Centralized authentication on the cluster
The security feature allows users to set up FreeIPA and LDAP to help authenticate into HPC clusters.
Configuring FreeIPA/LDAP security
Pre requisites
Run
local_repo.yml
to create offline repositories of FreeIPA or OpenLDAP. If both were downloaded, ensure that the non-required system is removed frominput/software_config.json
before runningsecurity.yml
. For more information, click here.Enter the following parameters in
input/security_config.yml
.
Parameter |
Details |
---|---|
|
|
Parameter |
Details |
---|---|
|
For a TLS connection, provide a valid certification path. For an SSL connection, ensure port 636 is open.
|
|
File path pointing to the Certificate Authority (CA) issued certificate path. Certificate files should be saved with a .pem or .crt extension. If not provided, a self-signed certificate is generated by Omnia. |
|
File path pointing to the certificate used to authorize the LDAP server. Certificate files should be saved with a .pem or .crt extension. |
|
The private key that matches the LDAP certificate. |
|
|
|
|
|
|
|
|
|
|
|
LDAP server is configured using organizations. They are necessary for user creation and group mapping.
|
|
LDAP server is configured using organizations. They are necessary for user creation and group mapping.
|
Parameter |
Details |
---|---|
|
|
|
|
|
|
Create a new user on OpenLDAP
Create an LDIF file (eg:
create_user.ldif
) on the auth server containing the following information:DN: The distinguished name that indicates where the user will be created.
objectClass: The object class specifies the mandatory and optional attributes that can be associated with an entry of that class. Here, the values are
inetOrgPerson
,posixAccount
, andshadowAccount
.UID: The username of the replication user.
sn: The surname of the intended user.
cn: The given name of the intended user.
Below is a sample file:
# User Creation
dn: uid=ldapuser,ou=People,dc=omnia,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: ldapuser
sn: ldapuser
loginShell:/bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/ldapuser
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
# Group Creation
dn: cn=ldapuser,ou=Group,dc=omnia,dc=test
objectClass: posixGroup
cn: ldapuser
gidNumber: 2000
memberUid: ldapuser
Note
Avoid whitespaces when using an LDIF file for user creation. Extra spaces in the input data may be encrypted by OpenLDAP and cause access failures.
Run the command
ldapadd -D <admin database username> -w <admin database password> -f create_user.ldif
to execute the LDIF file and create the account.To set up a password for this account, use the command
ldappasswd -D <admin database username> -w <admin database password> -S <user_dn>
. The value ofuser_dn
is the distinguished name that indicates where the user was created. (In this example,ldapuser,ou=People,dc=omnia,dc=test
)
Configuring login node security
Prerequisites
Run
local_repo.yml
to create an offline repository of all utilities used to secure the login node. For more information, click here.
Enter the following parameters in input/login_node_security_config.yml
.
Variable |
Details |
---|---|
|
The number of login failures that can take place before the account is locked out.
|
|
Period (in seconds) after which the number of failed login attempts is reset. Min value: 30; Max value: 60.
|
|
Period (in seconds) for which users are locked out. Min value: 5; Max value: 10.
|
|
User sessions that have been idle for a specific period can be ended automatically. Min value: 90; Max value: 180.
|
|
Email address used for sending alerts in case of authentication failure. When blank, authentication failure alerts are disabled. Currently, only one email ID is accepted. |
|
Access control list of users. Accepted formats are username@ip (root@1.2.3.4) or username (root). Multiple users can be separated using whitespaces. |
|
This variable decides whether users are to be allowed or denied access. Ensure that AllowUsers or DenyUsers entries on sshd configuration file are not commented.
|
|
This variable is used to disable services. Root access is mandatory.
|
|
List of services to be disabled (Comma-separated). Example: ‘telnet,lpd,bluetooth’
|
Installing LDAP Client
Caution
No users/groups will be created by Omnia.
FreeIPA installation on the NFS node
IPA services are used to provide account management and centralized authentication.
To customize your installation of FreeIPA, enter the following parameters in input/security_config.yml
.
Input Parameter |
Definition |
Variable value |
---|---|---|
kerberos_admin_password |
“admin” user password for the IPA server on RockyOS and RedHat. |
The password can be found in the file |
ipa_server_hostname |
The hostname of the IPA server |
The hostname can be found on the manager node. |
domain_name |
Domain name |
The domain name can be found in the file |
ipa_server_ipadress |
The IP address of the IPA server |
The IP address can be found on the IPA server on the manager node using the |
To set up IPA services for the NFS node in the target cluster, run the following command from the utils/cluster
folder on the control plane:
cd utils/cluster
ansible-playbook install_ipa_client.yml -i inventory -e kerberos_admin_password="" -e ipa_server_hostname="" -e domain_name="" -e ipa_server_ipadress=""
- Hostname requirements
The hostname should not contain the following characters: , (comma), . (period) or _ (underscore). However, the domain name is allowed commas and periods.
The hostname cannot start or end with a hyphen (-).
No upper case characters are allowed in the hostname.
The hostname cannot start with a number.
The hostname and the domain name (that is:
hostname00000x.domain.xxx
) cumulatively cannot exceed 64 characters. For example, if thenode_name
provided ininput/provision_config.yml
is ‘node’, and thedomain_name
provided is ‘omnia.test’, Omnia will set the hostname of a target cluster node to ‘node000001.omnia.test’. Omnia appends 6 digits to the hostname to individually name each target node.
Note
Use the format specified under NFS inventory in the Sample Files for inventory.
Running the security role
Run:
cd security
ansible-playbook security.yml -i inventory
The inventory should contain auth_server as per the inventory file in samplefiles. The inventory file is case-sensitive. Follow the format provided in the sample file link.
Do not include the IP of the control plane or local host in the auth_server group in the passed inventory.
To customize the security features on the login node, fill out the parameters in
input/login_node_security_config.yml
.If a subsequent run of
security.yml
fails, thesecurity_config.yml
file will be unencrypted.
Caution
No users will be created by Omnia.
If you have any feedback about Omnia documentation, please reach out at omnia.readme@dell.com.