Azure CycleCloud is an enterprise-friendly tool for orchestrating and managing High-Performance Computing (HPC) environments on Azure. With CycleCloud, users can provision infrastructure for HPC systems, deploy familiar HPC schedulers, and automatically scale the infrastructure to run jobs efficiently at any scale. There are two primary mechanisms for enabling login access to cluster nodes, through CycleCloud's built-in authentication, or by integrating nodes with a directory service such as Active Directory or LDAP. For enterprise production clusters, it is recommended that user access be managed through a directory service such as LDAP, Active Directory, or NIS.
In this blog, we are discussing how to integrate LDAP into the cyclecloud cluster (Node Authentication) for User management using cloud-init and this will give you an idea of how to integrate third-party user management systems like NIS and LDAP in cyclecloud clusters for Node authentication.
CycleCloud server ( I am using CycleCloud Version: 8.2.2-1902)
Functional LDAP server (I have an OpenLDAP-servers configured for User Management)
Compute OS - CentOS 7
The first requirement is to have a functional LDAP server. I have an OpenLDAP-Server running and we are going to demonstrate how to enable login access to cluster nodes using an LDAP user named "vinil".
The built-in user management system is enabled by default on every CycleCloud installation and is an installation-wide setting -- all clusters managed by the CycleCloud server will have this enabled. To disable it, navigate to the CycleCloud section of the Settings page. The pop-up box contains an option for Node Authentication and selecting Disabled from the drop-down will ensure that no local user accounts aside from the VM agent user will be created.
Node authentication select "Disabled"
Create the cluster as usual with the preferred scheduler, VM SKUs etc. And in the cloud-init section add the script to integrate the Nodes with LDAP (LDAP server and cluster as in the same subnet).
Here I am using a shell script to configure the LDAP client on the Master and compute nodes.
#Update the hostname in /etc/hosts for name resolution. Update the correct IP address of your Ldap server. This is for demo purpose only
echo "10.222.1.17 auth-server.2bdikvxkkxjeffxswkrwrjvvra.bx.internal.cloudapp.net auth-server" >> /etc/hosts
#Install the required client packages
yum -y install openldap-clients nss-pam-ldapd
# Configuring Ldap client
authconfig --enableldap \
LDAP user's home directory is set to /share/home location to make sure that we have the home directories shared across all the cluster nodes. All the same cloud-init script for all the node arrays (HPC, HTC, Login , schedulers etc)
Let's test the authentication using an LDAP user. We could see the built-in user management is disabled in the CycleCloud portal for the cluster.
Login to the scheduler using the LDAP user "vinil" and see if you are able to login. We are successfully able to login to the cluster as an LDAP user.
[azureuser@cc82b ~]$ ssh email@example.com
Last login: Tue Aug 2 04:45:42 2022
[vinil@demo-scheduler ~]$ id
uid=12001(vinil) gid=12001(Vinil) groups=12001(Vinil) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[vinil@demo-scheduler ~]$ getent passwd vinil
NOTE: By default, password authentication is disabled. if you are using password-based authentication make sure that "PasswordAuthentication yes" is set in /etc/ssh/sshd_config file. Additionally set the proper home directory, permissions and ssh-keys are present.
Similarly, for CycleCloud portal access, we could integrate LDAP or AD in Settings --> Authentication --> configure --> LDAP. This will enable the LDAP user to login into the CycleCloud portal using LDAP credentials.
Third-party user management systems can be easily integrated into CycleCloud for portal access and Node authentication. This guide gives you an idea about how LDAP can be integrated for node authentication and portal access.