
Configure User Authentication

1.  General

To be able to use the PBS batch system, users must be known (same name and UID) on all the WNs; they must also be able to log in on the UIs to submit PBS or Grid jobs. The users must also be known on GridVM, for NFSv4. The user database therefore has to be shared across all nodes.

It's not desirable to have users login on the Computing Elements, the Worker Nodes, or the VM container, GridVM.

Since I don't want to get tangled in LDAP now, I've chosen NIS.

The NIS server for the cluster and grid is GridVM, which is configured with separate passwd and group files in /etc/yp/, distinct from gridvm's own /etc/passwd and /etc/group. This keeps administration cleaner and makes it easy to block user logins on gridvm itself, without touching PAM.

Please DO NOT make local users on UIs and CEs. If you really have to (but I'd like to know the reason), DO NOT make "RedHat-style" per-user groups; if you use adduser, always specify -g users.

1.1  PhysFS problem

Assuming we need to cross-mount NFS between PhysFS and the cluster, how do we keep UIDs in sync? I've seen that current (Jan 2009) NFSv4 on Linux does not do the proper "by name" mapping of users.

I can only think of making users on physfs first, and then copying them to gridvm:/etc/yp/passwd. Awkward.

1.2  Prevent user interactive logins on CEs and GridVM

On these nodes /etc/nsswitch.conf uses the compat mechanism (passwd: compat), and /etc/passwd ends with the catch-all entry +::::::/bin/nologin. That entry imports every NIS user but replaces the login shell with /bin/nologin; it has six colons because it carries the seven passwd fields, with only the shell filled in. Any named +user entry that should keep its real shell has to come before the catch-all, because compat takes the first matching entry.

If an admin needs to become a certain user on a host where the user has /bin/nologin as shell, for example for testing access rights, or PBS job submission, he can use su -s /bin/bash - USER
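To check what a host's compat configuration will actually hand out before rolling it to the CEs, here is an added example (not the page's own code) that emulates the glibc compat lookup against a local passwd file and a NIS passwd map copied to a file. It models plain entries, +user, -user and the + catch-all, with the nss_compat override rule (non-empty password, gecos, home and shell fields of a + line replace the NIS values; uid and gid never do); +@netgroup entries are left out. The fixture files, including the -vader exclusion, are constructed for the example; the +clusteradm entry mirrors the glite-ce listing in section 2.

```shell
#!/bin/sh
# Added example (not from the page): emulate the glibc "compat" passwd lookup
# used on the CEs, so +user / +::::::/bin/nologin entries can be checked
# without a live NIS server. Models plain entries, "+user", "-user" and the
# "+" catch-all; "+@netgroup" is not modeled (simplification).
#
# resolve_compat LOCAL_PASSWD NIS_PASSWD_MAP USER
#   prints the effective passwd entry; exit 0 found, 1 unknown, 2 excluded (-user)
resolve_compat() {
    awk -F: -v user="$3" -v nisfile="$2" '
    BEGIN { status = 1 }
    # Scan the NIS map (a file here) for one user; "" if absent.
    function nis_lookup(u,   line, f) {
        while ((getline line < nisfile) > 0) {
            split(line, f, ":")
            if (f[1] == u) { close(nisfile); return line }
        }
        close(nisfile)
        return ""
    }
    # Override rule as in glibc nss_compat: non-empty password, gecos, home
    # and shell fields of the "+" line win; uid (3) and gid (4) never do.
    function merge(nisline, plus,   n, p, i, out) {
        split(nisline, n, ":"); split(plus, p, ":")
        out = n[1]
        for (i = 2; i <= 7; i++)
            out = out ":" ((i != 3 && i != 4 && p[i] != "") ? p[i] : n[i])
        return out
    }
    {
        name = $1
        if (name == user)       { print; status = 0; exit }   # local entry wins
        if (name == ("-" user)) { status = 2; exit }          # explicitly excluded
        if (name == "+" || name == ("+" user)) {              # pull from NIS
            rec = nis_lookup(user)
            if (rec == "") { if (name == "+") exit; next }
            print merge(rec, $0); status = 0; exit
        }
    }
    END { exit status }' "$1"
}

# Constructed fixture (made up for this example): a CE-style /etc/passwd and a
# NIS passwd map, written under directory $1.
make_fixture() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
+clusteradm::::::
-vader::::::
+::::::/bin/nologin
EOF
    cat > "$1/nis.passwd" <<'EOF'
clusteradm:x:641:100::/nfs/home/clusteradm:/bin/bash
luke:x:702:100:Luke Skywalker (UJ Astrophysics):/nfs/home/luke:/bin/bash
vader:x:703:100::/nfs/home/vader:/bin/bash
EOF
}

tmp=$(mktemp -d)
make_fixture "$tmp"
for u in clusteradm luke vader; do
    resolve_compat "$tmp/passwd" "$tmp/nis.passwd" "$u" || echo "$u: status $?"
done
rm -rf "$tmp"
```

clusteradm comes back with its NIS shell, luke with /bin/nologin, and vader is refused outright; swap the order of the two + lines in the fixture and clusteradm loses his shell too, which is the ordering mistake this check is meant to catch.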

1.3  Prevent user interactive logins on Worker Nodes

A non-login shell like /bin/nologin does not work here: pbs_mom runs each job script through the user's login shell, so jobs would fail. The easiest alternative is to touch /etc/nologin on all WNs; pam_nologin then refuses every login except root's.
Because of this, REMEMBER not to disable root login via ssh on the WNs (PermitRootLogin without-password keeps it key-only, which is the safer form), or you will lock yourself out of the node!

2.  Create Admin user

Make an admin on gridvm, put it in wheel, give it full sudo, and set up key-based ssh within the cluster:

[root@gridvm ~]# useradd -g users -G wheel clusteradm
[root@gridvm ~]# id clusteradm
uid=641(clusteradm) gid=100(users) groups=100(users),10(wheel)
[root@gridvm ~]# apg -MSNL   # generate a random password
[root@gridvm ~]# passwd clusteradm
[root@gridvm ~]# visudo
clusteradm	ALL=(ALL) ALL
[root@gridvm ~]# ssh clusteradm@gridvm
[clusteradm@gridvm ~]$ ssh gridvm # force creation of .ssh
[clusteradm@gridvm ~]$ ssh-keygen -t dsa
[clusteradm@gridvm ~]$ cat .ssh/id_dsa.pub >> .ssh/authorized_keys

(DSA keys are fixed at 1024 bits and current OpenSSH releases refuse them by default; on anything newer than these hosts use RSA or Ed25519 keys instead.)

On glite-ce the compat entries then look like this. The named entry imports only clusteradm from NIS, with the shell NIS provides; the catch-all after it gives everybody else /bin/nologin. The order matters, since compat stops at the first matching entry:

glite-ce ~]$ cat /etc/passwd
...
+clusteradm::::::
+::::::/bin/nologin

3.  Create UI and PBS user

Make a normal user, with interactive access to the UIs and access to PBS:

  • Check userids on physfs ?
  • Add the user to /etc/yp/passwd and /etc/yp/shadow
  • make the home directory
  • set the password
  • configure for ssh
[root@gridvm yp]# grep luke passwd shadow
passwd:luke:x:702:100:Luke Skywalker (UJ Astrophysics):/nfs/home/luke:/bin/bash
shadow:luke::14266:0:99999:7:::
[root@gridvm yp]# mkdir /nfs/home/luke
[root@gridvm yp]# rsync -ar /etc/skel/ /nfs/home/luke/
[root@gridvm yp]# chmod go-rx /nfs/home/luke   # after the rsync: -a copies skel's 755 mode onto the directory and would undo an earlier chmod
[root@gridvm yp]# chown -R luke:users /nfs/home/luke/
[root@gridvm yp]# ls -la /nfs/home/luke/
total 36
drwx------    4 luke users 4096 Jan 22 13:13 .
drwxr-xr-x  112 root  root  4096 Jan 22 13:13 ..
-rw-r--r--    1 luke users   24 Aug  2 14:27 .bash_logout
-rw-r--r--    1 luke users  191 Aug  2 14:27 .bash_profile
-rw-r--r--    1 luke users  124 Aug  2 14:27 .bashrc
-rw-r--r--    1 luke users  383 Aug 14  2006 .emacs
-rw-r--r--    1 luke users  120 Oct 17  2005 .gtkrc
drwxr-xr-x    3 luke users 4096 Aug 12  2002 .kde
drwxr-xr-x    2 luke users 4096 Nov 24 19:27 .xemacs
[root@gridvm yp]# pwck passwd shadow
[root@gridvm yp]# make
[root@gridvm yp]# yppasswd luke
Changing NIS account information for luke on gridvm.grid.uj.ac.za.
Please enter root password:
Changing NIS password for luke on gridvm.grid.uj.ac.za.
Please enter new password:
Please retype new password:

The NIS password has been changed on gridvm.grid.uj.ac.za.
[root@gridvm yp]# sudo -u luke ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/nfs/home/luke/.ssh/id_dsa): 
Created directory '/nfs/home/luke/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /nfs/home/luke/.ssh/id_dsa.
Your public key has been saved in /nfs/home/luke/.ssh/id_dsa.pub.
The key fingerprint is:
3e:0c:0d:83:1a:e2:17:c0:9b:08:90:18:b2:1b:84:76 luke@gridvm.grid.uj.ac.za
[root@gridvm yp]# sudo -u luke cp /nfs/home/luke/.ssh/id_dsa.pub /nfs/home/luke/.ssh/authorized_keys
[root@gridvm yp]# cat /nfs/home/luke/.ssh/config 
Host *
Protocol 2,1

Two things to watch in the transcript above. The shadow line is added with an empty password field, so between `make` and `yppasswd` the account has no password at all, and any host whose PAM stack allows empty passwords (the RHEL default system-auth uses nullok) will let the user in without one; put a locked placeholder (`!`) in that field and let yppasswd replace it. And `Protocol 2,1` lets the client fall back to SSH protocol 1, which is cryptographically broken (and removed from OpenSSH 7.6); unless some host still only speaks protocol 1, use `Protocol 2`.

This is (mostly) automated now - see User Accounts
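The steps above, as an added example that is not the page's own script (nor the automation referred to by "User Accounts"): it stages a NIS user into a copy of /etc/yp and a home base directory, with the ordering and defaults fixed, so it can be dry-run anywhere; on gridvm you would point it at /etc/yp and /nfs/home, then run pwck, make and yppasswd as in the transcript. The uid range (from 700 upward), the fixed primary group 100 (users), the /nfs/home/NAME home and the locked "!" placeholder are assumptions, as is the two-account fixture it runs against.

```shell
#!/bin/sh
# Added example, not the page's own procedure: stage a NIS user the way
# section 3 does by hand, with the ordering and defaults fixed. Writes to a
# staging copy of /etc/yp (YPDIR) and a home base (HOMEBASE).
# Assumptions (not stated on the page): uids are handed out from 700 upward,
# primary group is always 100 (users), home is /nfs/home/NAME, and the shadow
# password starts locked ("!") until yppasswd sets a real hash.

YP_MIN_UID=${YP_MIN_UID:-700}

# next_uid PASSWDFILE: lowest uid >= YP_MIN_UID not yet used in the file
next_uid() {
    awk -F: -v min="$YP_MIN_UID" '
        $3 >= min { used[$3] = 1 }
        END { u = min; while (u in used) u++; print u }' "$1"
}

# yp_adduser YPDIR HOMEBASE NAME GECOS: appends passwd/shadow lines, builds
# the home directory and prints the new passwd line. Fails if NAME exists.
yp_adduser() {
    ypdir=$1; homebase=$2; name=$3; gecos=$4
    if grep -q "^$name:" "$ypdir/passwd"; then
        echo "yp_adduser: $name already exists in $ypdir/passwd" >&2
        return 1
    fi
    uid=$(next_uid "$ypdir/passwd")
    today=$(( $(date +%s) / 86400 ))          # shadow "last changed" day number
    printf '%s:x:%s:100:%s:/nfs/home/%s:/bin/bash\n' \
        "$name" "$uid" "$gecos" "$name" >> "$ypdir/passwd"
    # "!" locks the account. An empty field, as in the transcript, means
    # "no password": hosts whose PAM stack allows nullok would let the user
    # in without one between `make` and `yppasswd`.
    printf '%s:!:%s:0:99999:7:::\n' "$name" "$today" >> "$ypdir/shadow"
    # Populate first, restrict afterwards: cp -a (like rsync -a) copies the
    # skeleton's 755 mode onto the directory and would undo an earlier chmod.
    mkdir -p "$homebase/$name"
    [ -d /etc/skel ] && cp -a /etc/skel/. "$homebase/$name/"
    chmod 700 "$homebase/$name"
    [ "$(id -u)" -eq 0 ] && chown -R "$name:users" "$homebase/$name"
    grep "^$name:" "$ypdir/passwd"
}

# Constructed fixture (made up for this example): a small /etc/yp with two
# existing accounts under $1/yp, and an empty home base under $1/home.
make_yp_fixture() {
    mkdir -p "$1/yp" "$1/home"
    printf 'clusteradm:x:641:100::/nfs/home/clusteradm:/bin/bash\nleia:x:700:100:Leia Organa:/nfs/home/leia:/bin/bash\n' > "$1/yp/passwd"
    printf 'clusteradm:!:14266:0:99999:7:::\nleia:!:14266:0:99999:7:::\n' > "$1/yp/shadow"
}

tmp=$(mktemp -d)
make_yp_fixture "$tmp"
yp_adduser "$tmp/yp" "$tmp/home" luke "Luke Skywalker (UJ Astrophysics)"
# -> luke:x:701:100:Luke Skywalker (UJ Astrophysics):/nfs/home/luke:/bin/bash
ls -ld "$tmp/home/luke"
rm -rf "$tmp"
```

Run as an ordinary user it skips only the chown; everything else, including the 700 mode on the home directory and the locked shadow entry, can be inspected in the staging directory before anything touches the real NIS maps.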

4.  Grid VO users

On glite-ce, the yaim configuration creates the VO pool accounts with adduser, i.e. as local users with per-user groups, which is exactly what this setup tries to avoid. I've made a script (in gridvm:/etc/yp) that checks which users from one passwd file are missing in another, so that we can copy these users across. But shouldn't we delete them from glite-ui?
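An added example in the spirit of that script (not the author's own, which is not reproduced on the page), covering both the VO-account question here and the PhysFS UID problem in 1.1: besides users present in one passwd file and absent from the other, it flags the two cases that make NFS file ownership go wrong, a name whose uid differs between the files and a uid that belongs to different names on each side. The cutoff of uid 500 for "real" users and the two sample passwd files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not the author's /etc/yp script): compare two passwd files.
# For accounts with uid >= MIN (default 500, an assumption) it reports
#   MISSING      name uid        in A but not in B
#   UID-MISMATCH name uidA uidB  same name, different uid (NFS ownership breaks)
#   UID-CLASH    uid nameA nameB same uid owned by different names on each side
# passwd_sync_report PASSWD_A PASSWD_B [MIN]
passwd_sync_report() {
    LC_ALL=C awk -F: -v min="${3:-500}" '
    # First file: remember name->uid and uid->name (keyed on FILENAME so an
    # empty first file does not silently turn the second file into "A").
    FILENAME == ARGV[1] { if ($3 >= min) { a_uid[$1] = $3; a_name[$3] = $1 }; next }
    $3 >= min {
        b_seen[$1] = 1
        if ($1 in a_uid) {
            if (a_uid[$1] != $3) printf "UID-MISMATCH %s %s %s\n", $1, a_uid[$1], $3
        } else if ($3 in a_name) {
            printf "UID-CLASH %s %s %s\n", $3, a_name[$3], $1
        }
    }
    END { for (n in a_uid) if (!(n in b_seen)) printf "MISSING %s %s\n", n, a_uid[n] }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed fixture (made up for this example): gridvm's NIS passwd and a
# physfs passwd that drifted, written under directory $1.
make_sync_fixture() {
    printf 'root:x:0:0:root:/root:/bin/bash\nluke:x:702:100:Luke:/nfs/home/luke:/bin/bash\nhan:x:703:100:Han:/nfs/home/han:/bin/bash\nleia:x:704:100:Leia:/nfs/home/leia:/bin/bash\n' > "$1/gridvm.passwd"
    printf 'root:x:0:0:root:/root:/bin/bash\nluke:x:702:100:Luke:/home/luke:/bin/bash\nhan:x:800:100:Han:/home/han:/bin/bash\nchewie:x:703:100:Chewie:/home/chewie:/bin/bash\n' > "$1/physfs.passwd"
}

tmp=$(mktemp -d)
make_sync_fixture "$tmp"
passwd_sync_report "$tmp/gridvm.passwd" "$tmp/physfs.passwd"
# -> MISSING leia 704
#    UID-CLASH 703 han chewie
#    UID-MISMATCH han 703 800
rm -rf "$tmp"
```

A MISSING line is the copy-across case from the text; a UID-MISMATCH or UID-CLASH line means copying the passwd entry is not enough, because files already on the cross-mounted NFS share carry the other side's numeric uid and would change owner.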

Page last modified on April 11, 2009, at 01:56 PM