User & group management

The distributed HPAC Platform LDAP architecture

The server architecture

The HPAC Platform provides a single sign-on mechanism to all resources that is also integrated with the HBP-wide infrastructure so that the same account can be used for accessing all services for which the user has the required access permissions.

The infrastructure in place for enabling this mechanism consists of a master LDAP (Lightweight Directory Access Protocol) server and some slave servers. It is used to store information about user accounts and user groups. The master HBP LDAP server is hosted at EPFL. Slave LDAPs are located at most sites providing hardware resources for the HPAC Platform, which are at the moment Barcelona Supercomputing Centre (BSC), Cineca (CINECA) and Jülich Supercomputing Centre (JSC). New user accounts are first created on the master LDAP server, which then feeds this information into the slave servers. All updates of user accounts or groups are likewise first applied at the master server and then propagated to the slave servers. The user and group information stored in the slave LDAP servers is propagated to the HPC systems. The EPFL BlueBrain IV system that is hosted at the Swiss National Supercomputing Centre (CSCS) gets this information directly from the master LDAP server.

[Figure: Architecture of the LDAP servers used for the HPAC Platform user database]

User authentication and access to HPAC Platform services

When a user wants to use HPC services via UNICORE, the identity is first verified by the OIDC server at EPFL using the HBP username and password. The OIDC server returns an OIDC token in case of a successful authentication. This OIDC token is then used to access the UNICORE services. UNICORE passes this token to the UNITY server at JSC that validates the token by contacting the OIDC server. In case of a successful validation, UNITY returns the user’s distinguished name (DN) back to UNICORE. All information in UNITY is transient and created on the fly when a user logs in or an OIDC token is validated.

The UNICORE user database XUUDB maps the DNs to the user IDs (uid) and group IDs (gid) of the HPC systems. The slave LDAP servers at the HPC sites periodically update the user information in the XUUDB, i.e. the mapping of DN to uid and gid. These user records are also synchronized with the master LDAP server.

The whole process happens in an automated way that is completely transparent for the user who only needs a single account with username and password.

[Figure: User authentication for the HPAC Platform infrastructure]

Library for connecting slave LDAP servers to the master LDAP

JSC developed a library for connecting the local account databases to the master LDAP server of the HBP that centrally manages the accounting data. It propagates account applications made through the Collaboratory into the JSC accounting system. The library is designed as a one-way synchronization, i.e. the master LDAP server contains the latest version of the data, which needs to be applied to the JSC databases in a second step. New user accounts, new groups, projects or any modifications applied at the central LDAP server are added or modified accordingly within the JSC databases. The library is designed for local use within the HPC infrastructure of the JSC. It is installed on a dedicated server at JSC and its functionality will be transparent for HPAC Platform users as it is part of the HPC infrastructure layer.
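The one-way synchronization described above, sketched as an added example (this is not the JSC library's code): the master's entries are authoritative, local drift is overwritten, and local entries unknown to the master are reported for review rather than deleted. The attribute names, the dictionary layout and the sample entries are constructed assumptions.

```python
# Added illustration of one-way (master -> local) reconciliation.
# Attribute names and the sample entries are constructed assumptions.

def plan_one_way_sync(master, local):
    """Compute changes that make `local` agree with the authoritative `master`.

    Both arguments map an entry's DN to a dict of its attributes.
    Nothing is ever written back to the master.
    """
    plan = {"add": {}, "modify": {}, "orphaned": []}
    for dn, attrs in master.items():
        if dn not in local:
            plan["add"][dn] = dict(attrs)
            continue
        # Master wins on every attribute it defines, so local drift is overwritten.
        changed = {k: v for k, v in attrs.items() if local[dn].get(k) != v}
        if changed:
            plan["modify"][dn] = changed
    # Local entries unknown to the master are only reported for review:
    # the text describes additions and modifications, not deletions.
    plan["orphaned"] = sorted(dn for dn in local if dn not in master)
    return plan


def apply_plan(local, plan):
    """Return a new local database with the planned adds and modifications applied."""
    result = {dn: dict(attrs) for dn, attrs in local.items()}
    for dn, attrs in plan["add"].items():
        result[dn] = dict(attrs)
    for dn, changed in plan["modify"].items():
        result[dn].update(changed)
    return result


# Constructed sample data (not real HBP or JSC accounts).
MASTER = {
    "uid=alice,ou=users,dc=example,dc=org": {"uidNumber": 5001, "gidNumber": 600},
    "uid=bob,ou=users,dc=example,dc=org": {"uidNumber": 5002, "gidNumber": 600},
}
LOCAL = {
    "uid=alice,ou=users,dc=example,dc=org": {"uidNumber": 5001, "gidNumber": 999},
    "uid=carol,ou=users,dc=example,dc=org": {"uidNumber": 5003, "gidNumber": 600},
}

if __name__ == "__main__":
    plan = plan_one_way_sync(MASTER, LOCAL)
    print(plan)
    print(plan_one_way_sync(MASTER, apply_plan(LOCAL, plan)))
```

Running the planner a second time on the synchronized data yields no further adds or modifications, while the orphaned entry keeps being reported until someone resolves it.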

More information about the library can be found here: