==== Federated Identity with Globus ID ====
Globus ID ([[https://www.globusid.org/faq|Globus ID]]) is an identity provider operated [[https://www.globus.org|Globus.org]], a cloud based bulk data transfer solution used by AHPCC. A Globus ID account is required to use the Globus data transfer system, which is the recommended solution for [[moving_data | Moving Data]] to and from Pinnacle storage. The same Globus ID account can be used to log into AHPCC clusters. Globus ID's are free to create and can be linked to multiple identities, including those from schools which are members of [[https://www.incommon.org/federation/|InCommon]] federation.
**NOTE:** To log into Pinnacle, both a Globus ID and an associated local Pinnacle account have to exist. Simply having a Globus ID account will not be enough to log into AHPCC clusters.
==== Using a Globus ID to log into AHPCC ====
**oauth-ssh** client is needed to authorized a host machine to connect to the AHPCC cluster using a Globus ID. The **oauth-ssh** is a python package that can be installed using **pip** (python package manager):
[pawel@frontdesk ~]$ pip3 install oauth-ssh
Defaulting to user installation because normal site-packages is not writeable
Collecting oauth-ssh
Using cached oauth_ssh-0.14-py2.py3-none-any.whl (15 kB)
Collecting click<8,>=7.0
Using cached click-7.1.2-py2.py3-none-any.whl (82 kB)
Requirement already satisfied: requests<3,>=2.5.0 in /usr/local/lib/python3.6/site-packages (from oauth-ssh) (2.27.1)
Requirement already satisfied: paramiko<3,>=2.5.0 in /usr/local/lib/python3.6/site-packages (from oauth-ssh) (2.11.0)
Requirement already satisfied: bcrypt>=3.1.3 in /usr/local/lib64/python3.6/site-packages (from paramiko<3,>=2.5.0->oauth-ssh) (3.2.2)
Requirement already satisfied: pynacl>=1.0.1 in /usr/local/lib64/python3.6/site-packages (from paramiko<3,>=2.5.0->oauth-ssh) (1.5.0)
Requirement already satisfied: cryptography>=2.5 in /usr/local/lib64/python3.6/site-packages (from paramiko<3,>=2.5.0->oauth-ssh) (37.0.4)
Requirement already satisfied: six in /usr/local/lib/python3.6/site-packages (from paramiko<3,>=2.5.0->oauth-ssh) (1.16.0)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in /usr/local/lib/python3.6/site-packages (from requests<3,>=2.5.0->oauth-ssh) (1.26.10)
Requirement already satisfied: idna<4,>=2.5 in /usr/local/lib/python3.6/site-packages (from requests<3,>=2.5.0->oauth-ssh) (3.3)
Requirement already satisfied: charset-normalizer~=2.0.0 in /usr/local/lib/python3.6/site-packages (from requests<3,>=2.5.0->oauth-ssh) (2.0.12)
Requirement already satisfied: certifi>=2017.4.17 in /usr/local/lib/python3.6/site-packages (from requests<3,>=2.5.0->oauth-ssh) (2022.6.15)
Requirement already satisfied: cffi>=1.1 in /usr/local/lib64/python3.6/site-packages (from bcrypt>=3.1.3->paramiko<3,>=2.5.0->oauth-ssh) (1.15.1)
Requirement already satisfied: pycparser in /usr/local/lib/python3.6/site-packages (from cffi>=1.1->bcrypt>=3.1.3->paramiko<3,>=2.5.0->oauth-ssh) (2.21)
Installing collected packages: click, oauth-ssh
Successfully installed click-7.1.2 oauth-ssh-0.14
[pawel@frontdesk ~]$
Once **oauth-ssh** client is installed, your client machine (the host from which your are logging into Pinnacle) has to be authorized to connect to the Pinnacle login node, **login.hpc.uark.edu**:
[pawel@frontdesk ~]$ oauth-ssh-token authorize login.hpc.uark.edu
Please go to this URL and login: https://auth.globus.org/v2/oauth2/authorize?redirect_uri=https%3A%2F%2Fauth.globus.org%2Fv2%2Fweb%2Fauth-code&client_id=b373be16-f444-45f7-a144-e2c99a8ab704&access_type=offline&state=_default&code_challenge=oCnX1sCh7PKBXbifG1F_y8l5QmTjeicXeNbyuKQU7Cc&code_challenge_method=S256&response_type=code&scope=https%3A%2F%2Fauth.globus.org%2Fscopes%2Flogin.hpc.uark.edu%2Fssh
Please enter the code you get after login here:
The **oauth-ssh-token authorize login.hpc.uark.edu** command generates a link to a Globus login page. Copy and paste this link into your browser.
{{::globus-login.png?600|}}
From the drop down menu, select your school/Organization. After pressing continue you will be redirected to your school's/organization's identity provider login. If your school/organization is not listed int the drop down menu, click on the "Sign in with Globus ID" button to create a separte Globus ID account, or use the "Sign in with Google" or "Sign in with ORCID" links. University of Arkansas is listed in the menu. Below an example of logging in using the University of Arkansas's idp:
{{::login-uaf-idp.png?600|}}
After a successful authentication you will be redirected to a page with a temporary token:
{{::globus-token.png?600|}}
Copy and paste this token into your terminal window:
[pawel@frontdesk ~]$ oauth-ssh-token authorize login.hpc.uark.edu
Please go to this URL and login: https://auth.globus.org/v2/oauth2/authorize?redirect_uri=https%3A%2F%2Fauth.globus.org%2Fv2%2Fweb%2Fauth-code&client_id=b373be16-f444-45f7-a144-e2c99a8ab704&access_type=offline&state=_default&code_challenge=R9N64HSJVhRqt0zesM0rtzpkbg2YHe3bXW3F5S0Q9Ew&code_challenge_method=S256&response_type=code&scope=https%3A%2F%2Fauth.globus.org%2Fscopes%2Flogin.hpc.uark.edu%2Fssh
Please enter the code you get after login here: MZzXX5GhCw7hr7uH80nU4StddODSQV
[pawel@frontdesk ~]$
Your host is now authorized for logging into login.hpc.uark.edu for 48 hours. To log in, you can either use **oauth-ssh** client:
[pawel@frontdesk ~]$ oauth-ssh login.hpc.uark.edu
Last failed login: Wed Jul 27 08:14:45 CDT 2022 from 184.180.249.7 on ssh:notty
There were 4 failed login attempts since the last successful login.
Last login: Wed Jul 27 08:12:10 2022 from 184.180.249.7
Welcome to login.hpc.uark.edu - Globus Authentication test login VM
-bash-4.2$
or your regular ssh client, by copying and pasting the output of **oauth-ssh-token show token login.hpc.uark.edu** at the OAuth token prompt:
[pawel@frontdesk ~]$ oauth-ssh-token show token login.hpc.uark.edu
Ay525VXDNakMxKGVJ8dx0B5gl95mlj0ldjkngVdqQOOeaJ3ouVCB1gWOYkQrOKYW0oYnaX52dbOzIW92B1XHQ5mXj
[pawel@frontdesk ~]$ ssh pwolinsk@login.hpc.uark.edu
Enter your OAuth token:
Last login: Wed Jul 27 09:39:10 2022 from 10.172.0.199
Welcome to login.hpc.uark.edu - Globus Authentication test login VM
-bash-4.2$