Why

• Streamline the usage of HPC-oriented clusters from resource centers belonging to the EOSC-synergy consortium
• CESGA (ES), PSNC (PL), LIP (PT), UNICAN (ES), members of the EuroCC network of competence
  • See also talk of Bastian Koller earlier

Problem

• Enable login to HPC with existing AAI
  • EGI Checkin, INDIGO IAM, eduTeams, B2Access, Keycloak, …

Use case:

• HPC clusters typically require login via ssh (requires local accounts)
  • Integration with federated AAI (e.g. EGI-Check-In Indigo-IAM, …):
    • requires ssh client and server to understand Tokens
  • Also: modification of ssh binaries is not acceptable

Goal

• “make-it-feel-normal”:
  • Authorisation via entitlements (VO / Group / Role -Memberships)
  • Use OpenId Connect (OIDC) as a basis
  • Unmodified client and server
  • Dynamic local-account generation
    • pool accounts and more
    • very similar backends to lcas and lcmaps
  • Remove the need for usernames

Architecture Outline

TL;DR

• Client side is wrapped into a script with two steps:
  1. Create:
     1. Call an Interface at the remote side (REST / SSH)
     2. Try to create the user (based on OIDC AT)
     3. Obtain the username
  2. Login:
     1. Use sshpass to put AT into password field
• Remote account creation:
  • Flexible mechanisms offer various approaches:
    • Pooled accounts
    • “True” creation (local, ldap, AD, …) (like with lcas and lcmaps
• Limitations:
  • OIDC AT can be placed into the password field of ssh
    • Unless it’s shorter than 1023 bytes
  • Trust model of HPC is sometimes not understood

    (by HPC) 😉

Status

• A team of enthusiasts is set up:
  • PSNC: Damien Kaliszan, Pawel Wolniewicz
  • KIT: Diana Gudu, Marcus Hardt
• The architecture was discussed with external experts (on AAI and a bit Sec)
  • Mischa Sallé (Nikhef)
• A set of HPC centres are willing to try it:
  • CESGA, Spain
  • PSNC, Poland
  • BIFI, Spain
• Contact: m-contact@lists.kit.edu