
Towards modern authentication in a large-scale compute Installation


ISSN 2348-1196 (print) International Journal of Computer Science and Information Technology Research ISSN 2348-120X (online) Vol. 9, Issue 4, pp: (18-22), Month: October - December 2021, Available at: www.researchpublish.com

1Nabil Nabulsi, 2Abdulaziz Hamidi

Saudi Aramco, Dhahran, Saudi Arabia

Abstract: One of the many challenges in large cloud or compute installations, specifically for High Performance Computing (HPC), is implementing a scalable, centrally managed authentication solution that supports simultaneous bursts of authentication requests or resolution. A modern solution like Identity, Policy and Audit (IPA) is proven as a viable solution for traditional IT workloads; for large compute installations, however, it is more challenging. IPA is a cost-effective solution based on FreeIPA, providing a central repository for storing user identity, access policies, and auditing. Compared to a solution like Sun's Network Information Service (NIS), IPA has strong features in general but also has some shortcomings, such as complexity of configuration, administration, and recovery. This paper presents a case study of migrating to an IPA solution for a large computing installation of +12,0000 nodes deployed across two data centers. It uncovers some inherited limitations of an out-of-the-box IPA deployment for HPC workloads and ways to work around these limitations to achieve an efficient, reliable, and scalable authentication solution.

Keywords: HPC, Scalable Authentication, IPA, Linux.

I. INTRODUCTION

NIS Versus IPA

In general, Linux allows native administration of user credentials and details like user ID and group ID locally, using tiny databases or plain files. Although this works well for individual machines, it becomes less desirable when maintaining a larger group of servers, such as HPC, where each machine is supposed to be identical in behavior. The chance of having machines out of sync grows linearly as the number of machines in the environment increases. A centrally managed solution for user credentials is necessary to maintain IDs and details and to eliminate the out-of-sync problem.

NIS, or Network Information Service, developed by Sun Microsystems [1], utilized delegation, like DNS (Domain Name System). It allowed for independent distributed authentication nodes called NIS slaves. These slaves, or replicas, receive updates from one master through a push mechanism to stay in sync. Slaves could also request a transfer of all data using pull to get in sync on demand. Scalability is achieved through multi-tiering of slaves, with an unknown maximum number of clients. Joining an NIS domain was easy: authorization was based on IP address, and data and communication were not encrypted. Another limitation of NIS was a limit of 16 groups a user could be a member of [2]. Some of these limitations were improved on in NIS+ [3]. Managing data in general was achieved either through native Remote Procedure Call (RPC) commands like yppasswd and ypchsh, or by editing local files on the master and rendering or updating the binary maps (native format) [4]. Though it was not the most secure approach, it was easy to configure, administer, recover and, finally, troubleshoot.

IPA is an Identity Management system (IdM) bundled by Red Hat, based on FreeIPA, combining Lightweight Directory Access Protocol (LDAP), Kerberos, DNS, and Public Key Infrastructure (PKI) [5]. Unlike the NIS approach, IPA utilizes a meshed network for maximum availability and service continuity. It uses replication policies to ensure data integrity across IPA servers and to maintain access during link or connection outages. There is no single master, as is the case in NIS, and as such all servers can push updates to the other replicas [6]. IPA also incorporates technology like LDAP, which is proven to handle an equal number of HPC nodes using fewer back-end servers compared to one using NIS.
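The 16-group limit mentioned in the NIS discussion above can be checked against exported account data before a migration. The following is an added example, not code from the paper: it parses passwd(5) and group(5) formatted text and reports users whose total group count exceeds the limit. The sample data is constructed, the function names are hypothetical, and counting the primary group toward the limit is an assumption.

```python
from collections import defaultdict

NIS_GROUP_LIMIT = 16  # limit stated in the text; how it is counted is an assumption

# Constructed sample data in passwd(5) / group(5) format (not from the paper):
# alice is listed in 17 project groups, bob in 3; both have primary group "users".
SAMPLE_PASSWD = (
    "alice:x:1001:100:Alice:/home/alice:/bin/bash\n"
    "bob:x:1002:100:Bob:/home/bob:/bin/bash\n"
)
SAMPLE_GROUP = "users:x:100:\n" + "".join(
    f"proj{i:02d}:x:{2000 + i}:alice{',bob' if i < 3 else ''}\n" for i in range(17)
)

def _records(text, min_fields):
    """Yield colon-split records, skipping blanks, comments and NIS compat (+/-) lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields

def parse_memberships(passwd_text, group_text):
    """Return {user: set of group names}, including each user's primary group."""
    gid_to_name = {}
    members = defaultdict(set)
    for name, _pw, gid, user_list in (f[:4] for f in _records(group_text, 4)):
        gid_to_name[gid] = name
        for user in user_list.split(","):
            if user.strip():
                members[user.strip()].add(name)
    for fields in _records(passwd_text, 7):
        user, primary_gid = fields[0], fields[3]
        # Fall back to a gid label when the primary group has no group entry.
        members[user].add(gid_to_name.get(primary_gid, f"gid:{primary_gid}"))
    return dict(members)

def over_limit(memberships, limit=NIS_GROUP_LIMIT):
    """Return {user: group count} for users above the limit, sorted by user name."""
    return {u: len(g) for u, g in sorted(memberships.items()) if len(g) > limit}

if __name__ == "__main__":
    for user, count in over_limit(parse_memberships(SAMPLE_PASSWD, SAMPLE_GROUP)).items():
        print(f"{user}: {count} groups (limit {NIS_GROUP_LIMIT})")
```
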
