38,760
edits
Automation in the context of multifactor authentication/en: Difference between revisions
Jump to navigation
Jump to search
Automation in the context of multifactor authentication/en (view source)
Revision as of 16:09, 11 March 2024
, 7 months agoUpdating to match new version of source page
(Updating to match new version of source page) |
(Updating to match new version of source page) |
||
| Line 3: | Line 3: | ||
Automated workflows which connect to the clusters without human intervention cannot make use of a second authentication factor. In order to execute such workflows after MFA becomes a requirement, you must request access to one of our special nodes. These nodes will not require the use of a second factor, but will be otherwise much more limited than regular login nodes in terms of the type of authentication they accept and the type of action that they can be used to perform. | Automated workflows which connect to the clusters without human intervention cannot make use of a second authentication factor. In order to execute such workflows after MFA becomes a requirement, you must request access to one of our special nodes. These nodes will not require the use of a second factor, but will be otherwise much more limited than regular login nodes in terms of the type of authentication they accept and the type of action that they can be used to perform. | ||
= Increased security | = Increased security constraints = | ||
== Available only by request == | == Available only by request == | ||
Users who need to make use of automated workflows for their research must first contact our [[technical support]] to be allowed to use these nodes. When contacting us, please explain in detail the type of automation you intend to use as part of your workflow. Tell us what commands will be executed and what tools or libraries you will be using to manage the automation. | Users who need to make use of automated workflows for their research must first contact our [[technical support]] to be allowed to use these nodes. When contacting us, please explain in detail the type of automation you intend to use as part of your workflow. Tell us what commands will be executed and what tools or libraries you will be using to manage the automation. | ||
== Available only through | == Available only through constrained SSH keys == | ||
The only accepted means of authentication for the automation nodes will be through [[SSH_Keys#Using_CCDB|SSH keys uploaded to the CCDB]]. SSH keys written in your <i>.ssh/authorized_keys</i> file are not accepted. In addition, the SSH keys <b>must</b> obey the following constraints. | The only accepted means of authentication for the automation nodes will be through [[SSH_Keys#Using_CCDB|SSH keys uploaded to the CCDB]]. SSH keys written in your <i>.ssh/authorized_keys</i> file are not accepted. In addition, the SSH keys <b>must</b> obey the following constraints. | ||
| Line 20: | Line 20: | ||
== Convenience wrapper scripts to use for <code>command=</code> == | == Convenience wrapper scripts to use for <code>command=</code> == | ||
<code>command</code> constraints can specify any command, but they are most useful when using a wrapper script which will accept or reject commands based on which command is being called. You can write your own script, but for convenience, we provide a number of such scripts which | <code>command</code> constraints can specify any command, but they are most useful when using a wrapper script which will accept or reject commands based on which command is being called. You can write your own script, but for convenience, we provide a number of such scripts which allow common actions. These scripts are defined in [https://github.com/ComputeCanada/software-stack-custom/tree/main/bin/computecanada/allowed_commands this git repository]. | ||
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh</code> | * <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh</code> allows only file transfers, such as <code>scp</code>, <code>sftp</code> or <code>rsync</code>. | ||
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/archiving_commands.sh</code> | * <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/archiving_commands.sh</code> allows commands to archive files, such as <code>gzip</code>, <code>tar</code> or <code>dar</code>. | ||
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/file_commands.sh</code> | * <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/file_commands.sh</code> allows commands to manipulate files, such as <code>mv</code>, <code>cp</code> or <code>rm</code>. | ||
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/git_commands.sh</code> | * <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/git_commands.sh</code> allows the <code>git</code> command. | ||
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh</code> | * <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh</code> allows some Slurm commands, such as <code>squeue</code>, <code>sbatch</code>. | ||
* <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/allowed_commands.sh</code> | * <code>/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/allowed_commands.sh</code> allows all of the above. | ||
== Examples of accepted SSH keys == | == Examples of accepted SSH keys == | ||
| Line 41: | Line 41: | ||
{{Warning|title=Warning|content= | {{Warning|title=Warning|content= | ||
The | The constraints must be added directly as text in front of your key, before uploading the complete string in [https://ccdb.alliancecan.ca/ssh_authorized_keys your account]. | ||
}} | }} | ||