Difference between revisions of "Managing ETH groups"

From ScientificComputing
(Updates to pointers for ISGs.)
(Adding a subgroup to an ETH group: IAM issue is fixed.)
 
(16 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
==Introduction==
 
==Introduction==
  
Using [https://www1.ethz.ch/id/services/list/nethz_db/index_EN NETHZ groups] for user management is the recommended practice on our HPC clusters. A [[NETHZ]] group exported to LDAPS can be used to manage file permissions as well as user membership in a shareholder group. A common scenario is a group ''DEPT-ISG-GROUP'' that includes all members in the group's Leitzahl as well as semester students and visiting guests.
+
Using [https://www.ethz.ch/services/de/it-services/katalog/identitaet-zugang/identity-access-management.html ETH groups] for user management is the recommended practice on our HPC clusters. An ETH group exported to LDAPS can be used to manage file permissions as well as user membership in a shareholder group. A common scenario is a group ''DEPT-ISG-GROUP'' that includes all members in the group's Leitzahl as well as semester students and visiting guests.
  
==Managing NETHZ groups for use on our HPC clusters==
+
==Managing ETH groups for use on the central HPC clusters==
Our cluster can make use of [[NETHZ]] groups. As an ISG you can define a group in the [http://password.ethz.ch NETHZ admin tool] (main screen→Admin Tasks→Gruppen verwalten) and export it to LDAPS. Don't forget to click on the [[Media:Aktualisieren-link.png|''aktualisieren'']] link ''after'' updating the group!
+
Our cluster can make use of LDAP groups defined via the [https://www.password.ethz.ch/ ETH Identity and Access Management] system. As an ISG you can define a group in the [https://www.password.ethz.ch IAM admin tool] (main screen→Group management) and export it to LDAPS (Owner & Presence → Target Systems: LDAPS).
  
 
Keep the following points in mind:
 
Keep the following points in mind:
 
;Type of group
 
;Type of group
:The NETHZ group needs to be exported to '''LDAPS'''. For consistency it is recommended to export it to AD (Active Directory), too.
+
:The ETH group needs to be exported to '''LDAPS'''. For consistency it is recommended to export it to AD (Active Directory), too.
;Sync the changes
 
:You '''need''' to click on the [[Media:Aktualisieren-link.png|''aktualisieren'']] link for the changes to take effect!
 
 
;Do not change the group name
 
;Do not change the group name
:Avoid changing the name of any NETHZ group or contact us if you plan to do so.
+
:Avoid changing the name of any group or contact us if you plan to do so.
 
;Use only the ETH-wide LDAPS subtree
 
;Use only the ETH-wide LDAPS subtree
 
:An ETH-wide group defined by any ISG will be in the<br><tt>ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch</tt><br>subtree of LDAPS. Groups specific to a department '''can not''' be used.
 
:An ETH-wide group defined by any ISG will be in the<br><tt>ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch</tt><br>subtree of LDAPS. Groups specific to a department '''can not''' be used.
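Review bot: the new paragraph ("Our cluster can make use of LDAP groups defined via the ETH Identity and Access Management system") says "LDAP groups" while every other line in the section, including the "Type of group" item directly below, says LDAPS; use "LDAPS" consistently so readers do not think a plain LDAP export is sufficient. The "Sync the changes" item (the ''aktualisieren'' link) is dropped without a replacement; if the IAM tool applies exports automatically, one sentence stating that would help readers migrating from the old NETHZ workflow.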
Line 18: Line 16:
 
|LDAPS and AD groups || For consistency it is recommended to export it to AD (Active Directory), too.
 
|LDAPS and AD groups || For consistency it is recommended to export it to AD (Active Directory), too.
 
|-
 
|-
|Syncing changes || Don't forget to click on the [[Media:Aktualisieren-link.png| ''aktualisieren'']] link after making changes.
+
|Changing group names || Avoid changing the name of any group.
|-
 
|Changing group names || Avoid changing the name of any NETHZ group.
 
 
|-
 
|-
 
|LDAPS hierarchy || An ISG-defined group will be in the<br><tt>ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch</tt><br>subtree of LDAPS.
 
|LDAPS hierarchy || An ISG-defined group will be in the<br><tt>ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch</tt><br>subtree of LDAPS.
Line 27: Line 23:
 
We can only use groups from the
 
We can only use groups from the
  
  ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
+
  ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
 +
 
 +
subtree in LDAPS. That is the only way that we can provide service to and use services from the whole of ETH yet guarantee there are no collisions among group names or ids. Please contact us if you have any questions regarding using the IAM and/or LDAPS groups with our HPC clusters.
 +
 
 +
== Exporting an ETH group to LDAPS ==
  
subtree in LDAPS. That is the only way that we can provide service to and use services from the whole of ETH yet guarantee there are no collisions among group names or ids. From these, we only use the ''lz'' and ''custom'' [[NETHZ]] subtrees:
+
[[File:IAM1.png|thumb|ETH group management]]
  
ou=lz,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
+
[[File:IAM2.png|thumb|Export ETH group to LDAPS]]
  
and
+
<div style="clear: both"></div>
  
ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
+
== Adding a subgroup to an ETH group ==
 +
 
 +
An ETH group used for cluster access can include entire subgroups. This makes it easy to include, for example, an entire Leitzahl of a shareholder as well as individual guests to the top ETH group since changes to the subgroups are automatically reflected in the top group.
 +
 
 +
<!-- '''At the moment there is an issue if you add a ''Leitzahl'' (0xxxx or Txxxx) group as a subgroup. If you add a ''Leitzahl'' subgroup, you will need to contact [http://smartdesk.ethz.ch the IAM team] and request that the users from the Leitzahl subgroup are synchronized to the parent group.''' -->
 +
 
 +
Step-by-step instructions for an example of adding the ID-HPC-BETA subgroup to the ID-HPC-EULER top group are shown below. After this is done, ID-HPC-EULER includes everyone in ID-HPC-BETA.
 +
 
 +
1. Go to the [https://www.password.ethz.ch IAM admin tool]. From the main screen select “Group management” and then “Select group”:<br>
 +
[[File:Iam-subgroup.2.png|555px|Home screen → “Group management” → “Select group”]]<br>The group search page (“Select a Role”) will open.
 +
 
 +
2. Enter the name of the the '''top group''' and click the green “Search” button:<br>
 +
[[File:Iam-subgroup.3.png|555px|Enter the name of the the top group and click the green “Search” button.]]<br>The group information page (“Role - Summary”) for the top group will open if the group is found.
 +
 
 +
3. Edit the group by clicking on the pencil icon:<br>
 +
[[File:Iam-subgroup.4.png|555px|Click the pencil icon to edit the top group.]]<br>The group modification page (“Modify Role Data”) will show open.
  
Please contact us if you have any questions regarding using [[NETHZ]] and/or LDAPS groups with our HPC clusters.
+
4. Find the “Subgroup” text box in the “Group role references” section. It is the last box on the page. Click the “''(click here to add value)''” text line in the box. If the top group already includes several subgroups, then you will need to scroll to the bottom of this text box to find the “''(click here to add value)''” text line.<br>
 +
[[File:Iam-subgroup.5.png|555px|Click on the “(click here to add value)” line in the “Subgroup” box of the “Group role references” section.]]<br>The text line turns into two icons.
  
==Defining share membership==
+
5. Click on the people icon:<br>
By default only members of your LZ (''Leitzahl'') group are members of your share. You can manage membership in your shareholder group using LDAPS groups exported from [[NETHZ]]. Any number of LDAPS groups can be associated with your share. In addition, individual users can be added to the share or blocked from the share.
+
[[File:Iam-subgroup.6.png|555px|Click on the people icon.]]<br>A page to select the subgroup (“Select a Privilege”) will show up.
  
==New and parting users==
+
6. Enter the name of the '''subgroup''' and click on the green “Search” button:<br>
New members of the specified LDAPS group(s) will be automatically associated with your share while members who lose membership in the specified LDAPS groups are removed from your shareholder group. By default users are removed after 1&nbsp;month, though can be changed upon request. These individual changes to the shareholder groups are ''only'' for share management and not file permission management.
+
[[File:Iam-subgroup.7.png|555px|Enter the name of the subgroup and click on the “Search” icon.]]<br>If the group is found then it will be displayed in the table below.
  
==Delegating management==
+
7. Click on the name of the '''subgroup''':<br>
You can also name one or more people to be the share manager. This person is then generally our contact person regarding the share and, more importantly, has authority to request or confirm changes to the share. In addition a manager also gets the monthly accounting report for the share. You can also request that a user receives the monthly accounting report but no management authority.
+
[[File:Iam-subgroup.8.png|555px|Clock on the name of the subgroup.]]<br>The top group's modification page will be shown again (see step 4). You will now see the name of the subgroup in the “Subgroup” text box on the bottom of the page. Click on the blue “Save” button:<br>
 +
[[File:Iam-subgroup.10.png|555px|Click on the blue “Save” button.]]
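Review bot: the introduction to "Adding a subgroup to an ETH group" states that changes to subgroups are automatically reflected in the top group, but does not spell out the consequence for access control: anyone who can edit a subgroup can thereby add users to a top group that grants cluster access, so the page should advise only including subgroups whose management is trusted. The new "Exporting an ETH group to LDAPS" section consists of two image thumbnails and no text; repeating the path "Owner & Presence → Target Systems: LDAPS" there would make it usable without the images. Since the edit summary says the IAM issue is fixed, the commented-out warning block can be deleted rather than left in the source. Typos in the new steps: "the the top group" (step 2, text and caption), "will show open" (step 3), "Clock on the name" (step 7 caption).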

Latest revision as of 15:38, 21 July 2022

Introduction

Using ETH groups for user management is the recommended practice on our HPC clusters. An ETH group exported to LDAPS can be used to manage file permissions as well as user membership in a shareholder group. A common scenario is a group DEPT-ISG-GROUP that includes all members in the group's Leitzahl as well as semester students and visiting guests.

Managing ETH groups for use on the central HPC clusters

Our cluster can make use of LDAP groups defined via the ETH Identity and Access Management system. As an ISG you can define a group in the IAM admin tool (main screen→Group management) and export it to LDAPS (Owner & Presence → Target Systems: LDAPS).

Keep the following points in mind:

Type of group
The ETH group needs to be exported to LDAPS. For consistency it is recommended to export it to AD (Active Directory), too.
Do not change the group name
Avoid changing the name of any group or contact us if you plan to do so.
Use only the ETH-wide LDAPS subtree
An ETH-wide group defined by any ISG will be in the
ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
subtree of LDAPS. Groups specific to a department can not be used.

We can only use groups from the

ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch

subtree in LDAPS. That is the only way that we can provide service to and use services from the whole of ETH yet guarantee there are no collisions among group names or ids. Please contact us if you have any questions regarding using the IAM and/or LDAPS groups with our HPC clusters.

Exporting an ETH group to LDAPS

ETH group management
Export ETH group to LDAPS

Adding a subgroup to an ETH group

An ETH group used for cluster access can include entire subgroups. This makes it easy to include, for example, an entire Leitzahl of a shareholder as well as individual guests to the top ETH group since changes to the subgroups are automatically reflected in the top group.


Step-by-step instructions for an example of adding the ID-HPC-BETA subgroup to the ID-HPC-EULER top group are shown below. After this is done, ID-HPC-EULER includes everyone in ID-HPC-BETA.

1. Go to the IAM admin tool. From the main screen select “Group management” and then “Select group”:
Home screen → “Group management” → “Select group”
The group search page (“Select a Role”) will open.

2. Enter the name of the top group and click the green “Search” button:
Enter the name of the top group and click the green “Search” button.
The group information page (“Role - Summary”) for the top group will open if the group is found.

3. Edit the group by clicking on the pencil icon:
Click the pencil icon to edit the top group.
The group modification page (“Modify Role Data”) will open.

4. Find the “Subgroup” text box in the “Group role references” section. It is the last box on the page. Click the “(click here to add value)” text line in the box. If the top group already includes several subgroups, then you will need to scroll to the bottom of this text box to find the “(click here to add value)” text line.
Click on the “(click here to add value)” line in the “Subgroup” box of the “Group role references” section.
The text line turns into two icons.

5. Click on the people icon:
Click on the people icon.
A page to select the subgroup (“Select a Privilege”) will show up.

6. Enter the name of the subgroup and click on the green “Search” button:
Enter the name of the subgroup and click on the “Search” icon.
If the group is found then it will be displayed in the table below.

7. Click on the name of the subgroup:
Click on the name of the subgroup.
The top group's modification page will be shown again (see step 4). You will now see the name of the subgroup in the “Subgroup” text box on the bottom of the page. Click on the blue “Save” button:
Click on the blue “Save” button.
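The two rules above, that only groups under the ETH-wide ''custom'' subtree are accepted and that a top group transitively includes everyone in its subgroups (ID-HPC-EULER including all of ID-HPC-BETA), can be checked offline before requesting a share change. The following is an added example, not code from the ScientificComputing wiki or from ETH IAM: the directory entries are constructed, and the attribute names `member` and `subgroup` are assumptions standing in for whatever LDAPS actually returns.

```python
"""Check that cluster-access groups live in the ETH-wide 'custom' LDAPS subtree
and resolve the users a top group grants access to via nested subgroups."""
from typing import Dict, Set

# The only subtree the clusters accept (taken from the wiki page).
ALLOWED_SUBTREE = "ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch"

# Constructed sample directory, dn -> attributes. 'member' and 'subgroup' are
# assumed attribute names for this example, not ETH's real schema.
SAMPLE_DIRECTORY: Dict[str, dict] = {
    "cn=ID-HPC-EULER," + ALLOWED_SUBTREE: {
        "member": ["alice", "bob"],
        "subgroup": ["cn=ID-HPC-BETA," + ALLOWED_SUBTREE],
    },
    "cn=ID-HPC-BETA," + ALLOWED_SUBTREE: {
        "member": ["carol", "bob"],
        "subgroup": ["cn=ID-HPC-EULER," + ALLOWED_SUBTREE],  # deliberate cycle
    },
    # A department-specific group: must be rejected, whatever its members.
    "cn=DEPT-LOCAL,ou=groups,ou=dept,o=ethz,c=ch": {"member": ["dave"], "subgroup": []},
}


def normalize_dn(dn: str) -> str:
    """Case-fold and trim RDNs so DNs compare reliably (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_allowed_subtree(dn: str) -> bool:
    """True only if dn is a (possibly nested) entry below ALLOWED_SUBTREE."""
    return normalize_dn(dn).endswith("," + normalize_dn(ALLOWED_SUBTREE))


def resolve_members(dn: str, directory: Dict[str, dict], seen: Set[str] = None) -> Set[str]:
    """Return every user reachable from dn through subgroups.

    Refuses any group outside the allowed subtree (including subgroups), and
    guards against subgroup cycles so a mutual inclusion cannot loop forever."""
    if not in_allowed_subtree(dn):
        raise ValueError(f"group outside the ETH-wide custom subtree: {dn}")
    seen = set() if seen is None else seen
    key = normalize_dn(dn)
    if key in seen:  # already expanded: cycle or repeated subgroup
        return set()
    seen.add(key)
    entries = {normalize_dn(k): v for k, v in directory.items()}
    if key not in entries:
        raise KeyError(f"unknown group: {dn}")
    users = set(entries[key].get("member", []))
    for sub in entries[key].get("subgroup", []):
        users |= resolve_members(sub, directory, seen)
    return users
```

The resolved set is what a share effectively grants access to, so reviewing it (and the ownership of every subgroup it pulls in) before saving is the practical check.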