The security feature allows users to set up FreeIPA and LDAP to help authenticate into HPC clusters.
Note
* Nodes provisioned using the Omnia provision tool do not require a RedHat subscription to run security.yml
on RHEL target nodes. * For RHEL target nodes not provisioned by Omnia, ensure that RedHat subscription is enabled on all target nodes. Every target node will require a RedHat subscription.
Configuring FreeIPA/LDAP security ________________________________
Enter the following parameters in input/security_config.yml
.
Parameter | Details |
---|---|
|
Boolean indicating whether FreeIPA is required or not.
|
|
Sets the intended realm name.
|
|
Password authenticating admin level access to the Directory for system management tasks. It will be added to the instance of directory server created for IPA.Required Length: 8 characters. The password must not contain -,, ‘,” |
|
“admin” user password for the IPA server on RockyOS. |
|
Boolean indicating whether ldap client is required or not.
|
|
Sets the intended domain name.
|
|
LDAP server IP. Required if ldap_required is true. There should be an explicit LDAP server running on this IP. |
|
For a TLS connection, provide a valid certification path. For an SSL connection, ensure port 636 is open.
|
|
This variable accepts Server Certificate Path. Make sure certificate is present in the path provided. The certificate should have .pem or .crt extension. This variable is mandatory if connection type is TLS.
|
|
|
|
If LDAP server is configured with bind dn then bind dn user to be provided. If this value is not provided (when bind is configured in server) then ldap authentication fails. Omnia does not validate this input. Ensure that it is valid and proper.
|
|
If LDAP server is configured with bind dn then bind dn password to be provided. If this value is not provided (when bind is configured in server) then ldap authentication fails. Omnia does not validate this input. Ensure that it is valid and proper. |
|
Boolean value deciding whether security features are enabled on the Login Node.
|
Note
When ldap_required
is true, freeipa_required
has to be false. Conversely, when freeipa_required is true, ldap_required` has to be false.
Enter the following parameters in input/login_node_security_config.yml
.
Variable | Details |
---|---|
|
The number of login failures that can take place before the account is locked out.
|
|
Period (in seconds) after which the number of failed login attempts is reset. Min value: 30; Max value: 60.
|
|
Period (in seconds) for which users are locked out. Min value: 5; Max value: 10.
|
|
User sessions that have been idle for a specific period can be ended automatically. Min value: 90; Max value: 180.
|
|
Email address used for sending alerts in case of authentication failure. When blank, authentication failure alerts are disabled. Currently, only one email ID is accepted. |
|
Access control list of users. Accepted formats are username@ip (root@1.2.3.4) or username (root). Multiple users can be separated using whitespaces. |
|
This variable decides whether users are to be allowed or denied access. Ensure that AllowUsers or DenyUsers entries on sshd configuration file are not commented.
|
|
This variable is used to disable services. Root access is mandatory.
|
|
List of services to be disabled (Comma-separated). Example: 'telnet,lpd,bluetooth'
|
Manager and compute nodes will have LDAP client installed and configured if ldap_required
is set to true. The login node does not have LDAP client installed.
Caution
No users/groups will be created by Omnia.
IPA services are used to provide account management and centralized authentication.
To customize your installation of FreeIPA, enter the following parameters in input/security_config.yml
.
Input Parameter | Definition | Variable value |
---|---|---|
kerberos_admin_password | "admin" user password for the IPA server on RockyOS and RedHat. | The password can be found in the file input/security_config.yml . |
ipa_server_hostname | The hostname of the IPA server | The hostname can be found on the manager node. |
domain_name | Domain name | The domain name can be found in the file input/security_config.yml . |
ipa_server_ipadress | The IP address of the IPA server | The IP address can be found on the IPA server on the manager node using the ip a command. This IP address should be accessible from the NFS node. |
To set up IPA services for the NFS node in the target cluster, run the following command from the utils/cluster
folder on the control plane: :
cd utils/cluster
ansible-playbook install_ipa_client.yml -i inventory -e kerberos_admin_password="" -e ipa_server_hostname="" -e domain_name="" -e ipa_server_ipadress=""
Note
Use the format specified under NFS inventory in the Sample Files for inventory.
Run: :
cd security
ansible-playbook security.yml -i inventory
The inventory should contain compute, manager, login as per the inventory file in samplefiles. The inventory file is case-sensitive. Follow the casing provided in the sample file link.
- To enable security features on the login node, ensure that
enable_secure_login_node
ininput/security_config.yml
is set to true.- To customize the security features on the login node, fill out the parameters in
input/login_node_security_config.yml
.- If a subsequent run of
security.yml
fails, thesecurity_config.yml
file will be unencrypted.
Caution
No users/groups will be created by Omnia.