Authenticating Active Directory users to an Azure CycleCloud HPC cluster

Overview:

Azure CycleCloud is an enterprise-friendly tool for orchestrating and managing High-Performance Computing (HPC) environments on Azure. With CycleCloud, users can provision infrastructure for HPC systems, deploy familiar HPC schedulers, and automatically scale the infrastructure to run jobs efficiently at any scale. 

There are two primary mechanisms for enabling login access to cluster nodes, through CycleCloud's built-in authentication, or by integrating nodes with a directory service such as Active Directory or LDAP. For enterprise production clusters, it is recommended that user access be managed through a directory service such as LDAP, Active Directory, or NIS.

In this blog, we are discussing how to integrate Active Directory into the CycleCloud cluster (Node Authentication) for User management, using a custom project called cyclecloud-adauth.

The cyclecloud-adauth project installs and configures Active directory-based user authentication for CycleCloud based HPC Clusters and it configure the home directory and password less ssh for AD users, right after they login.

Pre-Requisites

1. CycleCloud must be installed and running (CycleCloud 8.0 or later).
2. Windows Active Directory must be configured and running.
3. Active Directory should be reachable to all the nodes in the cluster and required ports should be opened for authentication.
4. Supported OS versions: CentOS 7 / RHEL7 / Alma Linux 8 / Ubuntu 18.04
5. Default user home directory for CycleCloud HPC nodes in /shared/home. This project configures home dirs. in the CycleCloud default user home location.
6. SELinux in Permissive mode

Configuring the Project

• Open a terminal session in CycleCloud server with the CycleCloud CLI enabled.
• Clone the cyclecloud-adauth repo

$ git clone https://github.com/vinil-v/cyclecloud-adauth.git

• Swtich to cyclecloud-adauth project directory and upload the project to cyclecloud locker.

$ cd cyclecloud-adauth/
$ cyclecloud project upload <locker name>

• Import the required template (Slurm/ OpenPBS or Gridenigne).

$ cyclecloud import_template -f templates/slurm_with_ad.txt

Configuring AD Login in CycleCloud Portal

The following parameters are required for successful configuration.

1. FQDN of AD server (e.g.: adserver.hpc.local)
2. IP address of AD server
3. Administrator account (User account should have rights to add the nodes to domain)
4. Administrator password

Create new cluster from the imported template (Slurm with AD in this case) and in the Active Directory section, add the above-mentioned parameter.

Start the cluster. Make sure that the Active directory is running and reachable to all the nodes.

Testing the user login

Trying to login with AD user user1.

login to scheduler with AD user user1 with AD user password. it will create home directory under /shared/home.

$ ssh user1@10.222.2.9
user1@10.222.2.9's password:
Creating home directory for user1.
[user1@centos7slurm1-scheduler ~]$ pwd
/shared/home/user1
[user1@centos7slurm1-scheduler ~]$ ls -la .ssh/
total 12
drwx------. 2 user1 domain users   61 Feb  1 05:28 .
drwx------. 5 user1 domain users  103 Feb  1 05:28 ..
-rw-r--r--. 1 user1 domain users  411 Feb  1 05:28 authorized_keys
-rw-------. 1 user1 domain users 1679 Feb  1 05:28 id_rsa
-rw-r--r--. 1 user1 domain users  411 Feb  1 05:28 id_rsa.pub
[user1@centos7slurm1-scheduler ~]$ sinfo
PARTITION AVAIL  TIMELIMIT  NODES  STATE NODELIST
hpc*         up   infinite     50  idle~ centos7slurm1-hpc-pg0-[1-50]
htc          up   infinite     50  idle~ centos7slurm1-htc-[1-50]
[user1@centos7slurm1-scheduler ~]$

NOTE: Check the UID or GID support for the job submission. some scheduler has configuration to support UID/GID range.

Reference:

Learn more about CycleCloud

More info on Azure High-Performance computing

Read more on Cyclecloud User Management