
User Management

HPCBOX supports both OSLogin users and locally created users on the HPCBOX cluster, i.e. users who do not have identities in the Google Cloud project.

Regular Users

HPCBOX supports OSLogin, SSH Metadata Keys and Username/Password authentication for regular users. When using Username/Password authentication, the created users are local to the HPCBOX cluster and do not need to be created in Google IAM. Additionally, SSH Keys can be easily created using the HPCBOX Connect Application when logging in for the first time.

  • Set up SSH Keys for the regular users following documentation here
  • Make sure the user has the necessary roles as described in the Google documentation.
  • Users can then generate SSH Keys and have them added to enable OSLogin using gcloud CLI as documented here

Accessing the HPCBOX Cluster

If your HPCBOX cluster has dedicated Login Nodes, regular users can access the Login Nodes and work from there. If you do not have Login Nodes, then all users can use the Head/Management Node to access the HPCBOX cluster. However, all users other than the first Administrator user need configuration for accessing the Head/Management Node.

Allow users to access the Head/Management Node

warning

Although users who can access the head node will not have sudo access when they are removed from the google-sudoers group and/or /etc/sudoers.d/hpcbox, any user who can log on to the head node can perform HPCBOX management operations like Shutdown on the cluster.

When using SSH Metadata Keys or local usernames/passwords on the head node

Once deployed, log on to the head/management node (prefixed with -m-01) as the admin user and allow other users to access the management node by following the steps below:

  • Get a root terminal by executing sudo -i

  • Make sure the .ssh directory exists for the user under their HOME directory, for example, if the new user is drzuser3:

    ls -la /data/home/drzuser3/.ssh
    drwx------. 2 drzuser3 drzuser3 29 Apr 16 13:16 .
    drwx------. 4 drzuser3 drzuser3 90 Apr 16 13:16 ..
    -rw-------. 1 drzuser3 drzuser3 580 Apr 16 13:16 authorized_keys

  • Sometimes the management node needs a reboot before it can import the SSH Metadata keys

  • Edit /etc/ssh/sshd_config and add additional users to the AllowUsers section, for example, the following setting allows both drzadm and drzuser3 to access the management node.

    AllowUsers drzadm drzuser3
  • Restart the sshd daemon with systemctl restart sshd

warning

By default, Google adds the users to the google-sudoers group. If you do not want users to have sudo power on the Head/Management node, make sure you remove the user from the google-sudoers group. For example, to remove sudo access for the user drzuser3:

    gpasswd --delete drzuser3 google-sudoers

When using OS-Login

Google automatically adds the user's SSH keys to the head and worker nodes when using OS-Login. However, to allow SSH access to the head/management node, we need to explicitly allow SSH access to the head node.

Once deployed, log on to the head/management node (prefixed with -m-01) as the admin user and allow other users to access the management node by following the steps below:

  • Get a root terminal by executing sudo -i

  • Edit /etc/ssh/sshd_config and add additional users to the AllowUsers section, for example, the following setting allows both ext_drz_drizti_com and adm_drizti_com to access the management node.

    AllowUsers ext_drz_drizti_com adm_drizti_com
  • Restart the sshd daemon with systemctl restart sshd
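
The AllowUsers edit and sshd restart from both procedures above (SSH Metadata Keys and OS-Login) can be scripted so that a malformed sshd_config is caught before the restart. This is an added example, not HPCBOX code: the function names and the script name are hypothetical, and it assumes the keyword is spelled AllowUsers as shown above.

```bash
#!/usr/bin/env bash
# Added example, not HPCBOX code; allow_user and apply_change are hypothetical names.
# Append USER to the first active AllowUsers line of CONFIG (idempotent).
# Returns 0 = added, 1 = already listed, 2 = bad username or no active
# AllowUsers line (adding one would restrict SSH logins to the users it lists).
allow_user() {
  local config="$1" user="$2" tmp rc
  case $user in                  # plain account names only: no patterns or spaces
    ''|*[!a-z0-9_.-]*|[!a-z_]*) return 2 ;;
  esac
  tmp=$(mktemp) || return 2
  awk -v u="$user" '
    !seen && /^[ \t]*AllowUsers[ \t]/ {
      seen = 1
      for (i = 2; i <= NF; i++) if ($i == u) present = 1   # exact match, not prefix
      if (!present) { sub(/[ \t]+$/, ""); $0 = $0 " " u }
    }
    { print }
    END { exit present ? 1 : (seen ? 0 : 2) }' "$config" > "$tmp"
  rc=$?
  if [ "$rc" -eq 0 ]; then
    # Keep a backup, then overwrite in place so owner, mode and SELinux label stay.
    { cp -p "$config" "$config.bak" && cat "$tmp" > "$config"; } || rc=2
  fi
  rm -f "$tmp"
  return "$rc"
}

# Check the edited file with sshd test mode before restarting; restore the
# backup on failure so a bad edit cannot lock the admin out.
apply_change() {
  if sshd -t -f "$1"; then
    systemctl restart sshd
  else
    cp -p "$1.bak" "$1"
    return 1
  fi
}

# Usage (as root on the head node): ./allow-head-node-user.sh drzuser3
if [ -n "${1:-}" ]; then
  rc=0; allow_user /etc/ssh/sshd_config "$1" || rc=$?
  case $rc in
    0) apply_change /etc/ssh/sshd_config ;;
    1) echo "$1 is already listed in AllowUsers" ;;
    *) echo "no change: invalid user name or no AllowUsers line" >&2; exit 2 ;;
  esac
fi
```

Keep the existing root session open until a second login as the admin user succeeds after the restart.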

tip

Users who need sudo access on the head node can have entries for their user accounts in /etc/sudoers.d/hpcbox.