21.4 Identity Managers
The Moab identity manager interface can be used to coordinate global and local information regarding users, groups, accounts, and classes associated with compute resources. The identity manager interface may also be used to allow Moab to automatically and dynamically create and modify user accounts and credential attributes according to current workload needs.
Moab allows sites extensive flexibility when it comes to defining credential access, attributes, and relationships. In most cases, use of the USERCFG, GROUPCFG, ACCOUNTCFG, CLASSCFG, and QOSCFG parameters is adequate to specify the needed configuration. However, in certain cases such as the following, this approach may not be ideal or even adequate:
Moab addresses these and similar issues through the use of an identity manager. An identity manager is configured with the IDCFG parameter and allows Moab to exchange information with an external identity management service. As with Moab resource manager interfaces, this service can be a full commercial package designed for this purpose, or something far simpler by which Moab obtains the needed information for a web service, text file, or database.
Configuring an identity manager in basic read-only mode can be accomplished by simply setting the SERVER attribute. If Moab is to interact with the identity manager in read/write mode, some additional configuration may be required.
One common use for an identity manager is to import fairness data from a global external information service. As an example, assume a site needed to coordinate Moab group level fairshare targets with an allocation database that constrains total allocations available to any given group. To enable this, a configuration like the following might be used:
IDCFG[alloc] SERVER=exec://$TOOLSDIR/idquery.pl ...
The tools/idquery.pl script could be set up to query a local database and report its results to Moab. Each iteration, Moab will then import this information, adjust its internal configuration, and immediately respect the new fairness policies.
When an identity manager outputs credential information either through an exec or file based interface, the data should be organized in the following format:
The following output may be generated by an exec based identity manager:
group:financial fstarget=16.3 alist=project2 group:marketing fstarget=2.5 group:engineering fstarget=36.7 group:dm fstarget=42.5 user:jason adminlevel=3 account:sales maxnode=128 maxjob=8,16
When local credential configuration (as specified via moab.cfg) conflicts with identity manager configuration, the identity manager value takes precedence and the local values are overwritten.
By default, Moab only loads identity manager information once when it is first started up. If the identity manager data is dynamic, then you may want Moab to periodically update its information. To do this, set the REFRESHPERIOD attribute of the IDCFG parameter. Legal values are documented in the following table:
IDCFG[hq] SERVER=exec://$TOOLSDIR/updatepolicy.sh REFRESHPERIOD=hour
Local usage information can be exported to an identity manager. One possible use of this feature is for multiple clusters to export local usage to an identity manager and import global usage for usage and fairshare policies.
To create or modify an external credential such as a user or group, the identity manager's CREDCREATEURL attribute must be specified. This URL can point to a database, a script, or a service and indicates the method to use to create a new external credential. If enabled, this method is called to create credentials on remote compute hosts if the credential is not currently defined on the master host. To enable Moab to automatically use this capability in a utility computing, grid, or cluster environment, the DYNAMICCRED flag must be set on the appropriate destination resource manager.
RMCFG[local] TYPE=PBS FLAGS=DYNAMICCRED IDCFG[cred] CREATECREDURL=exec://$TOOLSDIR/user.create.nat.sh
Searches Moab documentation only
|© 2001-2010 Adaptive Computing Enterprises, Inc.|