commands are introduced for the needs described above:
module-hideandmodule-forbidmodule-hideremoves visibility of specified modulesmodule-hideacts when modules are searched (avail,whatisandsearchsub-commands) or selected (load,unload,display, etc sub-commands)Visibility is however enabled if hidden module is specifically searched
- On all context hidden module mod/1.0 is included in result for instance if mod/1.0 or mod@1.0,2.0 are specficied
- But hidden module mod/1.0 is excluded from result if mod@:2.0 or mod@1: are specified
- And is also excluded from result if mod or mod/* are specified when mod/1.0 is set default
- Unless if search is made to select one module since in this context a mod search query is equivalent to mod/default
- Hard-hidden modules are not disclosed even if specifically searched
Excluded from module resolution result
Unless precisely specified on the following selection contexts:
For example, the hidden module mod/1.0
- is included in
module load mod/1.0result - is excluded from
module load mod/1result, even if default symbol targets it - is excluded from
module load modresult, unless if default symbol targets it (as query is equivalent to mod/default) - is excluded from
module load mod@:2result, even if default symbol targets it - is included in
module load mod@1.0,2.0result - is included/excluded the same way for
prereqandconflictsub-commands thanloadsub-command - is matched by
is-loadedandinfo-loadedsub-commands querying it once loaded - is excluded from
module whatisresult - is included/excluded the same way for
whatissub-command thanavailsub-command - is excluded from
module availresult - is excluded from
module avail m*result - is included in
module avail mod/1.0result - is excluded from
module avail mod/1result, even if default symbol targets it - is excluded from
module avail modresult, even if default symbol targets it (as query is NOT equivalent to mod/default in this context) - is excluded from
module avail mod@:2result, even if default symbol targets it - is included in
module avail mod@1.0,2.0result
- is included in
Included in module resolution result if
--alloption ofavail,whatis,searchandaliasessub-commands is set--alloption does not apply tois-availsub-command to make it coherent withloadsub-command (eg. ais-avail modreturning true impliesload modeffectively loading a module)
Visibility of a module targeted by a
module-hidecommand, with regular hiding level defined, acts similarly than for a file whose name is prefixed by a dot character on Unix platformIf
--softoption is set onmodule-hidecommand, module hiding is weakenedModule is always included in resolution result for the following contexts
For example, the hidden module mod/1.0
- is included in
module load mod/1.0result - is included in
module load mod/1result - is included in
module load modresult - is included in
module load mod@:2result - is included in
module load mod@1.0,2.0result - is included/excluded the same way for
prereqandconflictsub-commands thanloadsub-command - is matched by
is-loadedandinfo-loadedsub-commands querying it once loaded - is excluded from
module whatisresult - is included/excluded the same way for
whatissub-command thanavailsub-command - is excluded from
module availresult - is excluded from
module avail m*result - is included in
module avail mod/1.0result - is included in
module avail mod/1result - is included in
module avail modresult - is included in
module avail mod@:2result - is included in
module avail mod@1.0,2.0result
- is included in
If
--hardoption is set onmodule-hidecommand, hiding is hardened and designated modules are never unveiledDesignated modules are strictly hidden, also referred as hard-hidden
--alloption ofavailsub-command cannot unveil them
Excluded from module resolution result, which means it is always excluded from resolution on following context:
For example, the hard-hidden module mod/1.0
- is excluded from
module load mod/1.0result - is excluded from
module load modresult, even if default symbol targets it - is excluded from
module load mod/1result, even if default symbol targets it - is excluded from
module load mod@:2result, even if default symbol targets it - is excluded from
module load mod@1.0,2.0result - is included/excluded the same way for
prereqandconflictsub-commands thanloadsub-command - is matched by
is-loadedandinfo-loadedsub-commands querying it once loaded - is excluded from any
availquery result - is included/excluded the same way for
whatissub-command thanavailsub-command
- is excluded from
Visibility of a module targeted by a
module-hide --hardcommand acts like if no modulefile exists on filesystem
If
--hide-once-loadedoption is set onmodule-hide, hiding also applies to specified modules once they are loaded- Hidden once loaded modules do not appear on
module list - Unless
--alloption is set onlistsub-command - When those modules are loaded, they are recorded in
