
Authentication and Authorization

The Virtual Cluster uses OpenLDAP for user authentication. The OpenLDAP server is hosted by the “service” instance. The vc-account-manager tool used to interact with the server is also available on the “service” instance. It is strongly recommended to use this tool to manage the user accounts on the Virtual Cluster.

Authorization Levels

There are two authorization levels on a Virtual Cluster: “admin” and “user”. The “admin” authorization level allows a user to impersonate other users without knowing their access credentials and grants privileged access to all systems of the Virtual Cluster. Only the “admin” account has this authorization level by default, but other users can be granted it as well.

Warning

The “admin” authorization level should only be granted to users who are experienced in interacting with cluster systems and services. Executing commands with “admin” permissions can severely damage the system.

Creating, Modifying, Listing, and Deleting User Accounts

Accounts can be managed using the vc-account-manager tool available on the “service” instance. The tool must be executed as the root user or using sudo.

A new user account can be created using the following command:

sudo -i vc-account-manager create -u <username> -a <auth-level> ...

where <username> should be replaced with the username of the account to be created. The vc-account-manager program will interactively query for the password of the new user account. The <auth-level> specifies whether the user account is created with the “user” authorization level (default) or with the “admin” authorization level (see Authorization Levels).

Some properties (e.g., password and authorization level) can be changed after creation using:

sudo -i vc-account-manager modify -u <username> ...

A user account can be deleted using the following command:

sudo -i vc-account-manager delete -u <username> ...

The command:

sudo -i vc-account-manager list

shows a list of all user accounts and their authorization levels.