User management in a TrinityX cluster
Root, admins and users
During the installation of TrinityX a group for admins is created. The actual name can be changed in group_vars/all.yml before the installation; see the Installation section for more information. Users that are members of the admins group have elevated permissions and are allowed to use the Luna graphical applications to modify the cluster.
In general TrinityX follows a three-tier philosophy, in which root should not be used unless it is really needed. Root users should not be allowed to log in directly on the command line or through the portal. For administrative purposes, the admins group provides the permissions needed for day-to-day administration through the portal. When root permissions are required, sudo or su should be used.
Regular users have regular permissions: in normal situations, access to their own files and a more limited portal view than admins. Users, including admin users, are generally not created by the installation and need to be added afterwards. The Open OnDemand section shows how to create an admin user, e.g. for portal usage.
User management in TrinityX is handled by a utility called obol. Obol is a simple wrapper around LDAP commands that updates the local LDAP directory installed by default. It supports both user and group management in almost the same way those would be handled by the default Linux utilities.
Obol
Obol can manage users and groups on the local LDAP directory and it supports the following attributes for users:
| Attribute | Description |
|---|---|
| password | User’s password |
| cn | User’s name (common name) |
| sn | User’s surname |
| givenName | User’s given name |
| group | The primary group the user belongs to |
| uid | The user’s ID |
| gid | The primary group’s ID |
| | Email address of the user |
| phone | Phone number |
| shell | Default shell |
| groups | A comma-separated list of additional group names to add the user to |
| expire | Number of days after which the account expires. If set to -1, the account will never expire |
To create or modify a user, run:
obol user add|modify ...
Please note that running obol commands requires root privileges.
Managing groups is similarly achieved using:
obol group [command] ...
Where [command] can be add, show, delete, list, addusers, or delusers. For the full list of the commands supported by obol, run:
obol user -h
obol user [command] -h
obol group -h
obol group [command] -h
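The attributes in the table above map onto standard LDAP attributes of the posixAccount, shadowAccount and inetOrgPerson object classes. The following added example, which is not part of TrinityX or obol, shows what a wrapper such as obol has to do behind the scenes: validate the input, hash the password before it reaches the directory, translate the expire value into shadowExpire, and render an LDIF entry that could be fed to ldapadd with a privileged bind. The attribute mapping, the username pattern, the shell allowlist, the base DN and the sample date are assumptions made for this illustration; obol's own internals are not documented on this page.

```python
import base64
import hashlib
import hmac
import os
import re
from datetime import date
from typing import Optional

# Assumed mapping of obol's attribute names onto LDAP attributes; the page does
# not document how obol stores them, this is an illustration only.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # assumed policy
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh", "/sbin/nologin"}  # constructed allowlist
EPOCH = date(1970, 1, 1)
SAMPLE_DAY = date(2024, 1, 1)  # constructed "today" so results are reproducible


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt).
    Hashing before the entry is written keeps the plaintext out of the directory
    and out of any LDIF file left on disk."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value (salt is whatever follows the 20-byte digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def expire_to_shadow(expire_days: int, today: Optional[date] = None) -> Optional[int]:
    """Translate obol's 'expire' (days from today, -1 = never) into shadowExpire,
    which the directory stores as days since the Unix epoch."""
    if expire_days == -1:
        return None
    if expire_days < 0:
        raise ValueError("expire must be -1 (never) or a non-negative number of days")
    today = today or date.today()
    return (today - EPOCH).days + expire_days


def _attr(name: str, value: str) -> str:
    """Render one LDIF line, refusing values that would inject extra attribute lines."""
    if any(c in value for c in "\r\n\0") or value[:1] in (" ", ":", "<"):
        raise ValueError(f"unsafe value for {name}: {value!r}")
    return f"{name}: {value}"


def build_user_ldif(base_dn: str, username: str, password: str, uid: int, gid: int,
                    cn: Optional[str] = None, sn: Optional[str] = None,
                    given_name: Optional[str] = None, email: Optional[str] = None,
                    phone: Optional[str] = None, shell: str = "/bin/bash",
                    expire: int = -1, today: Optional[date] = None) -> str:
    """Validate the fields from the attribute table and render an LDIF entry.
    The entry is later written with a privileged bind, so bad input is rejected
    here rather than discovered in the directory."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"invalid username: {username!r}")
    if shell not in ALLOWED_SHELLS:
        raise ValueError(f"shell not in allowlist: {shell}")
    if uid < 1000 or gid < 1000:
        raise ValueError("uid/gid below 1000 are reserved for system accounts")
    lines = [
        f"dn: uid={username},ou=People,{base_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        _attr("uid", username),
        _attr("cn", cn or username),
        _attr("sn", sn or username),  # inetOrgPerson requires sn
        _attr("uidNumber", str(uid)),
        _attr("gidNumber", str(gid)),
        _attr("homeDirectory", f"/home/{username}"),
        _attr("loginShell", shell),
        _attr("userPassword", ssha_hash(password)),
    ]
    for name, value in (("givenName", given_name), ("mail", email), ("telephoneNumber", phone)):
        if value:
            lines.append(_attr(name, value))
    shadow = expire_to_shadow(expire, today)
    if shadow is not None:
        lines.append(_attr("shadowExpire", str(shadow)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample user; the output could be piped into
    # "ldapadd -x -D <admin bind dn> -W" by a privileged administrator.
    print(build_user_ldif("dc=cluster,dc=local", "alice", "s3cret", 1001, 1001,
                          sn="Smith", email="alice@example.org", expire=30, today=SAMPLE_DAY))
```

The two checks worth noting are the LDIF line filter in `_attr`, which stops a surname or phone value containing a newline from smuggling an extra attribute into the entry, and the shell allowlist, which is what keeps a user-supplied "shell" value from becoming an arbitrary login program.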
Graphical User management
For ease of use, TrinityX comes with a graphical user interface to manage users.
By default, only users who are members of the admins group have permission to use this application and, as such, to manage users.
Authentication backends
TrinityX installations come with an OpenLDAP directory by default. This directory is used for authentication across the cluster. TrinityX does support other backends as well like Active Directory (AD) or Native IPA.
Note: Luna has a secrets mechanism designed to store e.g. keytabs or any other node-specific 'secret'.