HPC AAI Integration

Isabel Campos, Diana Gudu, Marcus Hardt

November 2020



  • Streamline the usage of HPC-oriented clusters from resource centers belonging to the EOSC-synergy consortium
  • CESGA (ES), PSNC (PL), LIP (PT), UNICAN (ES), members of the EuroCC network of competence
    • See also the talk by Bastian Koller earlier


  • Enable login to HPC with existing AAI
    • EGI Checkin, INDIGO IAM, eduTeams, B2Access, Keycloak, …

Use case:

  • HPC clusters typically require login via ssh (requires local accounts)
    • Integration with federated AAI (e.g. EGI Check-in, INDIGO IAM, …):
      • requires ssh client and server to understand tokens
    • Also: modification of ssh binaries is not acceptable


  • “make-it-feel-normal”:
    • Authorisation via entitlements (VO / Group / Role memberships)
    • Use OpenId Connect (OIDC) as a basis
    • Unmodified client and server
    • Dynamic local-account generation
      • pool accounts and more
      • very similar backends to lcas and lcmaps
    • Remove the need for usernames


Architecture Outline


  • Client side is wrapped into a script with two steps:
    1. Create:
      1. Call an Interface at the remote side (REST / SSH)
      2. Try to create the user (based on OIDC AT)
      3. Obtain the username
    2. Login:
      1. Use sshpass to put the AT into the password field
  • Remote account creation:
    • Flexible mechanisms offer various approaches:
      • Pooled accounts
      • “True” creation (local, LDAP, AD, …) (like with lcas and lcmaps)
  • Limitations:
    • OIDC AT can be placed into the password field of ssh
      • Only works if the AT is shorter than 1023 bytes
    • Trust model of HPC is sometimes not understood (by HPC) 😉
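An added illustration of the remote “create” step outlined above, written for this page and not code from the project or its authors: the service behind the REST/SSH interface checks that the AT fits the ssh password field, authorises the caller via entitlements, and hands out a pooled local account that the client then uses for the sshpass login. The allowed entitlement, the pool names and the token contents are constructed assumptions.

```python
import base64
import json

# Assumptions (constructed for this example): the entitlements that grant access
# to this cluster, and the ssh password-field limit quoted on the slides.
ALLOWED_ENTITLEMENTS = {"urn:mace:egi.eu:group:vo.example.org:role=member#aai.egi.eu"}
SSH_PASSWORD_LIMIT = 1023  # the AT must be shorter than this to fit the password field

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_demo_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped token from claims (constructed sample, not a real AT)."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def decode_claims(access_token: str) -> dict:
    """Read the claims of a JWT-shaped AT. A real deployment must first verify the
    token (signature check or introspection at the issuer); this demo skips that."""
    payload = access_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def fits_password_field(access_token: str) -> bool:
    return len(access_token.encode()) < SSH_PASSWORD_LIMIT

def is_authorised(claims: dict) -> bool:
    """Authorisation via entitlements: any allowed VO/group/role membership suffices."""
    return bool(set(claims.get("eduperson_entitlement", [])) & ALLOWED_ENTITLEMENTS)

class AccountPool:
    """Pooled accounts: one local account per (issuer, subject), reused on later logins."""
    def __init__(self, names):
        self.free, self.mapping = list(names), {}
    def assign(self, claims: dict) -> str:
        key = (claims["iss"], claims["sub"])
        if key not in self.mapping:
            if not self.free:
                raise RuntimeError("account pool exhausted")
            self.mapping[key] = self.free.pop(0)
        return self.mapping[key]

def create_user(pool: AccountPool, access_token: str) -> str:
    """Remote 'create' step: size check, authorise, return the local username for sshpass."""
    if not fits_password_field(access_token):
        raise ValueError("AT too long for the ssh password field")
    claims = decode_claims(access_token)
    if not is_authorised(claims):
        raise PermissionError("no matching entitlement")
    return pool.assign(claims)
```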


  • A team of enthusiasts is set up:
    • PSNC: Damien Kaliszan, Pawel Wolniewicz
    • KIT: Diana Gudu, Marcus Hardt
  • The architecture was discussed with external experts (on AAI and, to some extent, security)
    • Mischa Sallé (Nikhef)
  • A set of HPC centres are willing to try it:
    • CESGA, Spain
    • PSNC, Poland
    • BIFI, Spain
  • Contact: m-contact@lists.kit.edu