Feature #16590 (open)

support dynamic arvados users on shell nodes (NSS)

Added by Peter Amstutz about 4 years ago. Updated 7 months ago.

Status: New
Priority: Normal
Assigned To: -
Category: -
Target version: Future
Story points: -
Release: 60
Release relationship: Auto

Description

This needs to be done via glibc NSS (Name Service Switch).

An NSS module is loaded by glibc and configured system-wide in /etc/nsswitch.conf; it lets a site customize lookups on the fundamental system databases (in this case, passwd).

If glibc can resolve a username to a valid Arvados user, then sshd's AuthorizedKeysCommand can look up that user's SSH public key on demand, and PAM can perhaps be used to set up the user session.

Some options to do this:

1. NIS (Network Information Service)

For remote user database lookups, glibc supports NIS (Network Information Service, formerly Sun Yellow Pages). This would involve running a NIS server. NIS is a very old Sun RPC based standard that is mostly obsolete now; LDAP would be a better choice (see below).

2. systemd NSS module (userdb Varlink API)

https://systemd.io/USER_GROUP_API/

"Each subsystem that needs to define users and groups on the local system is supposed to implement this API, and offer its interfaces on a Varlink AF_UNIX/SOCK_STREAM file system socket bound into the /run/systemd/userdb/ directory."

So the approach would be to create a service that binds a socket in that directory, speaks the Varlink user/group record protocol, looks up users in Arvados and answers with the corresponding user record. The same service could also create the home directory on demand.
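To make option 2 concrete, here is an added example in Go (not Arvados code, and not from the systemd project) of the request/reply side of such a service. The Arvados lookup is replaced by a constructed in-memory table, and the service name io.systemd.Arvados, the UID floor of 10000 and the home directory layout are assumptions. The handler answers io.systemd.UserDatabase.GetUserRecord with a JSON user record in Varlink's NUL-terminated framing, refuses enumeration, and rejects anything the remote directory returns that would collide with local accounts or carry an unsafe name.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"regexp"
)

// Assumed for this example: the service name (systemd expects the socket in /run/systemd/userdb/ to carry it)
// and a UID floor so that a remote record can never shadow root or a local system account.
const serviceName = "io.systemd.Arvados"
const minUID = 10000

// userRecord is the subset of a JSON User Record that glibc needs to build a passwd entry.
type userRecord struct {
	UserName      string `json:"userName"`
	UID           uint32 `json:"uid"`
	GID           uint32 `json:"gid"`
	HomeDirectory string `json:"homeDirectory"`
	Shell         string `json:"shell"`
	Disposition   string `json:"disposition"`
}

// Constructed sample data standing in for a lookup against the Arvados API; "mallory" is a bad record.
var directory = []userRecord{
	{"alice", 10001, 10001, "/home/alice", "/bin/bash", "regular"},
	{"bob", 10002, 10002, "/home/bob", "/bin/bash", "regular"},
	{"mallory", 0, 0, "/root", "/bin/bash", "regular"},
}

// Portable POSIX names only, so nothing built from the name later (home path, AuthorizedKeysCommand argument) can carry "../" or shell metacharacters.
var validUserName = regexp.MustCompile(`^[a-z_][a-z0-9_-]{0,31}$`)

type userQuery struct {
	UID      *uint32 `json:"uid"`
	UserName *string `json:"userName"`
	Service  string  `json:"service"`
}

type reply struct {
	Error      string      `json:"error,omitempty"`
	Parameters interface{} `json:"parameters,omitempty"`
}

func dbErr(name string) reply { return reply{Error: "io.systemd.UserDatabase." + name} }

// getUserRecord implements io.systemd.UserDatabase.GetUserRecord.
func getUserRecord(raw json.RawMessage) reply {
	var q userQuery
	switch {
	case len(raw) > 0 && json.Unmarshal(raw, &q) != nil:
		return reply{Error: "org.varlink.service.InvalidParameter", Parameters: map[string]string{"parameter": "parameters"}}
	case q.Service != serviceName:
		return dbErr("BadService")
	case q.UserName == nil && q.UID == nil:
		return dbErr("EnumerationNotSupported") // no "list every Arvados user" here
	case q.UserName != nil && !validUserName.MatchString(*q.UserName):
		return dbErr("NoRecordFound")
	}
	for i := range directory {
		rec := &directory[i]
		if (q.UserName != nil && rec.UserName != *q.UserName) || (q.UID != nil && rec.UID != *q.UID) {
			continue
		}
		// Check what the directory returned, not only what the caller asked for.
		if rec.UID < minUID || rec.GID < minUID || !validUserName.MatchString(rec.UserName) {
			break
		}
		return reply{Parameters: map[string]interface{}{"record": rec, "incomplete": false}}
	}
	return dbErr("NoRecordFound")
}

// handleMessage processes one Varlink message (JSON terminated by a NUL byte) and returns the reply in the same framing.
func handleMessage(msg []byte) []byte {
	var req struct {
		Method     string          `json:"method"`
		Parameters json.RawMessage `json:"parameters"`
	}
	rep := reply{Error: "org.varlink.service.InvalidParameter"}
	switch err := json.Unmarshal(bytes.TrimSuffix(msg, []byte{0}), &req); {
	case err != nil:
	case req.Method == "io.systemd.UserDatabase.GetUserRecord":
		rep = getUserRecord(req.Parameters)
	case req.Method == "io.systemd.UserDatabase.GetGroupRecord", req.Method == "io.systemd.UserDatabase.GetMemberships":
		rep = dbErr("NoRecordFound") // groups are left to other NSS sources in this example
	default:
		rep = reply{Error: "org.varlink.service.MethodNotFound", Parameters: map[string]string{"method": req.Method}}
	}
	out, _ := json.Marshal(rep)
	return append(out, 0)
}

func main() {
	// Stand-alone demo on a constructed request; a real service reads such messages from a unix socket.
	req := `{"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"userName":"alice","service":"io.systemd.Arvados"}}`
	fmt.Printf("%s\n", bytes.TrimSuffix(handleMessage([]byte(req+"\x00")), []byte{0}))
}
```

To deploy this, feed each NUL-terminated message from a SOCK_STREAM unix socket bound at /run/systemd/userdb/io.systemd.Arvados through handleMessage and write the reply back. The socket must be connectable by unprivileged processes (mode 0666), because nss-systemd runs inside whatever process calls getpwnam(); with `passwd: files systemd` in /etc/nsswitch.conf, `getent passwd alice` then reaches the service. The two validation points matter more than the protocol plumbing: the username check keeps path traversal and shell metacharacters out of the home-directory creation and AuthorizedKeysCommand steps, and the UID floor ensures a bad or compromised record in the remote directory cannot resolve to root or a system account.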

3. write our own module in Go

https://github.com/protosam/go-libnss

4. use LDAP/NSS

Use existing LDAP NSS module

https://wiki.debian.org/LDAP/NSS

Teach arvados-controller to answer LDAP queries:

https://github.com/glauth/glauth

https://github.com/vjeantet/ldapserver

Here's a blog post that describes how to combine LDAP, NSS, AuthorizedKeysCommand and PAM to enable public-key based login and create home directories on the fly:

https://shellpower.wordpress.com/2015/05/26/ssh-public-key-authentication-with-ldap-on-ubuntu/

Actions #1

Updated by Peter Amstutz about 4 years ago

  • Subject changed from arvados glibc nss module for users to support NIS or glibc NSS passwd service
Actions #2

Updated by Peter Amstutz about 4 years ago

  • Description updated (diff)
  • Subject changed from support NIS or glibc NSS passwd service to support NIS, varlink or glibc NSS passwd service
Actions #3

Updated by Peter Amstutz about 4 years ago

  • Description updated (diff)
  • Subject changed from support NIS, varlink or glibc NSS passwd service to support dynamic arvados users on shell nodes
Actions #4

Updated by Peter Amstutz about 4 years ago

  • Description updated (diff)
Actions #5

Updated by Peter Amstutz about 4 years ago

  • Description updated (diff)
Actions #6

Updated by Peter Amstutz about 4 years ago

  • Description updated (diff)
Actions #7

Updated by Peter Amstutz about 4 years ago

  • Subject changed from support dynamic arvados users on shell nodes to support dynamic arvados users on shell nodes (NSS)
Actions #8

Updated by Peter Amstutz over 1 year ago

  • Release set to 60
Actions #9

Updated by Peter Amstutz 7 months ago

  • Target version set to Future