Centralized user/group management
Using Web UI¶
Log in to the Web UI with an admin account and locate "Users Management" or "Group Management" sections on the left sidebar.
Info
Users and Group management are limited to admins users
Users¶
Add users¶
To create a new user, simply fill out the "Create New User" form. Select whether or not the user will be an admin by checking "Enable Sudo Access" checkbox. If needed, you can also manually force UID/GID or choose a shell different than /bin/bash.
You will see a success message if the user is created correctly
What is a SUDO user?
Users will SUDO permissions will be admin on the cluster and authorized to run any sudo command. Make sure to limit this ability to HPC/AWS/Linux admins and other power users.
Custom shell
SOCA uses /bin/bash by default but admins can specify any available shells installed on the system ( list available on /etc/shells)
Delete users¶
To delete a user, navigate to 'Delete Users' section then select the user you want to delete and check the checkbox.
You will see a success message if the user is deleted correctly.
Info
Deleting a user will only delete the LDAP user. Associated $HOME directory is still preserved on /data/home
Reset password for a given user¶
Users can change their own password via the web ui. If needed, admins can also temporarily unlock a user by resetting the password on his/her behalf.
Manage SUDO (admin permission)¶
Admins can grant/revoke SUDO permissions for any user:
Groups¶
Create a new group¶
To create a new group, simply select "Create a Group" and select the user(s) you want to add to this group.
Check group membership¶
You can check group membership by going to "Check group membership" tab.
Change group membership¶
If needed, you can add/remove users from a given groups.
Delete group¶
Lastly, to delete a group, simply navigate to "Delete Group" tab.
Other LDAP operations¶
Attention
It's recommended to interact with OpenLDAP via the web ui interface.
Scale-Out Computing on AWS uses OpenLDAP and you can interact with your directory using LDIF directly.
Scale-Out Computing on AWS LDAP Schema
- People: OU=People,DC=soca,DC=local
- Groups: OU=Group,DC=soca,DC=local
- Sudoers: OU=Sudoers,DC=soca,DC=local (This OU manages sudo permission on the cluster)
Admin LDAP account credentials
- Bind DN (-D): cn=admin,dc=soca,dc=local
- Password (-y) /root/OpenLdapAdminPassword.txt
For example, if you want to create a new group, create a new LDIF file (mynewgroup.ldif) and add the following content:
dn: cn=mynewgroup,ou=Group,dc=soca,dc=local
objectClass: top
objectClass: posixGroup
cn: mynewgroup
gidNumber: 6000
memberUid: mytestuser
Run the following ldapadd command to add your new group:
ldapadd -x -D cn=admin,dc=soca,dc=local -y /root/OpenLdapAdminPassword.txt -f mynewgroup.ldif
adding new entry "cn=mynewgroup,ou=Group,dc=soca,dc=local"
Finally valid your group has been created correctly using ldapsearch
# Validate with Ldapsearch
~ ldapsearch -x cn=mynewgroup
#Extended LDIF
#
# LDAPv3
# base DC=soca,DC=local (default) with scope subtree
# filter: cn=mynewgroup
# requesting: ALL
#
# mynewgroup, Group, soca.local
dn: cn=mynewgroup,ou=Group,dc=soca,dc=local
objectClass: top
objectClass: posixGroup
cn: mynewgroup
gidNumber: 6000
memberUid: mytestuser
Example for LDIF modify operation
dn: cn=mynewgroup,ou=Group,dc=soca,dc=local
changetype: modify
add: memberUid
memberUid: anotheruser
dn: cn=mynewgroup,ou=Group,dc=soca,dc=local
changetype: modify
delete: memberUid
memberUid:: anotheruser # you get the memberUid by running a simple ldapsearch first
Give users permissions to submit job¶
By default, users can submit job to any queue, however you can set up ACL at queue level if needed