Authentication

The ICE ClusterWare™ cluster administrator authentication method is controlled in the /opt/scyld/clusterware/conf/base.ini file by the plugins.auth variable and is initially set to "appauth". The scyld-install installation adds the current user to the auth.tmpadmins variable in that same file (unless passed the --no-tools argument). This comma-separated list of user names, corresponding to system accounts on the head node, is allowed in without additional authentication checks. The auth.tmpadmins variable is only intended for use during early installation, for small experimental clusters, or when recovering from some sort of failure, and is commented out by the installer during the installation process.

After installation, any administrator can add additional administrators through the scyld-adminctl command whose arguments match the other scyld-*ctl commands as described in ICE ClusterWare Command Line Tools. See Configure Additional Cluster Administrators for details. In the event of recovery, we suggest that administrators add accounts for themselves through this tool, and thereafter comment out or clear the auth.tmpadmins variable.

The "appauth" plugin executes the command defined in the appauth.app_path variable as user root. The default implementation of that command is provided by /opt/scyld/clusterware/bin/pam_authenticator. This implementation interfaces with the PAM authentication system using the /etc/pam.d/cw_check_user configuration file. The contents of this file initially use local system authentication, although this can be modified to authenticate against any mechanism available through the PAM system. For details, see the PAM documentation provided by your distro, the main PAM project, and the Red Hat https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/pluggable_authentication_modules documentation.

Administrators can provide authentication methods beyond PAM by implementing a script or application and providing it via the appauth.app_path variable. Appropriate applications should start with no arguments, read a username and password separated by a newline from stdin, and reply with either yes or no followed by a newline on stdout. For example, a test run of pam_authenticator looks like:

    [example@head ~] sudo /opt/scyld/clusterware/bin/pam_authenticator
    tester
    not_the_password
    no
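A custom checker that speaks the appauth exchange just shown, as an added example that is not part of ClusterWare or its pam_authenticator; the in-memory PBKDF2 credential table, the user name tester and its password are constructed placeholders for whatever backend a real appauth.app_path program would consult:

```python
#!/usr/bin/env python3
# Added example, not ClusterWare's own pam_authenticator: a minimal checker for
# the appauth protocol (username, newline, password on stdin; "yes" or "no" plus
# newline on stdout). Credentials are verified against a constructed table of
# PBKDF2-SHA256 hashes; a real deployment would consult PAM, LDAP or similar.
# ClusterWare runs this as root, so it stays small and rejects malformed input.
import hashlib
import hmac
import io
import sys

ITERATIONS = 100_000
SALT = b"constructed-example-salt"  # use a random per-user salt in real storage

def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)

# Constructed sample record (assumption): one user with a known password.
USERS = {"tester": _pbkdf2("correct horse battery staple")}

def check(username: str, password: str) -> bool:
    """True only when the user exists and the password matches."""
    stored = USERS.get(username)
    candidate = _pbkdf2(password)  # always hash, so unknown users cost the same
    return stored is not None and hmac.compare_digest(stored, candidate)

def appauth(stream) -> str:
    """Run one appauth exchange on a text stream and return 'yes' or 'no'."""
    username = stream.readline()
    if not username.endswith("\n"):
        return "no"  # no newline separator: malformed request
    username = username[:-1]
    password = stream.readline()
    if password.endswith("\n"):
        password = password[:-1]
    if not username or not password:
        return "no"  # empty credentials are never accepted
    return "yes" if check(username, password) else "no"

def appauth_str(request: str) -> str:
    """Convenience wrapper: run appauth() over an in-memory request string."""
    return appauth(io.StringIO(request))

if __name__ == "__main__":
    sys.stdout.write(appauth(sys.stdin) + "\n")
```

Fed the same two lines as the pam_authenticator session above (tester, not_the_password), it answers no; pointing appauth.app_path at such a script replaces the PAM check entirely, so keep it executable only by root.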

Assign Temporary Permissions

If an issue occurs and you need to grant temporary administrative permissions to a user or list of users:

  1. SSH into a head node.

  2. Modify the base.ini file:

    auth.tmpadmins = <comma-separated list of usernames>

  3. Restart the clusterware service for the change to take effect:

    systemctl restart clusterware

    After the restart, the listed users have FullAdmin privileges.

  4. Fix the issue.

  5. Modify the base.ini file to remove from auth.tmpadmins (or comment out) the users who should no longer have FullAdmin privileges.

  6. Restart the clusterware service for the change to take effect.