[Freeipa-devel] Maintaining Identity in a large cluster
Jan-Frode Myklebust
janfrode at tanso.net
Thu Jun 26 22:29:05 UTC 2008
On Thu, Jun 26, 2008 at 11:06:00PM +0100, Matthew Booth wrote:
>
> If you talk to a cluster designer, their cluster is *a* machine.
Former cluster sysadmin here. And yes, I agree, a cluster is a machine.
> Under other circumstances, 'best practice' would be to insist that a
> user log on as themselves, then escalate their privileges to root via an
> approved method. The audit system can tag them as they log in, and all
> subsequent actions can be made accountable. This doesn't work on a big
> cluster because the system administrator can't be expected to enter
> their password 512 times.
An option would maybe be to do all root tasks through sudo, and use the
NOPASSWD: option in the sudoers config. Establish a policy that one
should never log in as root, and always use sudo.
%sysadmin ALL=(ALL) NOPASSWD: ALL
Or to encourage your sysadmins to not cheat:
Cmnd_Alias SHELLS = /bin/ash, /bin/ksh, /bin/bash, /bin/sh, /bin/bsh, /bin/tcsh, /usr/sbin/sesh, /bin/csh, /sbin/nash
Cmnd_Alias TERMINALS = /usr/bin/gnome-terminal, /usr/bin/konsole, /usr/bin/xterm, /usr/bin/uxterm
Cmnd_Alias SU = /bin/su
%sysadmin ALL = (ALL) NOPASSWD: ALL, !SU, !SHELLS, !TERMINALS
> The solution is typically ssh keys shared across the cluster. The effect
> of this is that anyone who can perform an identity change on any machine
> can become anonymous on the cluster just by logging on to another node
> after the identity change.
Don't allow identity changes.
> In practice, most/all users will be able to
> perform an identity change. If they are administrators this will be to
> root. If they are users, this will be to a processing user.
I don't see why users should need to change to a processing user. Why
can't they run as their login user?
> The problem extends beyond just cluster shell operations. For example,
> MPI jobs will typically be initiated on 1 node but executed on many.
> Again, it cannot be expected to require an authenticated privilege
> escalation for each target node.
MPI jobs normally don't need escalated privileges to run.
-jf
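To see how the sudoers fragment above actually evaluates, here is an added example (not from this thread or the FreeIPA project) that parses the Cmnd_Alias and user-spec lines and applies sudo's last-match-wins rule, negations included; it assumes a simplified sudoers grammar with no command arguments, wildcards or host matching.

```python
import re

# Constructed sample: the sudoers fragment from the post, embedded as a string.
SUDOERS = """
Cmnd_Alias SHELLS = /bin/ash, /bin/ksh, /bin/bash, /bin/sh, /bin/bsh, /bin/tcsh, /usr/sbin/sesh, /bin/csh, /sbin/nash
Cmnd_Alias TERMINALS = /usr/bin/gnome-terminal, /usr/bin/konsole, /usr/bin/xterm, /usr/bin/uxterm
Cmnd_Alias SU = /bin/su
%sysadmin ALL = (ALL) NOPASSWD: ALL, !SU, !SHELLS, !TERMINALS
"""

def parse_sudoers(text):
    """Return (aliases, specs) for a simplified sudoers file (no args, no wildcards)."""
    aliases, specs = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+(\S+)\s*=\s*\((\S+)\)\s*(?:(NOPASSWD|PASSWD):\s*)?(.+)", line)
        if m:
            user, host, runas, tag, cmds = m.groups()
            specs.append({"user": user, "host": host, "runas": runas,
                          "nopasswd": tag == "NOPASSWD",
                          "cmds": [c.strip() for c in cmds.split(",")]})
    return aliases, specs

def expand(item, aliases):
    """Expand one command entry into (negated, commands); None means 'ALL'."""
    negated = item.startswith("!")
    name = item.lstrip("!")
    if name == "ALL":
        return negated, None
    return negated, set(aliases.get(name, [name]))

def allowed(specs, aliases, user, command):
    """Evaluate like sudo: the last matching entry wins, so '!SHELLS' after 'ALL'
    revokes the shells. Returns (permitted, nopasswd) or None if nothing matches."""
    verdict = None
    for spec in specs:
        if spec["user"] != user:
            continue
        for item in spec["cmds"]:
            negated, cmds = expand(item, aliases)
            if cmds is None or command in cmds:
                verdict = (not negated, spec["nopasswd"])
    return verdict
```

On a real node the authoritative check is `sudo -l -U <user>`, which evaluates the full policy (arguments, wildcards, hosts) the way sudo itself does.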