Cluster-as-a-Service - Identity Manager


This article describes how to deploy and use the JASMIN Cluster-as-a-Service (CaaS) Identity Manager.

Introduction  

The Identity Manager consists of a FreeIPA server, a Keycloak server and a gateway/proxy server that work together to provide a single identity across all cluster types, whether accessed via a web browser, SSH or custom CLI tools like kubectl.

FreeIPA is an open-source identity management system specifically designed to manage Linux hosts and the user accounts on those hosts. To do this, it integrates LDAP, Kerberos, NTP, DNS and a certificate authority into a single unit that is easy to install and configure.

Keycloak is an open-source product that provides single sign-on (SSO) using OpenID Connect and SAML, primarily aimed at web-based services.

FreeIPA and Keycloak are powerful systems, and a full discussion of their capabilities is beyond the scope of this article. This article focuses on their use within the CaaS system, which will be sufficient for the vast majority of users. Usage that deviates from what is described in the JASMIN CaaS documentation is not explicitly supported, should something go wrong.

All hosts deployed using CaaS are registered with the FreeIPA instance for your tenancy, and FreeIPA provides DNS, user/group management and access control policies for those hosts. FreeIPA is also the single source of truth for users and groups on your clusters. It is not possible to link with other accounts, including JASMIN accounts. Keycloak is used to provide OpenID Connect support for web applications, and for Kubernetes authentication. Although Keycloak can manage its own users and groups, in the Identity Manager setup it consumes the users and groups from FreeIPA via the LDAP integration in order to provide a single user account across all clusters.

The web interfaces for FreeIPA and Keycloak are exposed through a single gateway/proxy host. This host is also configured to allow SSH access for all active users, which means it can be used with SSH agent forwarding as a jump host for SSH access to clusters without an external IP (similar to the way that the MISSING LINK work).
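As an added example (not part of the JASMIN documentation), a client-side ssh_config entry that uses the gateway as a jump host. It assumes the gateway IP from the table below (192.171.139.83, so the default domain 192-171-139-83.sslip.io), a FreeIPA user named alice and a hypothetical internal host name worker-1.internal. It uses ProxyJump rather than agent forwarding, so the gateway relays the TCP connection but never sees the private key or the agent socket.

```ssh_config
# Added example; placeholders, not values from the JASMIN docs:
#   192-171-139-83.sslip.io -> default gateway domain for External IP 192.171.139.83
#   alice                   -> a user created in FreeIPA
#   worker-1.internal       -> a cluster host with no external IP (hypothetical)

Host caas-gateway
    HostName 192-171-139-83.sslip.io
    User alice
    # The key whose public half is registered under the user's "SSH public keys" in FreeIPA.
    IdentityFile ~/.ssh/id_ed25519_caas
    # Offer only this key, so unrelated keys in the agent are not presented to the gateway.
    IdentitiesOnly yes

# Cluster host reachable only through the gateway.
Host worker-1
    HostName worker-1.internal
    User alice
    IdentityFile ~/.ssh/id_ed25519_caas
    IdentitiesOnly yes
    # ProxyJump opens a tunnel through caas-gateway; authentication to worker-1
    # happens end to end from the client, so the private key stays local.
    ProxyJump caas-gateway
    # Not needed with ProxyJump; leaving it off keeps the agent off the gateway.
    ForwardAgent no
```

With this in place, `ssh worker-1` connects via the gateway, and the same FreeIPA-registered key is presented at both hops.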

The Identity Manager does not have self-service user registration or password reset - these operations must be performed by an admin on behalf of the user.

Cluster configuration  

The following variables are available when creating an Identity Manager:

Variable: External IP
Description: The external IP that will be attached to the gateway host. This is the IP that can be used as a jump host for SSH access.
Required: Yes. Can be updated: No.

Variable: Admin password
Description: The password for the admin account. When the Identity Manager is created, this is the only user that exists. Please make sure you choose a secure password. WARNING: This password cannot be changed. Changing the admin password in the FreeIPA web interface will break cluster configuration for all clusters.
Required: Yes. Can be updated: No.

Variable: Admin IP ranges
Description: One or more IP ranges from which admins will access the FreeIPA and Keycloak web interfaces, in CIDR notation. Any attempt to access the admin interfaces from an IP address that is not in these ranges will be blocked. FreeIPA and Keycloak allow the creation and modification of users and permissions for all your clusters, so it is recommended that this range be as small as possible. If you are not sure what value to use here, contact your local network administrator to find out the appropriate value for your network.
Required: Yes. Can be updated: Yes.

Variable: FreeIPA size
Description: The machine size to use for the FreeIPA server.
Required: Yes. Can be updated: No.

Variable: Keycloak size
Description: The machine size to use for the Keycloak server.
Required: Yes. Can be updated: No.

Variable: Gateway size
Description: The machine size to use for the gateway server.
Required: Yes. Can be updated: No.

Variable: Gateway domain
Description: The domain to use for the gateway server. If left empty, <dashed-gateway-ip>.sslip.io is used (this uses the sslip.io service). For example, if the selected gateway IP is 192.171.139.83, the domain will be 192-171-139-83.sslip.io. If given, the domain must already be configured to point to the External IP, otherwise configuration will fail. Only use this option if you have control over your own DNS entries - the CaaS system will not create a DNS entry for you.
Required: No. Can be updated: No.

Once configuration is complete, the FreeIPA web interface will be available at https://<gateway domain>. You should be able to authenticate with the username admin and the password that was given at deployment time:

Figure: FreeIPA web interface

The Keycloak web interface is available at https://<gateway domain>/auth/. You should be able to authenticate with the same username and password as FreeIPA.

Figure: Keycloak web interface

Managing users  

The users of your clusters are not related in any way to JASMIN users - in fact, there is no requirement that the users of your clusters have a JASMIN account. The pattern we encourage is that one or more admins with JASMIN accounts and access to the JASMIN Cloud Portal deploy and maintain clusters on behalf of their users. Those admins can then create user accounts and grant access to clusters for their own users without those users even needing to be aware of JASMIN.

Creating a user  

To add a new user, first log in to the FreeIPA interface. Do not add users via the Keycloak interface. You will be taken to the users panel, where you click the Add button:

Figure: FreeIPA interface: adding a new user

This will pop up a dialogue for you to populate some basic information about the user. The User login, First name, Last name and New/Verify password fields are the ones that need to be populated. Pick a strong password for the user - they can change this later via the FreeIPA interface if they wish:

Figure: User information dialogue

Click Add to create the user. You must then securely distribute this password to the user - if possible, write it down and give it to them in person, otherwise use an encrypted email.

The first time they log in, they will be asked to set a new password. Make sure they do this as soon as possible:

Figure: Update password dialogue

The newly added user cannot do anything except view the users and modify some of their own information. They can see, but not edit, their group memberships.

Figure: View of user info

Adding an SSH public key  

Adding an SSH public key can be done either by the user themselves or by an admin. First, navigate to the details page for the user. In the Account Settings section, there is an item called SSH public keys. Click the Add button next to it:

Figure: Adding an SSH key (1)

This will open a dialogue where the SSH public key can be entered:

Figure: Adding an SSH key (2)

After clicking Set, the user interface will show New: key set under the SSH public keys item. However, the key is not preserved until the user is saved by clicking the Save button:

Figure: Adding an SSH key (3)

Once saved, the content of the SSH public keys item will change to a fingerprint, which means the key was saved correctly. The key can be updated or deleted at any point in the future if the associated private key is compromised or lost:

Figure: Adding an SSH key (4)

Changing a user’s password  

FreeIPA has no facility for self-service password reset; however, users can change their own password, or an admin can reset it on their behalf. The procedure is the same in both cases, except that when changing their own password the user is required to provide their current password as well as the new one.

To change a user’s password, first navigate to the user details page then select Reset password from the Actions dropdown:

Figure: Reset password (1)

This will open a dialogue where a new password can be entered. An admin changing the password on behalf of another user will only see the New/Verify Password fields:

Figure: Reset password (2)

A user resetting their own password will also see Current Password and OTP fields. The current password must be provided. OTP can be ignored.

Figure: User resetting own password

After clicking Reset Password, the password is changed.

If a user’s password is reset by an admin, the user will be asked to change their password the first time they log in, like when a new user is created.

Deleting a user  

To delete a user, navigate to the Identity > Users > Active users page. On this page, check the box next to the user you want to delete, then click the Delete button:

Figure: Deleting a user (1)

In the confirmation dialogue that pops up, make sure to select preserve as the Delete mode - it is not recommended to permanently delete users:

Figure: Deleting a user (2)

Upon clicking the Delete button, the user will be moved to the Preserved users section:

Figure: Deleting a user (3)

They will no longer show up as a user on any CaaS hosts or in Keycloak. They can be easily restored by selecting the user and clicking the Restore button.

Managing groups  

When you deploy a cluster through CaaS, it may create one or more access control groups in FreeIPA as part of its configuration. Some clusters can also consume additional groups created in FreeIPA. This is discussed in more detail in the documentation for each cluster type, but the way you manage group membership is the same in all cases.

Creating a new group  

To create a new group, navigate to the Identity > Groups > User groups section and click the Add button:

Figure: Creating a new group (1)

In the resulting dialogue, set the Group name and, if you wish, a Description (recommended!). The Group Type can be left as POSIX, even if the group is only to be used for OpenID Connect. If GID is left empty, a free GID will be allocated:

Figure: Creating a new group (2)

After clicking the Add button, the new group will be available for adding users.

Adding and removing users  

First, navigate to the Identity > Groups > User groups section:

Figure: Adding/removing users (1)

Click on the group that you want to add/remove users for to get to the details page for that group. To add users, click the Add button:

Figure: Adding/removing users (2)

In the dialogue that pops up, select the users you want to add and click the > button to move them from Available to Prospective:

Figure: Adding/removing users (3)
Figure: Adding/removing users (4)

Click Add to add the users to the group.

To remove users from a group, select them in the user list for the group and click Delete:

Figure: Adding/removing users (5)

Upon confirmation, the users will be removed from the group.

The admins group  

There is one special group that is created in FreeIPA by default, called admins. This group is respected by all cluster types and members are granted permissions across all clusters deployed using CaaS, including (but not limited to):

  • Full admin access to the FreeIPA and Keycloak web interfaces
  • SSH access to all hosts deployed using CaaS
  • cluster-admin access to all Kubernetes clusters
  • Access to all Pangeo clusters

Managing OpenID Connect clients  

For an application to use OpenID Connect to authenticate users, it must first be registered as a client with Keycloak. Clients are issued with an ID and secret so that Keycloak knows which application is making an authorisation request.

To manage your OpenID Connect clients, go to Keycloak at https://<gateway domain>/auth/ and click Administration Console. Upon signing in with valid admin credentials (see The admins group above) you will be redirected to the Keycloak admin console. Click on Clients in the menu to see the list of clients:

Figure: Keycloak admin console

Keycloak itself uses OpenID Connect to handle authentication for its web and command-line interfaces, so there are several clients related to Keycloak operations. CaaS will also automatically create new OpenID Connect clients for clusters that need them - most notably Kubernetes clusters - in which case the client will be named after the cluster. The client with Client ID kubernetes in the list above is an example of a client created by CaaS.

In order to configure an OpenID Connect client to talk to Keycloak, you also need the client secret. To find out the secret for a client, click on the client and then click on the Credentials tab:

Figure: Keycloak: credentials tab

The client secret is then shown in a disabled text box, from which it can be copied:

Figure: Keycloak: client secret
Last updated on 2024-09-05 as part of:  replacing refs using old syntax & tidied some other links (f03769a9c)