A collection of administrative tools for OpenOnDemand (OOD) at Idaho National Laboratory.
Brandon Biggs (Brandon.Biggs@inl.gov) - Idaho National Laboratory
Please reach out if you run into any issues.
```
public_ondemand_admin/
├── bin/
│   └── ood_auth_map.regex        # Bash script for authentication mapping
├── user_impersonation_dashboard/
│   ├── env                       # Environment configuration
│   ├── initializers/
│   │   ├── admin.rb              # Rails controller and model logic
│   │   └── routes.rb             # Route configuration with access control
│   └── views/
│       └── index.html.erb        # Web UI template
├── LICENSE
├── NOTICE.txt
└── README.md
```
A web-based admin page accessible directly from the OOD interface that allows HPC cluster administrators to:
- Impersonate any user account in the OpenOnDemand environment
- Record audit logs of all impersonation attempts with required justification
- Dynamically update authentication mappings for the impersonated user
A Bash script that handles the core authentication mapping mechanism:
- Decodes the current login username
- Checks if the user matches a configured service account pattern (e.g., `ood-service-hpcuser`)
- Retrieves and applies the impersonated username from environment variables
- Returns the appropriate username for the session
You will need to update this to work with your current authentication mapping.
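
The flow in the list above, sketched as an added example (this is not the repository's `ood_auth_map.regex`): the decoded login and the impersonation target are each validated as whole strings before anything is printed, and any failure prints no mapping at all. The service-account glob and the `OOD_IMPERSONATE_USER` variable name are assumptions made for illustration.

```sh
#!/bin/sh
# Added sketch of the mapping flow; not the repository's ood_auth_map.regex.
# SERVICE_ACCOUNT_GLOB and OOD_IMPERSONATE_USER are hypothetical names.
LC_ALL=C                                  # make a-z mean ASCII only
SERVICE_ACCOUNT_GLOB='ood-service-*'

# Decode %XX sequences in the URL-encoded login name.
urldecode() (
  s=$1 out=
  while [ -n "$s" ]; do
    case $s in
      %[0-9A-Fa-f][0-9A-Fa-f]*)
        hex=${s#%}; hex=${hex%"${hex#??}"}
        out=$out$(printf "\\$(printf '%03o' "0x$hex")")
        s=${s#???} ;;
      *)
        out=$out${s%"${s#?}"}
        s=${s#?} ;;
    esac
  done
  printf '%s' "$out"
)

# Whole-string check: conservative account names only, never root.
valid_name() {
  case $1 in
    ''|root|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

# Print the system user for a login, or print nothing and fail (fail closed).
map_user() (
  login=$(urldecode "$1")
  valid_name "$login" || exit 1
  case $login in
    $SERVICE_ACCOUNT_GLOB)
      target=${OOD_IMPERSONATE_USER:-}
      valid_name "$target" || exit 1
      # An impersonation target must be a real user, not a service account.
      case $target in $SERVICE_ACCOUNT_GLOB) exit 1 ;; esac
      printf '%s\n' "$target" ;;
    *)
      printf '%s\n' "$login" ;;
  esac
)
```

Validation runs after decoding, so an encoded name such as `%72oot` is rejected just like `root`.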
A Ruby on Rails integration that adds admin routes to the OpenOnDemand dashboard:
- Access Control: Routes are only available to users in the `OOD_ADMIN_GROUP`
- Form Interface: Provides fields for target username and impersonation reason
- Audit Logging: Records all impersonation attempts with timestamps and justifications
- Copy the `user_impersonation_dashboard` directory contents to your OOD dashboard configuration:

  ```bash
  cp -r user_impersonation_dashboard/* /etc/ood/config/apps/dashboard/
  ```

- Copy the authentication mapping script to the OOD auth map directory. Please double-check this first so that you do not overwrite any custom settings you may already have.

  ```bash
  cp bin/ood_auth_map.regex /opt/ood/ood_auth_map/bin/
  chmod +x /opt/ood/ood_auth_map/bin/ood_auth_map.regex
  ```

- Create the log file with appropriate permissions. This may change depending on what you set in `ENV`.

  ```bash
  touch /var/log/ood-impersonation.log
  chown apache:apache /var/log/ood-impersonation.log
  chmod 664 /var/log/ood-impersonation.log
  ```

- Ensure the `OOD_ADMIN_GROUP` environment variable is set in your OOD configuration to specify which group has admin access.

The env file contains the following environment variables:
| Variable | Description | Default |
|---|---|---|
| `OOD_DASHBOARD_ADMIN_AUTH_MAP_FILE` | Path to the authentication mapping script | `/opt/ood/ood_auth_map/bin/ood_auth_map.regex` |
| `OOD_DASHBOARD_ADMIN_AUTH_LOG_FILE` | Path to the impersonation audit log | `/var/log/ood-impersonation.log` |

- Log into the OpenOnDemand dashboard as an admin user (member of `OOD_ADMIN_GROUP`)
- Navigate to `/admin` in the dashboard
- Enter the username to impersonate
- Provide a reason for the impersonation (e.g., ticket number, debugging purpose)
- Submit the form
The system will update the authentication mapping and log the action. The next session created through the configured service account will run as the impersonated user.
- Access Control: Admin routes are only loaded for users in the designated admin group
- Audit Trail: All impersonation attempts are logged with:
  - Timestamp
  - Admin user performing the action
  - Target user being impersonated
  - Stated reason/justification
- Input Validation: Both username and reason fields are required
