[Freeipa-devel] Maintaining Identity in a large cluster

Jan-Frode Myklebust janfrode at tanso.net
Thu Jun 26 22:29:05 UTC 2008


On Thu, Jun 26, 2008 at 11:06:00PM +0100, Matthew Booth wrote:
> 
> If you talk to a cluster designer, their cluster is *a* machine.

Former cluster sysadmin here. And yes, I agree, a cluster is a machine.

> Under other circumstances, 'best practice' would be to insist that a 
> user log on as themselves, then escalate their privileges to root via an 
> approved method. The audit system can tag them as they log in, and all 
> subsequent actions can be made accountable. This doesn't work on a big 
> cluster because the system administrator can't be expected to enter 
> their password 512 times.

An option would maybe be to do all root-tasks through sudo. And use the
NOPASSWD:-option in the sudoers config. Establish a policy that one
should never log in as root, and always use sudo.

    %sysadmin   ALL=(ALL)       NOPASSWD: ALL

Or to encourage your sysadmins to not cheat:

    Cmnd_Alias     SHELLS = /bin/ash,  /bin/ksh,  /bin/bash, /bin/sh, /bin/bsh, /bin/tcsh, /usr/sbin/sesh, /bin/csh, /sbin/nash
    Cmnd_Alias     TERMINALS  = /usr/bin/gnome-terminal, /usr/bin/konsole, /usr/bin/xterm, /usr/bin/uxterm
    Cmnd_Alias     SU = /bin/su
    %sysadmin  ALL = (ALL) NOPASSWD: ALL, !SU, !SHELLS, !TERMINALS


> The solution is typically ssh keys shared across the cluster. The effect 
> of this is that anyone who can perform an identity change on any machine 
> can become anonymous on the cluster just by logging on to another node 
> after the identity change.

Don't allow identity changes. 

> In practice, most/all users will be able to 
> perform an identity change. If they are administrators this will be to 
> root. If they are users, this will be to a processing user.

I don't see why users should need to change to a processing user. Why
can't they run as their login user?

> The problem extends beyond just cluster shell operations. For example, 
> MPI jobs will typically be initiated on 1 node but executed on many. 
> Again, it cannot be expected to require an authenticated privilege 
> escalation for each target node.

MPI-jobs normally don't need escalated privileges to run.


   -jf
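Added example, not part of the mail above: a small evaluator for the two sudoers fragments quoted in it. It applies the rule sudo documents for command lists (the last matching entry decides, and a "!" entry denies), so the effect of `ALL, !SU, !SHELLS, !TERMINALS` on a given command can be checked before the policy is rolled out. The fragment and the command paths tried are constructed from the mail; the evaluator matches exact paths only, with no wildcard or argument handling.

```python
import re

# Constructed sudoers fragment: the "no shells, no su" policy quoted in the mail.
SUDOERS = """
Cmnd_Alias     SHELLS = /bin/ash,  /bin/ksh,  /bin/bash, /bin/sh, /bin/bsh, /bin/tcsh, /usr/sbin/sesh, /bin/csh, /sbin/nash
Cmnd_Alias     TERMINALS  = /usr/bin/gnome-terminal, /usr/bin/konsole, /usr/bin/xterm, /usr/bin/uxterm
Cmnd_Alias     SU = /bin/su
%sysadmin  ALL = (ALL) NOPASSWD: ALL, !SU, !SHELLS, !TERMINALS
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# user or %group, host, optional (runas), optional tags, then the command list
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?"
    r"(?:(?:NOPASSWD|PASSWD|NOEXEC|SETENV):\s*)*(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Return ({alias: [paths]}, [(who, [entries])]) in file order."""
    aliases, specs = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = SPEC_RE.match(line)
        if m:
            specs.append((m.group("who"), [c.strip() for c in m.group("cmds").split(",")]))
    return aliases, specs

def command_allowed(aliases, specs, who, command):
    """sudo semantics: the LAST matching entry decides; a '!' entry denies.
    Plain entries are compared as exact paths (no wildcards or arguments here)."""
    decision = False
    for spec_who, entries in specs:
        if spec_who != who:
            continue
        for entry in entries:
            negate = entry.startswith("!")
            name = entry.lstrip("!")
            members = aliases.get(name, [name])  # unaliased entries are literal paths
            if "ALL" in members or command in members:
                decision = not negate
    return decision

if __name__ == "__main__":
    aliases, specs = parse_sudoers(SUDOERS)
    for cmd in ("/sbin/reboot", "/bin/bash", "/bin/su", "/usr/bin/xterm"):
        print(cmd, "allowed" if command_allowed(aliases, specs, "%sysadmin", cmd) else "denied")
```

Because matching is by exact path, the negated aliases only cover the shells and terminals actually enumerated; the sudoers manual makes the same point about "!" lists, so treat them as a nudge toward logged sudo use rather than a hard boundary.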
