Authentication
Active Directory
CCME needs to connect to an Active Directory (or an LDAP server) to authenticate users. You can either let CCME deploy an Active Directory, or use your own. Both the CCME Management Host and the HPC clusters connect to the Active Directory over LDAPS; no machine is joined to the Active Directory domain.
Authentication configuration is done when you create the CCME Management Host (CMH); see the following variables in deployment.ccme.conf (see CMH Configuration): active_directory_name, active_directory_ips, active_directory_read_only_user_dn, active_directory_read_only_user_password_secret_arn and active_directory_admin_password_secret_arn.
The CMH generates the ParallelCluster configuration files according to the selected parameters, and the clusters automatically configure SSSD (System Security Services Daemon) to authenticate users against the directory.
You can specify an LDAP filter to restrict which directory users may log in to the cluster nodes through the LdapAccessFilter option (DirectoryService section) of the ParallelCluster configuration file.
Note
On Linux, SSSD caches user and group entries after their first lookup on an instance. If the uid of a user or the gid of a group is changed in the AD, the instance keeps serving the cached value until the entry expires; clear the cache with the following commands:
systemctl stop sssd
rm -rf /var/lib/sss/db/*
systemctl start sssd
Warning
If you do Windows remote visualization (see Windows), you will need to configure authentication directly in the AMI, or through a custom PowerShell script that configures the instance at launch time.
CCME Active Directory
CCME can deploy its own Active Directory when you set active_directory_ips=NONE in deployment.ccme.conf: an AWS Managed Directory Service is then deployed, and shared among all the clusters and the CMH. In this case, you must provide the ARN of a secret containing the administrator password (see active_directory_admin_password_secret_arn).
When you use an Active Directory managed by CCME, you can set the option CCME_SUDOER_GROUP to specify the name of a group in the AD whose members will be granted sudo access on the cluster.
Self-managed Active Directory
You can also use your own Active Directory. You just need to configure deployment.ccme.conf accordingly.
OIDC External Authentication
Optional external authentication is available only for EnginFrame, through the Application Load Balancer (ALB) and an OIDC-compatible SSO system.
To create a configuration file for the OpenID authentication, a basic configuration file is available in the CCME/conf/ directory. You must duplicate this file (in the same directory) and name the new file following the pattern ${CCME_OIDC}.oidc.yaml, with ${CCME_OIDC} the parameter you specified in the ParallelCluster configuration file.
Note
Using OIDC authentication for EnginFrame does not remove the need for an authentication source for the clusters: you can still use either the Active Directory deployed by CCME or your own.
Example in bash:
cp "CCME/conf/default.oidc.yaml" "CCME/conf/${CCME_OIDC}.oidc.yaml"
Content of CCME/conf/default.oidc.yaml:
################################################################################
# Copyright (c) 2017-2025 UCit SAS
# All Rights Reserved
#
# This software is the confidential and proprietary information
# of UCit SAS ("Confidential Information").
# You shall not disclose such Confidential Information
# and shall use it only in accordance with the terms of
# the license agreement you entered into with UCit.
################################################################################
#
# Configuration file for OpenID
# - All parameters are mandatory if not specified as optional
# - UserMapping can take 'NONE' or a username as a value
# - No other parameter can be set to 'NONE'
#
################################################################################
# Authentication connectivity
# Example with Google OpenID
################################################################################

# WARNING:
# Some Identity Providers require the port in all URLs.
# In case of connectivity problems, please add the port (https://<DNS>:<PORT>).

# The variable Issuer is the OpenID provider URL
Issuer: 'https://accounts.google.com'

# The variable AuthorizationEndpoint is the Application Authorization Endpoint URL
AuthorizationEndpoint: 'https://accounts.google.com/o/oauth2/v2/auth'

# The variable TokenEndpoint is the Application Token Endpoint URL
TokenEndpoint: 'https://oauth2.googleapis.com/token'

# The variable UserInfoEndpoint is the Application User Information Endpoint URL
UserInfoEndpoint: 'https://openidconnect.googleapis.com/v1/userinfo'

# The variable ClientCredentials should be filled with the ARN of the credentials
# stored in AWS Secrets Manager.
ClientCredentials: 'arn:aws:secretsmanager:<REGION>:<ACCOUNT>:secret:<secret-id>'

# The variable Scope should be filled with supported scopes separated by spaces
Scope: 'openid profile'

# The variable AuthenticationRequestExtraParams is optional
# Uncomment the variable to use it.
# AuthenticationRequestExtraParams:
#   key: value

# The variable SessionCookieName is used as the browser cookie name
# that maintains the authenticated session with the Application Load Balancer
SessionCookieName: 'ccmeAlb'

# The variable UsernameAttribute is optional.
# It defines the attribute of the OpenID token to use as the
# username of the authenticated user.
UsernameAttribute: 'family_name'

# The variable UserMapping is optional.
# Its value can either be NONE to disable user mapping, or be a username that
# will be used to map all users to the service account represented by this username.
UserMapping: 'NONE'
Warning
Once the user is authenticated to the IdP, the ALB checks the validity of the ID token and access token (steps 3 to 6 in the ALB OIDC Authentication flow). The ALB is very sensitive to the URL you specify in the Issuer parameter: it does an exact string comparison with the iss (issuer) claim of the id_token. Thus, for example, if your IdP includes the port number in the URL, you MUST include the port number in the Issuer URL field, even if this is the default HTTPS port (443).
The CCME OpenID feature can use a custom decode_jwt_headers Python script to retrieve information about the user. CCME provides a default one, but if you want to use a custom one, simply create your version of decode_jwt_headers.py.j2 inside CCME/custom/. An example is given in CCME/custom/example.decode_jwt_headers.py.j2.
Example of ARN syntax for ClientCredentials:
arn:aws:secretsmanager:${aws_region}:${aws_account_id}:secret:${secrets_manager_prefix}-oidc-credentials-4J3int
The secret must contain a JSON document with the client ID and client secret:
{
"ClientId": "${your_client_id}",
"ClientSecret": "${your_client_secret}"
}