Can I add new users and group into cfncluster? #170

Closed
guorongxu opened this issue Feb 21, 2017 · 11 comments
@guorongxu

Hello,

Can I create some users and group as the default user “ec2-user” or “ubuntu”?

I tried to manually add some users and group after the cluster was created, but I found the new users cannot submit jobs to the queue because of no preinstalled gridengine_client. I am wondering how to add the new users with the same privilege as the default user “ec2-user” or “ubuntu”.

Thanks,
Guorong

@mohanasudhan mohanasudhan added this to the Unplanned milestone Oct 19, 2017
@jmenbo

jmenbo commented Feb 8, 2018

@guorongxu new users cannot submit jobs to the queue because their accounts have to also exist on the compute nodes. The way I was able to implement this was by:

1. Create users on the Master node manually and save the usernames and UIDs to a file under

```
/home/ec2-user/userlistfile
```

The format of the file should be:

```
username1,user1_uid
username2,user2_uid
```

2. Add a post-install script to your cluster with the following content:

```bash
#!/bin/bash
# Assuming that if the exports file is "empty" it is a compute node and NOT the master node.
# We only want to do this for compute nodes.
if [ ! -s /etc/exports ]; then
    # IFS is set for read only, so the rest of the script keeps the default field separator
    while IFS="," read -r USERNAME USERID; do
        # -M do not create home since Master node is exporting /homes via NFS
        # -u to set UID to match what is set on the Master node
        useradd -M -u "$USERID" "$USERNAME"
    done < "/home/ec2-user/userlistfile"
fi
```

This will add users to compute nodes as they come up, giving them access to submit jobs.

@johanneshk

I tried the same on Ubuntu, but /etc/exports doesn't seem to be empty here. So instead I check if the given user already exists, so that this script can also be run on the master node without side effects:

```bash
#!/bin/bash

# IFS is set for read only, so the rest of the script keeps the default field separator
while IFS="," read -r USERNAME USERID; do
    # Only create the account if it does not exist yet
    if ! id -u "$USERNAME" >/dev/null 2>&1; then
        # -M do not create home since Master node is exporting /homes via NFS
        # -u to set UID to match what is set on the Master node
        useradd -M -u "$USERID" "$USERNAME"
    fi
done < "/home/ubuntu/userlistfile"
```
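
Added example, not part of the thread or the project's code: the post-install script runs as root and feeds `userlistfile` straight to `useradd`, so this POSIX shell version validates the file and each entry first and keeps the existence check from the comment above. The UID bounds, name rules, file-permission check and the `USERADD_CMD` override are assumptions, not ParallelCluster settings.

```shell
#!/bin/sh
# Added example, not code from the thread. UID bounds, name rules and the
# file-permission check are assumed site policy.
MIN_UID=1000                           # assumption: first non-system UID
MAX_UID=60000                          # assumption: top of the regular range
USERADD_CMD="${USERADD_CMD:-useradd}"  # hypothetical override for dry runs

# valid_entry NAME UID: succeed only if the pair is safe to pass to useradd
valid_entry() {
    case "$1" in
        [a-z_]*) ;;                    # starts with a letter or underscore
        *) return 1 ;;                 # rejects empty and option-like names
    esac
    case "$1" in
        *[!a-z0-9_-]*) return 1 ;;     # no spaces, slashes or colons
    esac
    [ "${#1}" -le 32 ] || return 1
    case "$2" in
        ""|0*|*[!0-9]*) return 1 ;;    # digits only; extra CSV fields and CR fail here
    esac
    [ "${#2}" -le 9 ] || return 1      # keep the numeric test within range
    [ "$2" -ge "$MIN_UID" ] && [ "$2" -le "$MAX_UID" ]
}

# safe_listfile FILE: a regular file, not a symlink, not group/other-writable
safe_listfile() {
    [ -f "$1" ] && [ ! -L "$1" ] &&
        [ -z "$(find "$1" \( -perm -020 -o -perm -002 \))" ]
}

# sync_users FILE: create each valid account that does not exist yet.
# Exit status: number of rejected lines, or 255 if FILE is not trusted.
sync_users() {
    safe_listfile "$1" || { echo "refusing to read $1" >&2; return 255; }
    rejected=0
    while IFS="," read -r name uid || [ -n "$name" ]; do
        [ -z "$name$uid" ] && continue              # blank line
        if ! valid_entry "$name" "$uid"; then
            printf 'rejected entry: %s,%s\n' "$name" "$uid" >&2
            rejected=$((rejected + 1))
            continue
        fi
        id -u "$name" >/dev/null 2>&1 && continue   # account already present
        $USERADD_CMD -M -u "$uid" "$name"
    done < "$1"
    return "$rejected"
}

# Usage in a post-install script: sync_users /home/ec2-user/userlistfile
```

A non-zero exit status from `sync_users` means at least one line was refused, which a post-install script can log or treat as a failed node bootstrap.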

@sean-smith
Contributor

I created a wiki page to sum the approach up. Thanks @johanneshk and @jmenbo for the suggestions!

https://github.com/aws/aws-parallelcluster/wiki/MultiUser-Support

@Caian

Caian commented May 13, 2019

If this is still relevant to anyone,

I solved the problem by deploying an OpenLDAP docker container on the head node and configuring the head node itself and the compute nodes to use it.

It is also possible to scale the solution by deploying the LDAP server to an external machine and making it accessible from several pclusters.

@sean-smith
Contributor

@Caian Super cool, mind sharing how you've done this?

@jtrmal

jtrmal commented Jun 4, 2019

@Caian yes, I would also be interested.

@tgjohnst

tgjohnst commented Jun 7, 2019

@Caian that sounds like a great solution, I would also love to know more details about how you configured it.

@mukulagrawal78

Dear All,
Requesting clarification on this old question.
It seems like users added in this way cannot use ssh with gssapi authentication that is configured for the default user such as "ubuntu".
Two questions:
1/ How are these users able to submit jobs to compute nodes when they can't really ssh into compute nodes? Does the scheduler use some default account to ssh and then submit the job as the other user?
2/ Any tips on how to enable gssapi authentication for all added users?

@lukeseawalker
Contributor

Hi, a blog post was published to show how to combine ParallelCluster with AWS Directory Services to create a multi-user, POSIX-compliant system with centralized authentication and automated home directory creation.
https://aws.amazon.com/it/blogs/opensource/aws-parallelcluster-aws-directory-services-authentication/

@mukulagrawal78

@lukeseawalker thanks. I am not too familiar with AWS directory service. Is it basically a Kerberos KDC? Can I use my own KDC instead?

@no-response

no-response bot commented Nov 9, 2020

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.

@no-response no-response bot closed this as completed Nov 9, 2020