Advanced Access Control
The Gateway & Ticket Model: Job-Based Authorization and Federated Identity.
Isolating Jobs, Not Machines
In enterprise IT the unit of isolation is the machine. In HPC a single job may span thousands of nodes, so the unit of isolation has to be the job itself. Our "Gateway & Ticket" model replaces static SSH keys with short-lived, CA-signed certificates at the perimeter and ties every internal login to a scheduler allocation, securing the cluster without slowing scientific work.
1. The "Gateway & Ticket" Architecture
The Gateway (Perimeter)
Users authenticate to the login nodes with certificates issued by an SSH Certificate Authority (CA); static authorized_keys entries are prohibited. The CA signs a certificate only after SSO (Okta/AD) plus MFA, and the certificate is valid for 12 hours, so a copied private key stops working on its own instead of living on in an authorized_keys file. On the login nodes, trust is expressed once, via the TrustedUserCAKeys directive in sshd_config, rather than per user; a user can inspect the principals and validity window of the certificate they were issued with ssh-keygen -L -f <cert file>.
The Ticket (Internal)
Internal movement is tied to the active job. Users have no "ticket" to access a compute node unless the scheduler has reserved it for them.
2. Eliminating "Node Hopping"
A common abuse is "Node Hopping": users SSHing into idle compute nodes to snoop on other people's jobs, or to run work that was never scheduled and is therefore never accounted for. We deploy the pam_slurm_adopt module in the sshd PAM stack to enforce a hard deny for anyone who has no running job on that specific node. When the user does have a job there, the module "adopts" the SSH session into that job's cgroup, so its CPU and memory consumption count against the allocation.

```
# /etc/pam.d/sshd on every compute node
account required pam_slurm_adopt.so action_no_jobs=deny
```

action_no_jobs=deny is the default, but we state it explicitly so the policy is visible in the file. Three prerequisites trip up most first deployments: slurm.conf must set PrologFlags=Contain so a job's cgroup exists before any SSH session can be adopted into it; sshd_config must have UsePAM yes; and pam_systemd should be disabled on compute nodes, because it fights pam_slurm_adopt for ownership of the session's cgroup. Root is always allowed through, and administrators who need unrestricted access should be admitted by an earlier rule in the stack (for example pam_access) rather than by weakening this one.

This creates a "Hard Shell" around every node: a user without an allocation never gets a shell, and a user with one cannot exceed the CPU and memory they reserved.
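The authorization decision above, as an added example that is not the page's code nor pam_slurm_adopt itself: it reproduces the action_no_jobs=deny rule in Python over constructed scheduler state. The input is modelled on the output of `squeue -h -t RUNNING -o "%i %u %N"` (job id, user, node list), so the example also has to expand Slurm hostlist expressions such as `node[001-004]` before it can answer "does this user own a job on this node?". The root bypass mirrors the real module; the sample queue and the assumption that only root is exempt are ours.

```python
"""Job-based node authorization (the "ticket" check).

Added illustration, not the page's code and not pam_slurm_adopt. Given a
constructed squeue snapshot, decide whether a user may open a session on
a compute node: allowed only if the scheduler has a running job of theirs
on that node (action_no_jobs=deny), plus the root bypass the real module has.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Job:
    job_id: str
    user: str
    nodes: frozenset


# One bracketed range group per element, e.g. "node[001-004,007]-ib".
_BRACKET = re.compile(r"^(?P<prefix>[^\[]*)\[(?P<body>[^\]]+)\](?P<suffix>.*)$")


def _split_top_level(expr: str) -> list:
    """Split a hostlist on commas that are not inside [...]."""
    out, cur, depth = [], [], 0
    for ch in expr:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return [e.strip() for e in out if e.strip()]


def expand_hostlist(expr: str) -> set:
    """Expand Slurm hostlist syntax: 'node[001-003,007],gpu01' -> set of names.
    Zero-padding width is taken from the lower bound of each range."""
    hosts = set()
    for element in _split_top_level(expr):
        m = _BRACKET.match(element)
        if m is None:
            hosts.add(element)
            continue
        prefix, body, suffix = m.group("prefix", "body", "suffix")
        for part in body.split(","):
            if "-" in part:
                lo, hi = part.split("-", 1)
                for n in range(int(lo), int(hi) + 1):
                    hosts.add(f"{prefix}{n:0{len(lo)}d}{suffix}")
            else:
                hosts.add(f"{prefix}{part}{suffix}")
    return hosts


def parse_squeue(output: str) -> list:
    """Parse lines of 'JOBID USER NODELIST' (squeue -h -t RUNNING -o "%i %u %N")."""
    jobs = []
    for line in output.strip().splitlines():
        job_id, user, nodelist = line.split(None, 2)
        jobs.append(Job(job_id, user, frozenset(expand_hostlist(nodelist))))
    return jobs


# Assumption: only root bypasses the check. Real deployments admit admin
# groups with an earlier PAM rule (pam_access), not by editing this set.
ADMIN_USERS = frozenset({"root"})


def authorize(user: str, node: str, jobs: list, admins=ADMIN_USERS) -> tuple:
    """Return (allowed, reason). No running job on this node -> deny."""
    if user in admins:
        return True, "admin bypass"
    owned_here = [j for j in jobs if j.user == user and node in j.nodes]
    if not owned_here:
        return False, f"{user} has no running job on {node}"
    # The real module would now move the session into this job's cgroup.
    return True, f"adopted into job {owned_here[0].job_id}"


def reachable_nodes(user: str, jobs: list) -> set:
    """The user's current 'ticket': every node one of their jobs occupies."""
    return set().union(*(j.nodes for j in jobs if j.user == user))


# Constructed sample queue (not real cluster data).
SAMPLE_SQUEUE = """\
1001 alice node[001-004]
1002 bob node005,gpu[01-02]
1003 alice gpu03
"""
JOBS = parse_squeue(SAMPLE_SQUEUE)

if __name__ == "__main__":
    for user, node in [("alice", "node002"), ("alice", "node005"),
                       ("carol", "node001"), ("root", "node001")]:
        print(user, node, authorize(user, node, JOBS))
```

Run it and the output shows alice admitted to node002 (adopted into job 1001) but denied on node005, carol denied everywhere, and root admitted. The hostlist expander is deliberately limited to one bracket group per element, which covers normal squeue output; a production tool should call scontrol show hostnames instead of re-implementing the grammar.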
Federated Identity (CILogon)
For cross-institutional collaboration, hand-creating a local account and password for every visiting researcher does not scale and leaves orphaned accounts behind when collaborations end. We use CILogon, which federates university identity providers (InCommon and eduGAIN), to bridge a researcher's home-institution credentials to a local Linux account.
- Auth Flow: SSO at Home Institution → CILogon Token → Local HPC Mapping.
- Audit: the external identity (for example the eppn claim CILogon returns) is recorded alongside the mapped local account in your own security logs, so an incident on the cluster can be traced back to a specific person at their home institution.
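The mapping and audit steps of that flow, as an added example that is not the page's code nor anything shipped by CILogon. It works on the decoded claims of a CILogon ID token and assumes the token's signature has already been verified by the portal's OpenID Connect library. The trusted issuer is CILogon's real issuer URL; the client id, the mapping-file format (eppn then local user), the fixed clock and the idp_name claim are assumptions for the example, so check your own client's claim configuration.

```python
"""Map a federated (CILogon) identity to a local Linux account and emit an audit record.

Added illustration, not the page's code. Assumes the OIDC ID token signature
was already verified against CILogon's JWKS by your OIDC library; this code
only validates claims and performs the local mapping.
"""
from dataclasses import dataclass

TRUSTED_ISSUER = "https://cilogon.org"
CLIENT_ID = "cilogon:/client_id/example"   # assumption: your portal's registered client id


class FederatedAuthError(Exception):
    pass


@dataclass(frozen=True)
class LocalIdentity:
    local_user: str
    external_id: str
    issuer: str
    idp: str


def parse_mapping(text: str) -> dict:
    """Parse 'eppn local_user' lines. Rejects duplicate external ids and
    refuses to map two external identities onto one local account, since
    that would make the audit trail ambiguous."""
    mapping, owner_of_local = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"malformed mapping line: {raw!r}")
        ext, local = fields[0].lower(), fields[1]
        if ext in mapping:
            raise ValueError(f"duplicate external identity {ext}")
        if local in owner_of_local:
            raise ValueError(f"local account {local} already mapped to {owner_of_local[local]}")
        mapping[ext] = local
        owner_of_local[local] = ext
    return mapping


def map_identity(claims: dict, mapping: dict, now: float) -> LocalIdentity:
    """Validate issuer, audience and expiry, then map eppn -> local account."""
    if claims.get("iss") != TRUSTED_ISSUER:
        raise FederatedAuthError("untrusted issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise FederatedAuthError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise FederatedAuthError("token expired")
    eppn = claims.get("eppn")
    if not eppn:
        raise FederatedAuthError("no eppn claim, cannot map identity")
    local = mapping.get(eppn.lower())
    if local is None:
        raise FederatedAuthError(f"unmapped external identity {eppn}")
    return LocalIdentity(local, eppn, claims["iss"], claims.get("idp_name", "unknown"))


def audit_line(ident: LocalIdentity, action: str = "login") -> str:
    """One log line carrying both the local account and the external identity."""
    return (f"federated-{action} local={ident.local_user} eppn={ident.external_id} "
            f'idp="{ident.idp}" iss={ident.issuer}')


def decision(claims: dict, mapping: dict, now: float) -> str:
    """'allow:<local user>' or 'deny:<reason>', convenient for logging and tests."""
    try:
        return "allow:" + map_identity(claims, mapping, now).local_user
    except FederatedAuthError as exc:
        return "deny:" + str(exc)


# Constructed sample data (not real identities).
SAMPLE_MAPPING = """\
# external identity (eppn)    local account
jdoe@example.edu              jdoe
asmith@partner.ac.uk          asmith
"""
MAPPING = parse_mapping(SAMPLE_MAPPING)
NOW = 1_700_000_000            # fixed clock so the example is deterministic
SAMPLE_CLAIMS = {
    "iss": TRUSTED_ISSUER,
    "aud": CLIENT_ID,
    "sub": "http://cilogon.org/serverA/users/12345",
    "iat": NOW,
    "exp": NOW + 900,
    "eppn": "JDoe@example.edu",
    "idp_name": "Example University",
}

if __name__ == "__main__":
    print(audit_line(map_identity(SAMPLE_CLAIMS, MAPPING, NOW)))
    print(decision(dict(SAMPLE_CLAIMS, eppn="nobody@example.edu"), MAPPING, NOW))
```

The mapping file is the control surface here: an unmapped eppn is denied rather than auto-provisioned, and the one-to-one rule in parse_mapping is what keeps the audit line meaningful, because a shared local account would otherwise hide which external person acted.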
HPC Access Control Checklist
| Control | Target | Technology / Method |
|---|---|---|
| Perimeter Auth | Login Nodes | HashiCorp Vault SSH CA |
| Compute Isolation | Compute Nodes | pam_slurm_adopt (action_no_jobs=deny) |
| Federated Auth | Web Portals | CILogon / OpenID Connect |
| Internal Trust | Fabric-wide | MUNGE (Annual Key Rotation) |
Secure Your Infrastructure
Download our "Ansible Playbook for pam_slurm_adopt" and "User Transition Communication Plan" to upgrade your cluster access today.