Centralized authentication on the cluster
The security role sets up FreeIPA or an LDAP client so that users authenticate to the HPC cluster against a central directory instead of local accounts on each node.
Note: Nodes provisioned by the Omnia provision tool do not need a Red Hat subscription to run security.yml on RHEL target nodes. For RHEL target nodes that were not provisioned by Omnia, every target node needs an active Red Hat subscription before security.yml is run.
Configuring FreeIPA/LDAP security
Enter the following parameters in input/security_config.yml.
| Parameter | Details |
|---|---|
| freeipa_required | Boolean indicating whether FreeIPA is required. |
| | Sets the intended realm name. |
| | Password for Directory Manager access to the directory server created for IPA, used for system management tasks. Required length: 8 characters. The password must not contain -, ' or ". |
| kerberos_admin_password | Password of the "admin" user on the IPA server on RockyOS. |
| ldap_required | Boolean indicating whether the LDAP client is required. |
| domain_name | Sets the intended domain name. |
| | IP address of the LDAP server. Required when ldap_required is true. |
| | LDAP connection type. For a TLS connection, provide a valid certificate path. For an SSL connection, ensure port 636 is open on the LDAP server. |
| | Path to the LDAP server certificate. The certificate must exist at the path given and must have a .pem or .crt extension. Mandatory when the connection type is TLS. |
| | Home directory path used for LDAP users. If user home directories are on an NFS mount, provide the mount path of the LDAP users' home directories. |
| | If the LDAP server is configured with a bind DN, provide the bind DN user here. If it is left empty while the server requires a bind, LDAP authentication fails. Omnia does not validate this input; make sure it is correct. |
| | If the LDAP server is configured with a bind DN, provide the bind DN password here. If it is left empty while the server requires a bind, LDAP authentication fails. Omnia does not validate this input; make sure it is correct. |
| enable_secure_login_node | Boolean deciding whether the security features are enabled on the login node. |
Note: ldap_required and freeipa_required are mutually exclusive. When ldap_required is true, freeipa_required must be false, and when freeipa_required is true, ldap_required must be false.
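Several of the rules above (the mutual exclusion, the directory manager password rules, the TLS certificate path and the bind DN/password pair) are not checked by Omnia, so a failed run is the first sign of a bad value. The following preflight script is an added example and is not part of Omnia; it takes the values as function arguments rather than reading security_config.yml, because the YAML key names of the unnamed rows are not assumed here. The DN pattern is a loose sanity check of my own, not a full RFC 4514 parser.

```python
import os
import re
from typing import Callable, List, Optional

# Constraints stated in the table above for the directory manager password.
DM_MIN_LENGTH = 8
DM_FORBIDDEN_CHARS = set("-'\"")

# Loose shape of an LDAP DN such as cn=admin,dc=example,dc=com (sanity check
# only; it does not handle escaped commas inside attribute values).
DN_RE = re.compile(r"[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*")


def check_auth_mode(ldap_required: bool, freeipa_required: bool) -> List[str]:
    """ldap_required and freeipa_required are mutually exclusive."""
    if ldap_required and freeipa_required:
        return ["ldap_required and freeipa_required cannot both be true"]
    return []


def check_directory_manager_password(password: str) -> List[str]:
    """Length and forbidden-character rules for the directory manager password."""
    errors = []
    if len(password) < DM_MIN_LENGTH:
        errors.append(f"directory manager password is shorter than {DM_MIN_LENGTH} characters")
    bad = sorted(DM_FORBIDDEN_CHARS & set(password))
    if bad:
        errors.append("directory manager password contains forbidden characters: " + " ".join(bad))
    return errors


def check_ldap_connection(connection_type: str, cert_path: Optional[str],
                          exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """TLS needs an existing .pem/.crt certificate; SSL (port 636) needs no path here.

    `exists` is injectable so the check can run without touching the filesystem.
    """
    ct = connection_type.strip().upper()
    if ct not in ("TLS", "SSL"):
        return [f"unknown LDAP connection type {connection_type!r}; expected TLS or SSL"]
    if ct == "SSL":
        return []  # reachability of port 636 is a network check, not a file check
    if not cert_path:
        return ["TLS connection type requires a server certificate path"]
    if not cert_path.lower().endswith((".pem", ".crt")):
        return [f"certificate {cert_path!r} must have a .pem or .crt extension"]
    if not exists(cert_path):
        return [f"certificate {cert_path!r} does not exist at the given path"]
    return []


def check_bind_credentials(bind_dn: Optional[str], bind_password: Optional[str]) -> List[str]:
    """Bind DN and bind password must be supplied together (Omnia does not check them)."""
    if bool(bind_dn) != bool(bind_password):
        return ["LDAP bind DN and bind password must both be set or both be empty"]
    if bind_dn and not DN_RE.fullmatch(bind_dn):
        return [f"bind DN {bind_dn!r} does not look like an LDAP DN (e.g. cn=admin,dc=example,dc=com)"]
    return []


def preflight(ldap_required: bool, freeipa_required: bool, directory_manager_password: str,
              connection_type: str = "SSL", cert_path: Optional[str] = None,
              bind_dn: Optional[str] = None, bind_password: Optional[str] = None,
              exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Collect every violation; an empty list means the inputs satisfy the documented rules."""
    errors = check_auth_mode(ldap_required, freeipa_required)
    if freeipa_required:
        errors += check_directory_manager_password(directory_manager_password)
    if ldap_required:
        errors += check_ldap_connection(connection_type, cert_path, exists)
        errors += check_bind_credentials(bind_dn, bind_password)
    return errors


if __name__ == "__main__":
    # Constructed inputs for demonstration, not values from any real cluster.
    for problem in preflight(ldap_required=True, freeipa_required=True,
                             directory_manager_password="bad-pw",
                             connection_type="TLS", cert_path="/etc/pki/ca.txt",
                             bind_dn="cn=admin,dc=example,dc=com", bind_password=""):
        print("error:", problem)
```

Run it on the control plane before security.yml; every message printed corresponds to a value that would otherwise only fail inside the play, and the bind checks cover exactly the inputs the table says Omnia does not validate.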
Configuring login node security
Enter the following parameters in input/login_node_security_config.yml.
| Variable | Details |
|---|---|
| | Number of login failures allowed before the account is locked out. |
| | Period (in seconds) after which the count of failed login attempts is reset. Min value: 30; Max value: 60. |
| | Period (in seconds) for which a locked-out user stays locked out. Min value: 5; Max value: 10. |
| | Idle period (in seconds) after which a user session is ended automatically. Min value: 90; Max value: 180. |
| | Email address to which alerts are sent on authentication failure. When blank, authentication failure alerts are disabled. Only one email address is accepted. |
| | Access control list of users. Accepted formats are username@ip (for example root@1.2.3.4) or username (for example root). Separate multiple users with whitespace. |
| | Decides whether the listed users are allowed or denied access. Ensure that the AllowUsers or DenyUsers entries in the sshd configuration file are not commented out. |
| | Decides whether services are to be disabled. Root access is mandatory. |
| | Comma-separated list of services to be disabled. Example: 'telnet,lpd,bluetooth' |
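The login node settings above carry three kinds of constraints a practitioner wants checked before the play runs: the numeric ranges, the shape of the user ACL, and whether the AllowUsers/DenyUsers line that the chosen mode relies on is actually active in sshd_config. The script below is an added example, not Omnia code; the range labels are descriptive names chosen here, not the variable names in login_node_security_config.yml, and the sshd_config excerpt is constructed for the demonstration. The note on directive order comes from sshd_config(5): DenyUsers is evaluated before AllowUsers, so a user listed in both is denied.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Allowed ranges in seconds from the table above. Keys are descriptive labels
# chosen for this example, not the variable names in the YAML file.
RANGES = {
    "failure reset interval": (30, 60),
    "lockout duration": (5, 10),
    "idle session timeout": (90, 180),
}

# Conservative POSIX-style username: lower-case, digits, underscore, hyphen.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def check_ranges(values: Dict[str, int]) -> List[str]:
    """Report every timing value that is missing or outside its documented range."""
    errors = []
    for name, (low, high) in RANGES.items():
        value = values.get(name)
        if value is None:
            errors.append(f"{name} is not set")
        elif not low <= value <= high:
            errors.append(f"{name}={value} outside allowed range {low}-{high}")
    return errors


def parse_acl(acl: str) -> List[Tuple[str, Optional[str]]]:
    """Split the whitespace-separated ACL into (user, ip) pairs; ip is None for bare usernames."""
    entries = []
    for token in acl.split():
        user, at, host = token.partition("@")
        if not USERNAME_RE.match(user):
            raise ValueError(f"malformed username in ACL entry {token!r}")
        if at:
            ipaddress.ip_address(host)  # raises ValueError for anything that is not an IP
        entries.append((user, host if at else None))
    return entries


def active_user_directives(sshd_config: str) -> Dict[str, List[str]]:
    """Collect patterns from AllowUsers/DenyUsers lines that are not commented out."""
    found: Dict[str, List[str]] = {"AllowUsers": [], "DenyUsers": []}
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] in found:
            found[parts[0]].extend(parts[1:])
    return found


def check_allow_deny(mode: str, sshd_config: str) -> List[str]:
    """Verify the directive matching the chosen mode is active, and warn if both are present."""
    directive = {"allow": "AllowUsers", "deny": "DenyUsers"}.get(mode.lower())
    if directive is None:
        return [f"mode must be 'allow' or 'deny', got {mode!r}"]
    found = active_user_directives(sshd_config)
    errors = []
    if not found[directive]:
        errors.append(f"{directive} is absent or commented out in sshd_config")
    if found["AllowUsers"] and found["DenyUsers"]:
        # sshd evaluates DenyUsers before AllowUsers; a user matched by both is denied.
        errors.append("both AllowUsers and DenyUsers are active; DenyUsers wins for any user listed in both")
    return errors


# Constructed sshd_config excerpt for the demonstration (not taken from a real host).
SAMPLE_SSHD_CONFIG = """\
Port 22
UsePAM yes
#AllowUsers olduser
AllowUsers root@1.2.3.4 hpcadmin
"""

if __name__ == "__main__":
    print(parse_acl("root@1.2.3.4 hpcadmin"))
    print(check_ranges({"failure reset interval": 45, "lockout duration": 10, "idle session timeout": 200}))
    print(check_allow_deny("allow", SAMPLE_SSHD_CONFIG))
    print(check_allow_deny("deny", SAMPLE_SSHD_CONFIG))
```

To check a real login node, read /etc/ssh/sshd_config into check_allow_deny in place of SAMPLE_SSHD_CONFIG; the commented-out AllowUsers line in the sample is exactly the case the table warns about, and it is ignored by the parser just as sshd ignores it.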
Installing LDAP Client
The manager and compute nodes get the LDAP client installed and configured when ldap_required is set to true. The LDAP client is not installed on the login node.
Caution: Omnia does not create any users or groups.
FreeIPA installation on the NFS node
IPA services provide account management and centralized authentication. To customize the FreeIPA installation, enter the following parameters in input/security_config.yml.
| Input Parameter | Definition | Variable value |
|---|---|---|
| kerberos_admin_password | Password of the "admin" user on the IPA server on RockyOS and RedHat. | The password can be found in the file |
| ipa_server_hostname | The hostname of the IPA server | The hostname can be found on the manager node. |
| domain_name | Domain name | The domain name can be found in the file |
| ipa_server_ipadress | The IP address of the IPA server | The IP address can be found on the IPA server on the manager node using the |
To set up IPA services for the NFS node in the target cluster, run the following from the utils/cluster folder on the control plane, filling in each -e value with the corresponding entry from the table above:
cd utils/cluster
ansible-playbook install_ipa_client.yml -i inventory -e kerberos_admin_password="" -e ipa_server_hostname="" -e domain_name="" -e ipa_server_ipadress=""
Passing kerberos_admin_password as a -e argument leaves it in the shell history and makes it visible in the process list of the control plane while the play runs. Clear the history entry afterwards, or supply the variables from a file (ansible-playbook accepts -e @vars.yml) with permissions restricted to the user running the play.
Hostname requirements
- The hostname must not contain , (comma), . (period) or _ (underscore). The domain name may contain periods.
- The hostname cannot start or end with a hyphen (-).
- No upper-case characters are allowed in the hostname.
- The hostname cannot start with a number.
- The hostname and the domain name together (that is, hostname00000x.domain.xxx) cannot exceed 64 characters. For example, if the node_name in input/provision_config.yml is 'node' and the domain_name is 'omnia.test', Omnia sets the hostname of a target cluster node to 'node00001.omnia.test'. Omnia appends a zero-padded sequence number to node_name to name each target node individually, so the limit applies to the generated name, not to node_name alone.
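Because the 64-character limit applies to the generated name rather than to node_name as typed, it is easy to violate with a long domain. The checker below is an added example and not Omnia code: it builds the FQDN the way the node00001.omnia.test example above does (a 5-digit zero-padded index, adjustable through index_width) and reports every rule in the list that a node_name/domain_name pair breaks.

```python
from typing import List

MAX_FQDN_LENGTH = 64
FORBIDDEN_HOSTNAME_CHARS = {",", ".", "_"}


def expected_fqdn(node_name: str, domain_name: str, index: int, index_width: int = 5) -> str:
    """Build the FQDN Omnia would assign; the 5-digit zero-padded index follows the node00001 example."""
    return f"{node_name}{index:0{index_width}d}.{domain_name}"


def hostname_errors(node_name: str, domain_name: str, index_width: int = 5) -> List[str]:
    """Check node_name against the hostname rules listed above, including the 64-character FQDN limit."""
    if not node_name:
        return ["node_name is empty"]
    errors = []
    bad = sorted(FORBIDDEN_HOSTNAME_CHARS & set(node_name))
    if bad:
        errors.append("hostname contains forbidden character(s): " + " ".join(bad))
    if node_name.startswith("-") or node_name.endswith("-"):
        errors.append("hostname cannot start or end with a hyphen")
    if node_name != node_name.lower():
        errors.append("hostname must not contain upper-case characters")
    if node_name[0].isdigit():
        errors.append("hostname cannot start with a number")
    # Zero padding makes every generated FQDN the same length, so index 1 is representative.
    fqdn = expected_fqdn(node_name, domain_name, 1, index_width)
    if len(fqdn) > MAX_FQDN_LENGTH:
        errors.append(f"FQDN {fqdn!r} is {len(fqdn)} characters; limit is {MAX_FQDN_LENGTH}")
    return errors


if __name__ == "__main__":
    # Constructed inputs: the documented example plus a few deliberately bad names.
    for name in ("node", "Node_1", "-node-", "1node", "a" * 60):
        print(name, "->", hostname_errors(name, "omnia.test") or "ok")
```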
Note: Use the format specified under NFS inventory in the Sample Files for the inventory.
Running the security role
Run:
cd security
ansible-playbook security.yml -i inventory
The inventory must contain the compute, manager and login groups as laid out in the inventory file in the sample files. The inventory file is case-sensitive; follow the casing used in the sample file.
To enable security features on the login node, set enable_secure_login_node in input/security_config.yml to true. To customize the security features on the login node, fill out the parameters in input/login_node_security_config.yml.
If a subsequent run of security.yml fails, the security_config.yml file is left unencrypted. Because that file holds the directory manager password, the Kerberos admin password and the LDAP bind credentials, check that it has been encrypted again, or at least that its permissions are restricted, before leaving it on the control plane.
Caution: Omnia does not create any users or groups.
If you have any feedback about Omnia documentation, please reach out at omnia.readme@dell.com.