User Sessions
The Virtual Cluster is accessed through a web application which allows for either terminal (SSH) or graphical sessions. Graphical desktop sessions can be accessed if the Virtual Cluster is equipped with a “session” partition. The web application is based on Guacamole. The web interface can be accessed by entering the public DNS name (if defined) or the public IP address of the “frontend” instance in the address bar of a web browser.
The web application relies on the OpenLDAP user database for authentication, i.e., once users have been created as described in Authentication and Authorization they will be able to log in and use the Virtual Cluster. This chapter describes how to manage the SSH and graphical sessions using the tool vc-session-manager found on the “service” instance.
Terminal Sessions
Terminal (SSH) sessions do not rely on the existence of the “session” partition, i.e., this type of session is available for all configurations of the Virtual Cluster. The command:
sudo -i vc-session-manager -a add -u <username> -t ssh
can be used to allow access to an SSH session for user <username>.
If the command completes successfully, the SSH session for the user has been
added to the connection database of the Virtual Cluster and the user can
access the SSH session from the web frontend.
To deny SSH access for a user, execute the following command:
sudo vc-session-manager -a delete -u <username> -t ssh
Please note that this will not terminate any active sessions, but only deny creation of a new SSH session for the particular user. The state of an SSH session for a user can be found by executing the following command:
sudo vc-session-manager -a status -u <username> -t ssh
Graphical Sessions
If the Virtual Cluster is configured with a Virtual Desktop Infrastructure (VDI), i.e., a “session” partition (see Virtual Cluster Architecture), users can get access to graphical sessions to use the Schrödinger Suite frontend (Maestro) and other graphical programs. The sessions themselves as well as the instances hosting the sessions are automatically managed by the Virtual Cluster based on user demand, i.e., if a user is allowed to log in to a graphical session, a login triggers the creation of an instance which can host the graphical desktop, unless such an instance is already up and running.
Note
One instance in the “session” partition can host more than one graphical session. To minimize the cost for these resources the number of graphical sessions per instance is maximized accordingly by the workload management system.
As the creation of a new instance may need up to a few minutes, a user may need to wait for the graphical desktop to appear until the instance is ready.
The following commands can be used to interact with the session database and the active sessions to change or query these permissions.
To allow a user to create a graphical session, the following command can be executed:
sudo -i vc-session-manager -a add -u <username> -t vnc
An active graphical session can be terminated using the command:
sudo -i vc-session-manager -a terminate -u <username> -t vnc
A session is also terminated automatically once the user closes the browser tab connected with the session or explicitly logs out using the controls of the web application. Instances in the “session” partition are terminated automatically after being idle for a few minutes, i.e., if they are no longer hosting any graphical sessions.
Data Transfer
Data can be transferred between the Virtual Cluster and a
client system via the web application. In order to start a data
transfer users need to be authenticated and logged in to a session.
The file transfer function can be accessed by pressing Ctrl+Alt+Shift and clicking on the “Devices” section of the sidebar (see image).
Multi-factor Authentication
Multi-factor authentication is enabled by default in most configurations
of a Virtual Cluster. This adds additional security as a successful login
requires possession of a “second factor” in addition to the login credentials.
The second factor is typically a smartphone application such as “Google Authenticator”,
“Authy”, “Microsoft Authenticator” or other similar applications. A user
is requested to enroll a second factor upon first login to the system. The
multi-factor authentication can be reset using the vc-session-manager
program:
sudo -i vc-session-manager -a reset-mfa -u <username>
This is useful when a user has lost access to the second factor. After the multi-factor authentication has been reset, the user is asked to register a new second factor upon the next login.