Security
The security role allows users to set up FreeIPA and LDAP to help authenticate into HPC clusters.
Configuring FreeIPA/LDAP security
Enter the following parameters in input/security_config.yml.
Parameter Name |
Values |
Additional Information |
|---|---|---|
freeipa_required |
true, false |
Boolean indicating whether FreeIPA is required or not. |
realm_name |
OMNIA.TEST |
Sets the intended realm name |
directory_manager_password |
Password authenticating admin level access to the Directory for system management tasks. It will be added to the instance of directory server created for IPA.Required Length: 8 characters. The password must not contain -,, ‘,” |
|
kerberos_admin_password |
“admin” user password for the IPA server on RockyOS. |
|
domain_name |
omnia.test |
Sets the intended domain name |
ldap_required |
false, true |
Boolean indicating whether ldap client is required or not |
ldap_server_ip |
LDAP server IP. Required if |
|
ldap_connection_type |
TLS |
For a TLS connection, provide a valid certification path. For an SSL connection, ensure port 636 is open. |
ldap_ca_cert_path |
/etc/openldap/certs/omnialdap.pem |
This variable accepts Server Certificate Path. Make sure certificate is present in the path provided. The certificate should have .pem or .crt extension. This variable is mandatory if connection type is TLS. |
user_home_dir |
/home |
This variable accepts the user home directory path for ldap configuration. If nfs mount is created for user home, make sure you provide the LDAP users mount home directory path. |
ldap_bind_username |
admin |
If LDAP server is configured with bind dn then bind dn user to be provided. If this value is not provided (when bind is configured in server) then ldap authentication fails. |
ldap_bind_password |
If LDAP server is configured with bind dn then bind dn password to be provided. If this value is not provided (when bind is configured in server) then ldap authentication fails. |
|
enable_secure_login_node |
false, true |
Boolean value deciding whether security features are enabled on the Login Node. |
Note
When ldap_required is true, freeipa_required has to be false. Conversely, when freeipa_required` is true, ldap_required has to be false.
Configuring login node security
Enter the following parameters in input/login_node_security_config.yml.
Variable |
Default, Choices |
Description |
|---|---|---|
max_failures |
3 |
The number of login failures that can take place before the account is locked out. |
failure_reset_interval |
60 |
Period (in seconds) after which the number of failed login attempts is reset. Min value: 30; Max value: 60. |
lockout_duration |
10 |
Period (in seconds) for which users are locked out. Min value: 5; Max value: 10. |
session_timeout |
180 |
User sessions that have been idle for a specific period can be ended automatically. Min value: 90; Max value: 180. |
alert_email_address |
Email address used for sending alerts in case of authentication failure. When blank, authentication failure alerts are disabled. Currently, only one email ID is accepted. |
|
user |
Access control list of users. Accepted formats are username@ip (root@1.2.3.4) or username (root). Multiple users can be separated using whitespaces. |
|
allow_deny |
allow, deny |
This variable decides whether users are to be allowed or denied access. Ensure that AllowUsers or DenyUsers entries on sshd configuration file are not commented. |
restrict_program_support |
false, true |
This variable is used to disable services. Root access is mandatory. |
restrict_softwares |
telnet,lpd,bluetooth,rlogin,rexec |
List of services to be disabled (Comma-separated). Example: ‘telnet,lpd,bluetooth’ |
Installing LDAP Client
Manager and compute nodes will have LDAP client installed and configured if ldap_required is set to true. The login node does not have LDAP client installed.
Warning
No users/groups will be created by Omnia.
FreeIPA installation on the NFS node
IPA services are used to provide account management and centralized authentication.
To customize your installation of FreeIPA, enter the following parameters in input/security_config.yml.
Input Parameter |
Definition |
Variable value |
|---|---|---|
kerberos_admin_password |
“admin” user password for the IPA server on RockyOS and RedHat. |
The password can be found in the file |
ipa_server_hostname |
The hostname of the IPA server |
The hostname can be found on the manager node. |
domain_name |
Domain name |
The domain name can be found in the file |
ipa_server_ipadress |
The IP address of the IPA server |
The IP address can be found on the IPA server on the manager node using the |
To set up IPA services for the NFS node in the target cluster, run the following command from the utils/cluster folder on the control plane:
cd utils/cluster
ansible-playbook install_ipa_client.yml -i inventory -e kerberos_admin_password="" -e ipa_server_hostname="" -e domain_name="" -e ipa_server_ipadress=""
- Hostname requirements
In the
examplesfolder, a mapping_host_file.csv template is provided which can be used for DHCP configuration. The header in the template file must not be deleted before saving the file. It is recommended to provide this optional file as it allows IP assignments provided by Omnia to be persistent across control plane reboots.The Hostname should not contain the following characters: , (comma), . (period) or _ (underscore). However, the domain name is allowed commas and periods.
The Hostname cannot start or end with a hyphen (-).
No upper case characters are allowed in the hostname.
The hostname cannot start with a number.
The hostname and the domain name (that is:
hostname00000x.domain.xxx) cumulatively cannot exceed 64 characters. For example, if thenode_nameprovided ininput/provision_config.ymlis ‘node’, and thedomain_nameprovided is ‘omnia.test’, Omnia will set the hostname of a target compute node to ‘node00001.omnia.test’. Omnia appends 6 digits to the hostname to individually name each target node.
Use the format specified under NFS inventory in the Sample Files for inventory.
Running the security role
Run:
cd security
ansible-playbook security.yml -i inventory
The inventory should contain compute, manager, login_node as per the inventory file in samplefiles.
To enable security features on the login node, ensure that
enable_secure_login_nodeininput/security_config.ymlis set to true.To customize the security features on the login node, fill out the parameters in
input/login_node_security_config.yml.
Warning
No users/groups will be created by Omnia.