MODULES_LMHIDDENenvironment variable to keep track of their hidden status - Hidden once loaded status does not affect
is-loaded: these modules will always be reported if they matchis-loadedqueries
- Hidden once loaded modules do not appear on
module-forbiddisallow evaluation of specified modulesIt does not imply hiding, but can be of course coupled with
module-hidecallsEvaluation of targeted modules is forbidden
- Error is rendered prior evaluation when trying to load, display, help, test, path, whatis them
- Note that for whatis evaluation mode, an error is reported only if a module is referred by its exact name which is not the case on
searchsub-command as no module is specified, just a keyword to search - No error occurs when unloading a module that were set forbidden after it was loaded by user
As it impacts module evaluation,
module-forbidis only effective when it targets modulefiles or virtual modules- Module alias or symbolic version are not impacted by
module-forbiddirectives - Even if they match some
module-forbidstatements, they are still resolved to their target and these targets do not inherit the forbidden tag set on their alias, symbol. - When a
module-forbidcommand targets a directory, this directory is still resolved to its target, but the target inherits the forbidden tag as it matches the name specified onmodule-forbidcommand
- Module alias or symbolic version are not impacted by
When combined with a
module-hide --hardcommand, designated modules is unveiled if referred by its exact name and set in error- Thus an error is obtained when trying to reach module instead of not finding it (which is the regular behavior for hard-hidden modules)
module-hideaccepts options that change its behavior:--hide-once-loaded: hides module from loaded module list--soft: lightweight module hide--hard: highest hiding level--not-user: specify a list of users unaffected by hide mechanism--not-group: specify a list of groups whose member are unaffected by hide mechanism--before: enables hide mechanism until a given date--after: enables hide mechanism after a given date
module-forbidaccepts options that change its behavior:--not-user: specify a list of users unaffected by forbid mechanism--not-group: specify a list of groups whose member are unaffected by forbid mechanism--before: enables forbid mechanism until a given date--after: enables forbid mechanism after a given date--message: supplements error message obtained when trying to evaluate a forbidden module with given text message--nearly-message: supplements warning message obtained when evaluating a nearly forbidden module with given text message
Each use case expressed above are covered by following command:
- RestrictUsage:
module-hide --hard - AllowOnceCleared:
module-forbid - Expire:
module-forbid --after+module-hide --hard --after - Disclose:
module-hide --hard --before - HideNotOfInt:
module-hide --soft - HideDep:
module-hide --soft - HideDepOnceLoaded:
module-hide --soft --hide-once-loaded
- RestrictUsage:
module-hideandmodule-forbidaccept the specification of several modulesFor instance
module-hide mod1 mod2...Advanced module version specifiers are supported if relative module option is enabled
Full path specification are not supported, as modulerc are not evaluated when reaching a modulefile specified as full path
For instance,
/path/to/modulefiles/.modulercis not evaluated when loading/path/to/modulefiles/mod/1.0Thus
module-hideandmodule-forbidcommands set in this modulerc files are not evaluatedIf module is specified as full path, no error is returned, but it will have no effect as demonstrated above
- Unless on very specific cases, where a global rc file defines these hidden/forbidden commands for the full path modules
--not-userand--not-groupspecification is only supported on Unix platform- These 2 options raise an error when used on Windows platform
- In which case relative
module-hideormodule-forbidcommand is made ineffective as well as remaining content of the modulerc script hosting them - Error message is clearly seen when trying to load related modules and indicate where to find the erroneous command
--beforeand--afterare also supported bymodule-hideto phase-out modules prior to forbid their evaluation--beforeand--afteraccept a date time as valueAccepted date time format is
YYYY-MM-DD[THH:MM]If no time value is specified (just a date like
2020-08-01), 00:00 is assumed- So 2020-08-01` is translated into
2020-08-01T00:00
- So 2020-08-01` is translated into
An error is raised if submitted date time value does not match accepted date time format
if both
--beforeand--afteroptions are set and before date is greater than after date- targeted module is always hidden/forbidden
- no error is returned
--beforeand--afteroptions are not supported on Tcl version below 8.5- Prior 8.5,
clock scancommand does not have a-formatoption - This option is required to support defined date time format
- An error is raised when
--beforeor--afteroptions are used over a Tcl version below 8.5
