[Freeipa-devel] Maintaining Identity in a large cluster

Matthew Booth mbooth at redhat.com
Thu Jun 26 22:06:00 UTC 2008 

Hi,

I was recently asked to look into the problem of auditing user activity 
on a large cluster. There are a number of issues, but the one I'm 
highlighting here is the problem of maintaining a who a real user is in 
a large cluster.

If you talk to a cluster designer, their cluster is *a* machine. It is 
not a collection of machines, but a single entity. Security is 
important, but it is provided only at the boundary. Separate components 
of the machine (anybody else might call them servers) would have no more 
business authenticating each other than a CPU core would have 
authenticating another core. If I need to become root on an 8-core box, 
I wouldn't expect to enter my password 8 times. Now imagine there are 
hundreds of 'cores'.

A key administration tool of any cluster is a distributed shell. There 
are many implementations, but usage always boils down to something like:

# clustersh node[1-512] rpm -Uvh /clusterfs/newpkg.rpm

Key points to note:
* The user is root
* The user expects the command to run as root on nodes 1-512.

 From a security standpoint this is fine. The cluster trusts its network 
because it's entirely separate from any other network (it's just a bus 
in our big machine, right?). The user had to log on to the cluster in 
the first place with their own credentials, so access control is 
maintained. The problem comes when you introduce auditing.

Under other circumstances, 'best practise' would be to insist that a 
user log on as themselves, then escalate their privileges to root via an 
approved method. The audit system can tag them as they log in, and all 
subsequent actions can be made accountable. This doesn't work on a big 
cluster because the system administrator can't be expected to enter 
their password 512 times.

The solution is typically ssh keys shared across the cluster. The effect 
of this is that anyone who can perform an identity change on any machine 
can become anonymous on the cluster just by logging on to another node 
after the identity change. In practise, most/all users will be able to 
perform an identity change. If they are administrators this will be to 
root. If they are users, this will be to a processing user.

The problem extends beyond just cluster shell operations. For example, 
MPI jobs will typically be initiated on 1 node but executed on many. 
Again, it cannot be expected to require an authenticated privilege 
escalation for each target node.

The challenge is to maintain the identity of a real user across the 
cluster without compromising the 'single machine' model of the cluster. 
I'm not convinced this can be done today. It occurred to me that 
kerberos might be useful in this space if sshd can be coerced into:

1. Allowing principal mbooth/root to log in directly as root.
2. Setting the audit context to mbooth.

Has this problem been given any thought to date?

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

More information about the Freeipa-devel mailing list