Authentication and Authorization
The Virtual Cluster uses OpenLDAP for user authentication. The OpenLDAP server is hosted by the “service” instance, but interaction with the service is possible from any other instance of the Virtual Cluster. The vc-account-manager tool used to interact with the server is available on all instances.
Authorization Levels
There are two authorization levels on a Virtual Cluster: “admin” and “user”. The “admin” authorization level allows impersonating other users without knowing their access credentials and grants privileged access to all systems of the Virtual Cluster. Only the “admin” account has this authorization level by default, but other users can be granted it as well.
Warning
The “admin” authorization level should only be granted to users who are experienced in interacting with cluster systems and services. Executing commands with “admin” permissions can severely damage the system.
Creating, Modifying, Listing, and Deleting User Accounts
Accounts can be managed using the vc-account-manager tool, which needs to be executed as the root user or using sudo.
A new user account can be created using the following command:
sudo vc-account-manager create -u <username> -a <auth-level> ...
The “vc-account-manager” program will interactively query for the password of the new user account.
Some properties (e.g., password and authorization level) can be changed after creation using:
sudo vc-account-manager modify -u <username> ...
A user account can be deleted using the following command:
sudo vc-account-manager delete -u <username> ...
The command:
sudo vc-account-manager list
shows a list of all user accounts and their authorization levels.
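Because the “admin” level grants impersonation and privileged access everywhere, it is worth checking periodically that no account beyond the approved ones holds it. The following audit helper is an added example, not part of the Virtual Cluster tooling; it assumes that “sudo vc-account-manager list” prints one account per line as “<username> <auth-level>” (adjust the awk field numbers if the real format differs) and uses constructed sample output so it runs offline.

```shell
#!/bin/sh
# Audit helper (added example, not part of the Virtual Cluster tooling).
# Assumed list format: one account per line, "<username> <auth-level>".
# Live use: sudo vc-account-manager list | audit_admins "admin"

# Print every account holding the "admin" authorization level whose name
# is not in the whitespace-separated approved list given as $1.
unapproved_admins() {
    awk -v approved="$1" '
        BEGIN {
            n = split(approved, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        NF >= 2 && $2 == "admin" && !($1 in ok) { print $1 }
    '
}

# Report unapproved admin-level accounts on stderr; return 1 if any exist,
# so the function can run as a scheduled drift check.
audit_admins() {
    found=$(unapproved_admins "$1")
    if [ -n "$found" ]; then
        printf 'Unapproved admin-level account(s):\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample output standing in for "sudo vc-account-manager list".
SAMPLE_LIST='admin admin
alice user
bob admin
carol user'

# Run the check against the sample with only the built-in "admin" approved.
printf '%s\n' "$SAMPLE_LIST" | audit_admins "admin" || echo "drift detected"
```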