HPC Gateway identities

HPC Gateway identities are stored in the "users" collection of the MongoDB database.


When a user connects to HPC Gateway, the system performs two steps:

  1. Check the user's authentication (user name and password).
  2. Get the user's identity information from the database, such as the name, rights and permissions.

Authentication is delegated to Jetty through JAAS. By default the JAAS login module in use is "ssh-login-module". It is configured in two files:

  • Referenced in ${HPCG_HOME}/core/jetty/webapps/torii/WEB-INF/jetty-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<Configure class="org.eclipse.jetty.webapp.WebAppContext">

    <Set name="contextPath">/torii</Set>
    <Set name="displayName">Authentication Test</Set>
    <Set name="securityHandler">
        <New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
            <Set name="loginService">
                <New class="org.eclipse.jetty.jaas.JAASLoginService">
                    <Set name="name">Test Realm</Set>
                    <!-- Set name="loginModuleName">unix-login-module</Set-->
                    <!-- Set name="loginModuleName">property-file-login-module</Set-->
                    <Set name="loginModuleName">ssh-login-module</Set>
                </New>
            </Set>
        </New>
    </Set>

    ...
    
</Configure>
  • Defined in ${HPCG_HOME}/core/jetty/etc/login.conf
unix-login-module {
  // PAM through the "sshd" PAM service: every account PAM accepts for sshd can log in.
  // Unix groups are ignored; each user gets the single "user" role.
  org.rundeck.jetty.JettyPamLoginModule requisite
  debug="true"
  service="sshd"
  useUnixGroups="false"
  supplementalRoles="user";
};

ldap-login-module {
  org.eclipse.jetty.jaas.spi.LdapLoginModule required
  debug="true"
  contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
  hostname="ldap.example.com"
  // Plain LDAP on 389 sends the bind password in clear; use ldaps or StartTLS in production.
  port="389"
  // Placeholder values. The directory manager is the most privileged account in the
  // directory: use a read-only service account, and keep this file readable by the
  // Jetty account only, because the password is stored in clear.
  bindDn="cn=Directory Manager"
  bindPassword="directory"
  authenticationMethod="simple"
  // false: the module reads userPasswordAttribute through the bind account and checks the
  // password against it locally. true: it binds to the directory as the user instead, so
  // the service account needs no read access to password hashes.
  forceBindingLogin="false"
  // User and role searches must point at the same directory tree.
  userBaseDn="ou=people,dc=example,dc=com"
  userRdnAttribute="uid"
  userIdAttribute="uid"
  userPasswordAttribute="userPassword"
  userObjectClass="inetOrgPerson"
  roleBaseDn="ou=groups,dc=example,dc=com"
  roleNameAttribute="cn"
  roleMemberAttribute="uniqueMember"
  roleObjectClass="groupOfUniqueNames";
};

property-file-login-module {
   // Users, passwords and roles in a flat file; keep it readable by the Jetty account only.
   org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
   debug="true"
   file="/opt/hpcg/repo/etc/property-file-login.list";
};

ssh-login-module {
   // Credentials are checked against the SSH server on localhost:22, so every account
   // that can log in over SSH on this host can authenticate to HPC Gateway.
   com.fujitsu.fse.torii.authentication.SshLoginModule required
   debug="true"
   hostname="localhost"
   port="22";
};


The standard method is "ssh-login-module": it checks the user name and password against the SSH server at the host and port given in login.conf, so any account that can log in over SSH on the gateway host can authenticate. Other methods such as LDAP and PAM are available, and a customized method can be developed by implementing the JAAS LoginModule interface, which is not a difficult task.
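To show what following the JAAS protocol amounts to, here is an added example of a complete login module. It is not part of HPC Gateway or Jetty; the package name, class name, credential-file format and the login.conf stanza mentioned below are assumptions. The module verifies a user name and password against a local file of salted PBKDF2-HMAC-SHA256 hashes, compares digests in constant time, returns the same failure for an unknown user and a wrong password, clears the password as soon as it has been checked, and exposes roles as org.eclipse.jetty.jaas.JAASRole principals, the class Jetty's JAASLoginService maps to web roles by default.

```java
// Added example, not HPC Gateway or Jetty code. Assumed: package and class names, the
// credential-file format, and Jetty's default roleClassNames (JAASRole).
// Credential file, one record per line: user:base64(salt):iterations:base64(PBKDF2-HMAC-SHA256):role1,role2
package com.example.hpcg.auth;

import java.io.IOException;
import java.nio.file.*;
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import org.eclipse.jetty.jaas.JAASPrincipal;
import org.eclipse.jetty.jaas.JAASRole;

public class Pbkdf2FileLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String file;
    private String pendingUser;            // set by login(), applied to the Subject in commit()
    private List<String> pendingRoles;
    private final List<Principal> added = new ArrayList<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.file = (String) options.get("file");       // login.conf option: file="..."
    }

    @Override
    public boolean login() throws LoginException {
        if (handler == null || file == null)
            throw new LoginException("CallbackHandler and option 'file' are required");
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        char[] password = null;
        try {
            handler.handle(new Callback[] { nc, pc });
            password = pc.getPassword();
            String[] rec = findRecord(nc.getName());
            // Same failure for unknown user and wrong password: no user enumeration
            if (rec == null || password == null) throw new FailedLoginException("bad user or password");
            byte[] expected = Base64.getDecoder().decode(rec[3]);
            byte[] actual = pbkdf2(password, Base64.getDecoder().decode(rec[1]),
                                   Integer.parseInt(rec[2]), expected.length);
            if (!MessageDigest.isEqual(expected, actual))          // constant-time comparison
                throw new FailedLoginException("bad user or password");
            pendingUser = rec[0];
            pendingRoles = rec.length > 4 && !rec[4].isEmpty()
                    ? Arrays.asList(rec[4].split(",")) : Collections.<String>emptyList();
            return true;
        } catch (IOException | UnsupportedCallbackException | IllegalArgumentException e) {
            throw new LoginException("credential check failed: " + e.getMessage());
        } finally {
            pc.clearPassword();
            if (password != null) Arrays.fill(password, '\0');    // drop the secret early
        }
    }

    // Jetty only treats principals of its roleClassNames (JAASRole by default) as roles
    @Override
    public boolean commit() {
        if (pendingUser == null) return false;                   // this module did not authenticate
        Set<Principal> ps = subject.getPrincipals();
        Principal u = new JAASPrincipal(pendingUser);
        ps.add(u); added.add(u);
        for (String role : pendingRoles) { Principal r = new JAASRole(role.trim()); ps.add(r); added.add(r); }
        pendingUser = null; pendingRoles = null;
        return true;
    }

    @Override public boolean abort() { pendingUser = null; pendingRoles = null; return logout(); }

    @Override public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }

    private String[] findRecord(String user) throws IOException {
        if (user == null) return null;
        for (String line : Files.readAllLines(Paths.get(file))) {
            if (line.isEmpty() || line.startsWith("#")) continue;
            String[] f = line.split(":", 5);
            if (f.length >= 4 && f[0].equals(user)) return f;
        }
        return null;
    }

    private static byte[] pbkdf2(char[] pw, byte[] salt, int iterations, int len) throws LoginException {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iterations, len * 8);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new LoginException("PBKDF2 unavailable: " + e.getMessage());
        } finally { spec.clearPassword(); }
    }

    // Record generator for the file: java ... Pbkdf2FileLoginModule <user> <password> [role,role]
    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        System.out.println(args[0] + ":" + b64.encodeToString(salt) + ":200000:"
                + b64.encodeToString(pbkdf2(args[1].toCharArray(), salt, 200000, 32))
                + ":" + (args.length > 2 ? args[2] : ""));
    }
}
```

To use it, compile the class against jetty-jaas, add a stanza such as `pbkdf2-file-login-module { com.example.hpcg.auth.Pbkdf2FileLoginModule required file="/opt/hpcg/repo/etc/pbkdf2-login.list"; };` to login.conf (stanza name and path are assumptions), and point `<Set name="loginModuleName">` in jetty-web.xml at it. Running the class's main with a user name, a password and an optional comma-separated role list prints one record for the file; keep that file readable by the Jetty account only.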

Once authenticated, the user still needs an identity from the database. By default, a user who is not yet defined in the "users" collection is rejected even though authentication succeeded. The configuration parameter "autoPopulate" tells HPC Gateway to create the identity automatically and put it into the team given by "defaultTeam" (the _id of a team document). When this parameter is set, every newly authenticated user can connect with the rights defined by that team. Note that with "ssh-login-module" this means every account able to log in over SSH on the gateway host gets an HPC Gateway identity, so the default team should have very limited rights, such as a Guest or Public team. Both parameters live in the "webserver" document of the "configs" collection:

configs.webserver
{
    "_id" : "webserver",
    "settings" : [ 
        {
            "key" : "autoPopulate",
            "value" : "true"
        }, 
        {
            "key" : "defaultTeam",
            "value" : "568e3a3cddff3a6ccdaf92c8"
        }
    ]
}