Authentication#
The ICE ClusterWare™ cluster administrator authentication method is controlled by the
plugins.auth variable in the /opt/scyld/clusterware/conf/base.ini file,
which is initially set to "appauth". The cw-install
installation adds the current user to the auth.tmpadmins variable in that same
file (unless passed the --no-tools argument). Every user named in that
comma-separated list, which must correspond to system accounts
on the head node, is allowed in without any further authentication
check. The auth.tmpadmins variable is intended only for use
during early installation, for small experimental clusters, or when
recovering from some sort of failure, and is commented out again by the
installer during the installation process.
After installation, any administrator can add additional administrators
through the cw-adminctl command, whose arguments match the other
cw-*ctl commands described in ICE ClusterWare Command Line Tools. See
Configure Additional Cluster Administrators for details. When
auth.tmpadmins has been re-enabled for recovery, we suggest that administrators add accounts for
themselves through this tool, and thereafter comment out or clear the
auth.tmpadmins variable so that no account remains exempt from authentication.
The "appauth" plugin executes the command defined in the
appauth.app_path variable as user root.
The default implementation of that command is provided by
/opt/scyld/clusterware/bin/pam_authenticator.
This implementation interfaces with the PAM authentication system using the
/etc/pam.d/cw_check_user configuration file.
The contents of this
file initially use local system authentication, although this can be modified to
authenticate against any mechanism available through the PAM system.
For details, see the PAM documentation provided by your distro, the
main PAM project, and the Red Hat documentation
(https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/pluggable_authentication_modules).
Administrators can provide authentication methods beyond PAM by
implementing a script or application and pointing the
appauth.app_path variable at it. Such an application must be runnable
with no arguments, read a username and a password separated by a newline
from stdin, and reply with either yes or no followed by a
newline on stdout. Because the command is executed as root, it should be
owned by root and not writable by other users. For example, a test run of
pam_authenticator, in which tester and not_the_password are the two lines typed
by the user and no is the reply, looks like:
[example@head ~] sudo /opt/scyld/clusterware/bin/pam_authenticator
tester
not_the_password
no
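The following is an added example of an appauth-compatible authenticator written for this page; it is not ClusterWare code and not the pam_authenticator implementation. It follows the protocol described above (no arguments, username then password on stdin, exactly yes or no on stdout) and shows the properties a replacement for a root-executed authenticator should have: it fails closed on truncated or over-long input, never writes diagnostics to stdout, and compares password digests in constant time. The credential-store format (one "username:iterations:salt_hex:pbkdf2_sha256_hex" record per line) and the sample user are this example's own constructed choices.

```python
#!/usr/bin/env python3
"""appauth-style authenticator: reads a username line and a password line on
stdin and writes exactly "yes" or "no" (plus newline) on stdout.

Added example, not ClusterWare code.  The credential-store format below
("username:iterations:salt_hex:pbkdf2_sha256_hex", one record per line) is this
example's own choice; ClusterWare's pam_authenticator uses PAM instead."""
import hashlib
import hmac
import io
import sys

ITERATIONS = 600_000   # PBKDF2-SHA256 work factor for new records
MAX_LINE = 4096        # refuse over-long username/password lines (fail closed)
DUMMY_SALT = b"\x00" * 16


def make_record(username, password, salt, iterations=ITERATIONS):
    """Build one credential record (used when provisioning a user)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{username}:{iterations}:{salt.hex()}:{digest.hex()}"


def parse_store(text):
    """Parse records into {username: (iterations, salt, digest)}.
    Blank, comment and malformed lines are skipped, so a damaged record
    denies that user rather than crashing the authenticator."""
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            continue
        user, iters, salt_hex, digest_hex = parts
        try:
            store[user] = (int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))
        except ValueError:
            continue
    return store


def authenticate(username, password, store):
    """True only if username is known and the PBKDF2 digest matches."""
    entry = store.get(username) if username else None
    if entry is None:
        # Burn the same work for unknown users so response time does not
        # reveal whether the username exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, ITERATIONS)
        return False
    iterations, salt, expected = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)   # constant-time compare


def read_credentials(stream):
    """Read the two-line protocol: username on line 1, password on line 2.
    Returns None on truncated input or an over-long line."""
    username = stream.readline(MAX_LINE + 1)
    password = stream.readline(MAX_LINE + 1)
    if not username.endswith("\n") or not password.endswith("\n"):
        return None
    return username[:-1], password[:-1]


def respond(stream_in, stream_out, store):
    """Run one exchange and write exactly 'yes\\n' or 'no\\n' to stream_out.
    Any error denies; diagnostics go to stderr, never to stdout, because
    stdout is the protocol channel."""
    ok = False
    try:
        creds = read_credentials(stream_in)
        if creds is not None:
            ok = authenticate(creds[0], creds[1], store)
    except Exception as exc:
        print(f"authenticator error: {exc}", file=sys.stderr)
        ok = False
    stream_out.write("yes\n" if ok else "no\n")
    stream_out.flush()
    return ok


# Constructed sample store: one user, "tester", with a known password.  A real
# deployment would load a root-only file instead of an in-memory constant.
SAMPLE_STORE = parse_store(
    make_record("tester", "correct horse battery staple", b"\x01" * 16) + "\n"
)


def run_exchange(input_text, store=SAMPLE_STORE):
    """Drive respond() over in-memory streams; returns (decision, reply_text)."""
    out = io.StringIO()
    ok = respond(io.StringIO(input_text), out, store)
    return ok, out.getvalue()


if __name__ == "__main__":
    respond(sys.stdin, sys.stdout, SAMPLE_STORE)
```

Pointed at by appauth.app_path, the script behaves like the transcript above: feeding it tester and not_the_password produces no. Note that the reply on stdout is the only thing the caller consumes, so anything else the script might print (debugging, library warnings) must go to stderr, and an exception must still end in a no line rather than an empty reply.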
Login via SSH Keys#
As an alternative to a standard login, you can load SSH keys for ClusterWare administrators.
Run the following command to load an SSH public key, replacing admin1 with the
administrator you want to update:
cw-adminctl -i admin1 update keys=@/home/admin1/.ssh/id_rsa.pub
The keys= argument accepts either the SSH public key string itself or a path to a file
preceded by an @ symbol. The example command above points to a file. Load only the
public key (the .pub file); the private key stays in the administrator's home directory.
To use the key after it is loaded, the administrator needs to run ssh-agent
using the following command:
eval `ssh-agent`; ssh-add
Once ssh-agent is running and holds the matching private key, the administrator can run ClusterWare commands
and login is handled with the SSH key instead of a password.
Assign Temporary Permissions#
If an issue occurs and you need to grant temporary administrative permissions to a user or list of users:
SSH into a head node.
Modify the base.ini file:
auth.tmpadmins = <comma-separated list of usernames>
Restart the clusterware service for the change to take effect:
systemctl restart clusterware
The listed users now have FullAdmin privileges and, as described under Authentication, are let in without any authentication check.
Fix the issue.
Modify the base.ini file again, removing or commenting out the auth.tmpadmins entry so that those users no longer have FullAdmin privileges.
Restart the clusterware service for the change to take effect.
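The grant-and-revoke edits in this procedure are easy to get wrong by hand (leaving a second active line, or forgetting to revoke). The following is an added example, not ClusterWare code, of helpers that make both edits to the base.ini text and let you check what is currently granted. It assumes base.ini is read as plain "key = value" lines, writes the user list comma-separated without spaces, and comments a line out with a leading "# " to match the installer's own practice of commenting the variable out; the sample file contents are constructed for the example. The service restart from the procedure above still has to be done after writing the file.

```python
"""Helpers for the temporary-permission procedure: grant and revoke
auth.tmpadmins in a base.ini text without disturbing other settings.

Added example, not ClusterWare code.  Assumptions: base.ini is plain
"key = value" lines, the user list is comma-separated without spaces, and a
line is disabled by prefixing it with "# "."""
import re

ACTIVE_RE = re.compile(r"^\s*auth\.tmpadmins\s*=\s*(.*?)\s*$")   # live setting
ANY_RE = re.compile(r"^\s*#*\s*auth\.tmpadmins\s*=")              # live or commented
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")              # conservative POSIX-style names


def is_valid_username(name):
    """Reject anything that could break the line format (spaces, commas, '#', newlines)."""
    return USERNAME_RE.fullmatch(name) is not None


def current_tmpadmins(ini_text):
    """Usernames granted by active auth.tmpadmins lines, in order ([] if none)."""
    users = []
    for line in ini_text.splitlines():
        m = ACTIVE_RE.match(line)
        if m:
            users.extend(u.strip() for u in m.group(1).split(",") if u.strip())
    return users


def clear_tmpadmins(ini_text):
    """Comment out every active auth.tmpadmins line; everything else is left as-is."""
    out = []
    for line in ini_text.splitlines():
        out.append("# " + line.strip() if ACTIVE_RE.match(line) else line)
    return "\n".join(out) + "\n"


def set_tmpadmins(ini_text, users):
    """Grant FullAdmin without authentication to `users`.
    Existing active lines are commented out first so exactly one active
    line remains; the new line goes right after the last tmpadmins line
    (commented or not), or at the end of the file if there is none."""
    users = list(users)
    bad = [u for u in users if not is_valid_username(u)]
    if bad or not users:
        raise ValueError(f"invalid username(s): {bad or 'empty list'}")
    lines = clear_tmpadmins(ini_text).splitlines()
    new_line = "auth.tmpadmins = " + ",".join(users)
    last = max((i for i, l in enumerate(lines) if ANY_RE.match(l)), default=None)
    if last is None:
        lines.append(new_line)
    else:
        lines.insert(last + 1, new_line)
    return "\n".join(lines) + "\n"


# Constructed sample of the relevant base.ini lines (not the real file contents).
SAMPLE_INI = """\
plugins.auth = appauth
appauth.app_path = /opt/scyld/clusterware/bin/pam_authenticator
# auth.tmpadmins = installer
"""

if __name__ == "__main__":
    granted = set_tmpadmins(SAMPLE_INI, ["admin1", "admin2"])
    print(granted)                    # one active auth.tmpadmins line
    print(clear_tmpadmins(granted))   # bypass revoked, other settings untouched
```

Validating usernames before writing them matters because an attacker-influenced name containing a newline or a comma could otherwise add a second setting or a second administrator to the file; the check keeps the edit to exactly the accounts you intended. Run current_tmpadmins over the file after the final restart to confirm the list is empty.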