I am looking to see if anyone has thought about this, or has suggestions as to the feasibility of this scenario.
Please let me know if this has been discussed in another thread that I have not come across yet!
Current cluster setup:
Slurm scheduled cluster with local ldap server for user mapping.
/home is NFS mounted on all head-nodes and compute nodes, as are the necessary Slurm configuration bits. OOD is as it should be, effectively another head-node, with the same mounts as the rest of the head-nodes and compute nodes. The only login method is ssh key. All is working well.
Background on current OOD Authentication (this is a little bit hacked):
Due to not having any password authentication, I have modified the Keycloak login page to only have the option to authenticate with an SSO provider. In this case, the user can either be directed to Globus or CILogon for authentication.
Once they authenticate with the SSO, Keycloak then attempts to map the primary email from the SSO to the email associated with a username in the cluster's ldap (which is read-only to Keycloak). In most cases this is successful. The email that has been authenticated by the SSO is the same as the one that the user's account in the cluster's ldap is set up with, and Keycloak can map the username, which it then provides to PAM on OOD. PAM is happy, and the user is logged in.
For those who noticed I did not explain what happens when the SSO email matches the email in ldap…
Answer: As a fallback, Keycloak makes a local account in Keycloak with the SSO-provided email as a username and sends that to PAM on OOD, which of course does not map to a real username and authentication breaks… This can be a separate thread if there is interest / I get a lot of dirty looks for this.
Essentially I am using Keycloak for nothing but its Identity Federation. I know what you're thinking, but let's not dwell on this as it is out of context of my actual question.
Background on second cluster:
Effectively identical in scheduling and authentication to the current cluster with OOD.
This second cluster has no shared components with the first cluster. Meaning:
- It has its own Slurm scheduler
- It has its own nfs mounted /home and slurm configs
- It has its own ldap…oh dear…
Correct me if I am wrong:
- Multiple Slurm schedulers would not be an issue, just make sure the configs for it are accessible (mount the necessary nfs) and make another /etc/ood/config/clusters.d/ yaml file for cluster 2.
Actual Question/What I see as potential (or definite) issues:
- Multiple /home's. How might this work with the File Manager? Mount them with different names according to the cluster?
- Multiple ldap’s. What if users have access to one cluster but not the other (i.e. are in one ldap but not the other)? What if users have different usernames between the clusters…uid’s not matching? …oh my
- If those are not game breaking, where would I start with Keycloak?
Thank you in advance for any advice! Even if it is “You are crazy just spin up a separate OOD for cluster 2…”
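As an added illustration of the "one clusters.d file per scheduler" idea in the post (this is example configuration, not part of the original post or an OOD-provided file), here are two cluster definitions in OOD's v2 cluster config format. The hostnames and the /opt/slurm2 and /etc/slurm2 paths are assumptions; the point is that each file carries its own `cluster`, `bin` and `conf` so the Slurm adapter talks to the right controller even when both schedulers' configs are mounted on the OOD host.

```yaml
# /etc/ood/config/clusters.d/cluster1.yml  (assumed filename)
---
v2:
  metadata:
    title: "Cluster 1"
  login:
    host: "cluster1-login.example.org"   # assumed hostname
  job:
    adapter: "slurm"
    cluster: "cluster1"                   # Slurm ClusterName for this scheduler
    bin: "/usr/bin"                       # Slurm client binaries for cluster 1
    conf: "/etc/slurm/slurm.conf"         # slurm.conf mounted from cluster 1

# /etc/ood/config/clusters.d/cluster2.yml  (assumed filename)
---
v2:
  metadata:
    title: "Cluster 2"
  login:
    host: "cluster2-login.example.org"   # assumed hostname
  job:
    adapter: "slurm"
    cluster: "cluster2"                   # Slurm ClusterName for the second scheduler
    bin: "/opt/slurm2/bin"                # assumed: cluster 2's client binaries, mounted separately
    conf: "/etc/slurm2/slurm.conf"        # assumed: cluster 2's slurm.conf, mounted separately
```

Keeping the two `conf` paths distinct matters: if both schedulers' slurm.conf files were mounted at the same path, one would shadow the other and jobs for the second cluster would be submitted to the wrong controller. The config files themselves say nothing about the user-mapping problem in the question; the username that OOD passes to sbatch is still whatever PAM accepted at login, so mismatched usernames or uids between the two ldap servers would surface at job submission and in the File Manager, not here.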