- Prior 8.5,
--messageoption adds additional text to the access denied error messageNewline set in text message are preserved, which could help to control text output format
Message content is set along forbidden module specification
- Message recorded for matching module specification will be printed
- Message recorded on other matching specification will be ignored, only message from retained matching specificaton is printed
a module matching a
module-forbidstatement whose--afterlimit is close is considered nearly forbiddennearly-forbiddentag applies to such module- matched
module-forbidstatement should of course not be disabled for current user of group due to--not-useror--not-groupoption values - the near range is defined by the
nearly_forbidden_daysconfiguration, which equals to14(14 days) by default - this configuration accepts an integer value which represents a number of days prior forbiding starts to be effective for module
nearly_forbidden_daysconfiguration can be set at configure time with--with-nearly-forbidden-daysoption or afterward with theconfigsub-command (which sets theMODULES_NEARLY_FORBIDDEN_DAYSenvironment variable)- when evaluating a nearly-forbidden module, a warning message is reported to indicate that module access will soon be denied
--nearly-messageoption adds additional text to the access will be denied warning messageNewline set in text message are preserved, which could help to control text output format
Message content is set along nearly-forbidden module specification
- Message recorded for matching module specification will be printed
- Message recorded on other matching specification will be ignored, only message from retained matching specificaton is printed
module-hideandmodule-forbidare intended to be used in modulerc files- as they impact modulefile resolution
- they also need to be enabled in modulefile context as global/user rc files are evaluated as modulefile, not modulerc
several
module-hidecalls for the same module will supersede each other- definition with the highest hiding level wins
- which means the most restrictive call wins
- a
--hide-once-loadedstatus set is kept even if correspondingmodule-hidecall is not the highest one - the multiple definitions can come accross different modulerc files (global, modulepath or modulefile rc levels)
Module specification passed as argument to
module-hideandmodule-forbidare matched exactly against available modules- Exception made when extended_default or icase mechanisms are enabled
- Which means wildcard characters like * or ? are treated literally
Auto symbols (@default and @latest) are adapted when a latest version is hidden
- Auto symbols are applied to this version if it is selected specifically (for instance loaded by its full name)
- Auto symbols are applied to another version when hidden latest is not selected specifically, even if specified with @latest auto symbol
Auto-symbols cannot be set hidden
- When a defined
defaultorlatestsymbol is set hidden, it is replaced by adefaultorlatestauto-symbol targetting highest available module version - Targeting an auto-symbol with a
module-hidecommand, will have no effect
- When a defined
When module specification of
module-hidetargets:A symbolic version
- This symbol only is hidden
- Modulefile targeted by hidden symbolic version stays visible
An alias
- This alias only is hidden
- Modulefile targeted by hidden alias stays visible
A modulefile targeted by either symbolic version or alias
- This modulefile is hidden and all symbolic versions targeting it
- Aliases targeting modulefile stays visible (thus resolving alias in load or whatis contexts make hidden modulefile target visible unless if set hard-hidden)
Hidden alias or symbolic version should not appear in the list of alternative names of loaded modules
Unless this alias or symbolic version is not hard-hidden and is used to designate the module to load
When
defaultsymbolic version is set hidden- also remove parent module name from the list of alternative names
- if resolution query corresponds to parent module name, unhide
defaultsymbol unless if hard-hidden
On
availsub-commandHidden symbolic versions are not reported along module they target
- Unless for non-hard-hidden symbols specifically designated in search query
A
--defaultfiltered search considers search query matchesdefaultsymbol- So
defaultsymbolic version will appear in result unless if hard-hidden
- So
Different hiding level are considered
- -1: module is not hidden
- 0: soft hiding (applied with
module-hide --soft) - 1: regular hiding (applied with dot name module or default
module-hidecommand) - 2: hard hiding (applied with
module-hide --hard)
Hiding threshold
- is 0 by default, which means module is considered hidden if its hiding level is greater or equal to 0
- is raised to 2 when
--alloption is applied, which means module is considered hidden if its hiding level is greater or equal to 2