Integration of HPC with Open OnDemand + FreeIPA

I’m not familiar with HPC or Open OnDemand, as I work as an IAM engineer. One of our clients has an HPC setup and currently uses FreeIPA for login and authentication against Active Directory (AD) credentials. They are planning to integrate Open OnDemand, but we are unsure how this integration will work—specifically, whether it will be standalone or built on top of FreeIPA.

Could someone from the Open OnDemand team provide video tutorials or documentation on how OpenID is integrated for accessing HPC?

Additionally, the client has an affiliate organization that needs access to the HPC cluster. Currently, Organization A has created accounts for the affiliate Organization B in their Active Directory. However, they want users from Organization B to access the HPC directly without needing to manage their identities.

We are considering an OIDC integration between Open OnDemand and their IAM tool, such as Okta or Entra, which would allow users to authenticate through Open OnDemand. However, I need clarification on whether Open OnDemand requires local user accounts in the HPC cluster. If so, how can these users be added before they log in?

If the client integrates Open OnDemand on top of FreeIPA, will Open OnDemand be able to access the local accounts? If so, what configurations are necessary on the Open OnDemand side?

I’m quite confused about the exact requirements for Open OnDemand to authenticate users and allow them access to the cluster. We plan to pass the GID of Organization B users; will that work? Does Open OnDemand need to verify that the GID exists in the cluster?

Hi and welcome!

Open OnDemand utilizes apache httpd for its frontend. So for any authentication integration questions - you can really swap Open OnDemand with apache httpd.

Now to user mapping - with a link below to our documentation.

Yes it does. Basically apache will return the REMOTE_USER after logging in. This REMOTE_USER has to map to a local (or LDAP) user. Open OnDemand boots a per user nginx (PUN) for each user and this webserver is what serves HTML pages and interacts with the scheduler as that user (by issuing CLI commands like sbatch or squeue). There is no root-like service switching for the user. Instead nginx is running as that local or LDAP user and interacting with the scheduler as that user.

You can pass a UID as the REMOTE_USER to map to a string username, but I don’t think GID (group IDs) will work.

Besides, even if you could let everyone in Organization B login - what account/user would they use to interact with the scheduler? AFAIK every scheduler requires an actual Linux user to submit jobs - not just a group GID. You do not want every member of Organization B mapping to one single user as that’s likely to cause conflicts not only with OnDemand but with the files they would all use (they’d all share the same $HOME as that 1 single user).
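To make the mapping requirement concrete, here is an added example of a custom user-mapping script of the kind Open OnDemand's `user_map_cmd` setting can point at (this is illustrative code written for this thread, not code shipped by the Open OnDemand project). It assumes the documented contract that the script receives REMOTE_USER as its only argument and prints the local username on stdout (empty output / non-zero exit means "no account, deny"); the allowed domain `orgb.example` and the passwd table in the comments are constructed for illustration.

```python
#!/usr/bin/env python3
"""Map Apache's REMOTE_USER to a local (or LDAP/FreeIPA-provided) account.

Accepts either a numeric UID or a name, optionally in user@domain form as an
OIDC provider would send it. A group ID is never mapped: the per-user nginx
(PUN) must run as exactly one account, so a GID cannot identify a login.
"""
import pwd
import re
import sys

EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def nss_lookup(key):
    """Resolve a username or numeric UID via NSS (local files, SSSD/FreeIPA).

    Returns the account name, or None when no such account exists.
    """
    try:
        if key.isdigit():
            return pwd.getpwuid(int(key)).pw_name
        return pwd.getpwnam(key).pw_name
    except KeyError:
        return None


def map_remote_user(remote_user, allowed_domains, lookup=nss_lookup):
    """Return the local username for REMOTE_USER, or None to deny the login.

    allowed_domains: lowercase identity-provider domains trusted to supply
    names (e.g. the affiliate organisation's tenant); other domains are denied.
    lookup: account resolver, injectable so the logic can be tested offline.
    """
    remote_user = remote_user.strip()
    if not remote_user:
        return None
    if remote_user.isdigit():
        # Numeric value is treated as a UID only; there is no GID fallback.
        return lookup(remote_user)
    match = EMAIL_RE.match(remote_user)
    if match:
        local_part, domain = match.groups()
        if domain.lower() not in allowed_domains:
            return None
        return lookup(local_part)
    return lookup(remote_user)


if __name__ == "__main__":
    # Constructed trusted domain; replace with the provider's real domain.
    name = map_remote_user(sys.argv[1] if len(sys.argv) > 1 else "", {"orgb.example"})
    if name is None:
        sys.exit(1)  # no matching account: Open OnDemand shows an error, PUN never starts
    print(name)
```

Provisioning the account in FreeIPA/AD (so `getent passwd` resolves it on every cluster node) must therefore happen before the user's first Open OnDemand login; the script only confirms the account exists, it cannot create it.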