Federated Identity with Globus ID

Globus ID is an identity provider operated by Globus.org, a cloud-based bulk data transfer solution used by AHPCC. A Globus ID account is required to use the Globus data transfer system, which is the recommended solution for moving data to and from Pinnacle storage. The same Globus ID account can be used to log into AHPCC clusters. Globus IDs are free to create and can be linked to multiple identities, including those from schools that are members of the InCommon federation.

NOTE: To log into Pinnacle, both a Globus ID and an associated local Pinnacle account have to exist. Simply having a Globus ID account will not be enough to log into AHPCC clusters.

Using a Globus ID to log into AHPCC

The oauth-ssh client is needed to authorize a host machine to connect to the AHPCC cluster using a Globus ID. oauth-ssh is a Python package that can be installed using pip (the Python package manager):

[pawel@frontdesk ~]$ pip3 install oauth-ssh
Defaulting to user installation because normal site-packages is not writeable
Collecting oauth-ssh
  Using cached oauth_ssh-0.14-py2.py3-none-any.whl (15 kB)
Collecting click<8,>=7.0
  Using cached click-7.1.2-py2.py3-none-any.whl (82 kB)
Requirement already satisfied: requests<3,>=2.5.0 in /usr/local/lib/python3.6/site-packages (from oauth-ssh) (2.27.1)
Requirement already satisfied: paramiko<3,>=2.5.0 in /usr/local/lib/python3.6/site-packages (from oauth-ssh) (2.11.0)
Requirement already satisfied: bcrypt>=3.1.3 in /usr/local/lib64/python3.6/site-packages (from paramiko<3,>=2.5.0->oauth-ssh) (3.2.2)
Requirement already satisfied: pynacl>=1.0.1 in /usr/local/lib64/python3.6/site-packages (from paramiko<3,>=2.5.0->oauth-ssh) (1.5.0)
Requirement already satisfied: cryptography>=2.5 in /usr/local/lib64/python3.6/site-packages (from paramiko<3,>=2.5.0->oauth-ssh) (37.0.4)
Requirement already satisfied: six in /usr/local/lib/python3.6/site-packages (from paramiko<3,>=2.5.0->oauth-ssh) (1.16.0)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in /usr/local/lib/python3.6/site-packages (from requests<3,>=2.5.0->oauth-ssh) (1.26.10)
Requirement already satisfied: idna<4,>=2.5 in /usr/local/lib/python3.6/site-packages (from requests<3,>=2.5.0->oauth-ssh) (3.3)
Requirement already satisfied: charset-normalizer~=2.0.0 in /usr/local/lib/python3.6/site-packages (from requests<3,>=2.5.0->oauth-ssh) (2.0.12)
Requirement already satisfied: certifi>=2017.4.17 in /usr/local/lib/python3.6/site-packages (from requests<3,>=2.5.0->oauth-ssh) (2022.6.15)
Requirement already satisfied: cffi>=1.1 in /usr/local/lib64/python3.6/site-packages (from bcrypt>=3.1.3->paramiko<3,>=2.5.0->oauth-ssh) (1.15.1)
Requirement already satisfied: pycparser in /usr/local/lib/python3.6/site-packages (from cffi>=1.1->bcrypt>=3.1.3->paramiko<3,>=2.5.0->oauth-ssh) (2.21)
Installing collected packages: click, oauth-ssh
Successfully installed click-7.1.2 oauth-ssh-0.14
[pawel@frontdesk ~]$

Once the oauth-ssh client is installed, your client machine (the host from which you are logging into Pinnacle) has to be authorized to connect to the Pinnacle login node, login.hpc.uark.edu:

[pawel@frontdesk ~]$ oauth-ssh-token authorize login.hpc.uark.edu
Please go to this URL and login: https://auth.globus.org/v2/oauth2/authorize?redirect_uri=https%3A%2F%2Fauth.globus.org%2Fv2%2Fweb%2Fauth-code&client_id=b373be16-f444-45f7-a144-e2c99a8ab704&access_type=offline&state=_default&code_challenge=oCnX1sCh7PKBXbifG1F_y8l5QmTjeicXeNbyuKQU7Cc&code_challenge_method=S256&response_type=code&scope=https%3A%2F%2Fauth.globus.org%2Fscopes%2Flogin.hpc.uark.edu%2Fssh
Please enter the code you get after login here: 

The oauth-ssh-token authorize login.hpc.uark.edu command generates a link to a Globus login page. Copy and paste this link into your browser.
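A check you can run on the printed link before opening it, as an added example that is not part of the original page or of oauth-ssh: it parses the URL and confirms that it points at auth.globus.org, uses PKCE with S256, and requests the SSH scope for the host being authorized. The expected path and scope layout are assumptions taken from the sample output above; `check_authorize_url` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit, parse_qs

GLOBUS_AUTH_HOST = "auth.globus.org"  # issuer host seen in the page's sample output


def check_authorize_url(url, ssh_host):
    """Return a list of problems in an oauth-ssh authorize URL (empty list = OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != GLOBUS_AUTH_HOST:
        problems.append("not an https://auth.globus.org URL")
    if parts.path != "/v2/oauth2/authorize":  # path assumed from the sample output
        problems.append("unexpected path: " + parts.path)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if q.get("response_type") != "code":
        problems.append("response_type is not 'code'")
    if q.get("code_challenge_method") != "S256":
        problems.append("PKCE method is not S256")
    # A SHA-256 digest is 32 bytes, i.e. 43 unpadded base64url characters.
    if not re.fullmatch(r"[A-Za-z0-9_-]{43}", q.get("code_challenge", "")):
        problems.append("code_challenge is not a 43-char base64url digest")
    redirect = urlsplit(q.get("redirect_uri", ""))
    if redirect.scheme != "https" or redirect.hostname != GLOBUS_AUTH_HOST:
        problems.append("redirect_uri leaves auth.globus.org")
    expected = "https://%s/scopes/%s/ssh" % (GLOBUS_AUTH_HOST, ssh_host)
    if q.get("scope") != expected:
        problems.append("scope does not match host: " + q.get("scope", "<missing>"))
    return problems


# The link from the sample session on this page.
PAGE_URL = (
    "https://auth.globus.org/v2/oauth2/authorize"
    "?redirect_uri=https%3A%2F%2Fauth.globus.org%2Fv2%2Fweb%2Fauth-code"
    "&client_id=b373be16-f444-45f7-a144-e2c99a8ab704&access_type=offline"
    "&state=_default&code_challenge=oCnX1sCh7PKBXbifG1F_y8l5QmTjeicXeNbyuKQU7Cc"
    "&code_challenge_method=S256&response_type=code"
    "&scope=https%3A%2F%2Fauth.globus.org%2Fscopes%2Flogin.hpc.uark.edu%2Fssh"
)
# Constructed variant for illustration: weaker PKCE method, scope for another host.
ALTERED_URL = PAGE_URL.replace("method=S256", "method=plain").replace(
    "login.hpc.uark.edu", "other.example")

if __name__ == "__main__":
    for label, url in (("page", PAGE_URL), ("altered", ALTERED_URL)):
        print(label, check_authorize_url(url, "login.hpc.uark.edu") or "OK")
```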

From the drop-down menu, select your school/organization. After pressing continue you will be redirected to your school's/organization's identity provider login. If your school/organization is not listed in the drop-down menu, click on the “Sign in with Globus ID” button to create a separate Globus ID account, or use the “Sign in with Google” or “Sign in with ORCID” links. University of Arkansas is listed in the menu. Below is an example of logging in using the University of Arkansas's IdP:

After a successful authentication you will be redirected to a page with a temporary token:

Copy and paste this token into your terminal window:

[pawel@frontdesk ~]$ oauth-ssh-token authorize login.hpc.uark.edu
Please go to this URL and login: https://auth.globus.org/v2/oauth2/authorize?redirect_uri=https%3A%2F%2Fauth.globus.org%2Fv2%2Fweb%2Fauth-code&client_id=b373be16-f444-45f7-a144-e2c99a8ab704&access_type=offline&state=_default&code_challenge=R9N64HSJVhRqt0zesM0rtzpkbg2YHe3bXW3F5S0Q9Ew&code_challenge_method=S256&response_type=code&scope=https%3A%2F%2Fauth.globus.org%2Fscopes%2Flogin.hpc.uark.edu%2Fssh
Please enter the code you get after login here: MZzXX5GhCw7hr7uH80nU4StddODSQV
[pawel@frontdesk ~]$ 

Your host is now authorized for logging into login.hpc.uark.edu for 48 hours. To log in, you can either use the oauth-ssh client:

[pawel@frontdesk ~]$ oauth-ssh login.hpc.uark.edu

Last failed login: Wed Jul 27 08:14:45 CDT 2022 from 184.180.249.7 on ssh:notty
There were 4 failed login attempts since the last successful login.
Last login: Wed Jul 27 08:12:10 2022 from 184.180.249.7

     Welcome to login.hpc.uark.edu - Globus Authentication test login VM

-bash-4.2$ 

or your regular ssh client, by copying and pasting the output of oauth-ssh-token show token login.hpc.uark.edu at the OAuth token prompt:

[pawel@frontdesk ~]$ oauth-ssh-token show token login.hpc.uark.edu
Ay525VXDNakMxKGVJ8dx0B5gl95mlj0ldjkngVdqQOOeaJ3ouVCB1gWOYkQrOKYW0oYnaX52dbOzIW92B1XHQ5mXj
[pawel@frontdesk ~]$ ssh pwolinsk@login.hpc.uark.edu
Enter your OAuth token: 
Last login: Wed Jul 27 09:39:10 2022 from 10.172.0.199

     Welcome to login.hpc.uark.edu - Globus Authentication test login VM

-bash-4.2$ 
federated_identity_login.txt · Last modified: 2022/07/27 15:26 by pwolinsk