StarCluster - Mailing List Archive

Re: Administration of StarCluster with AWS IAM

From: David Stuebe <no email>
Date: Mon, 24 Mar 2014 18:02:51 +0000

Hi Ray
Questions inline…

From: Rayson Ho <raysonlogin_at_gmail.com>
Date: Mon, 24 Mar 2014 13:40:14 -0400
To: David Stuebe <dstuebe_at_asascience.com>
Cc: "starcluster_at_mit.edu" <starcluster_at_mit.edu>
Subject: Re: [StarCluster] Administration of StarCluster with AWS IAM

On Mon, Mar 24, 2014 at 1:13 PM, David Stuebe <DStuebe_at_asascience.com> wrote:
I am planning to set up an HPC cluster for an operational forecasting
project. I have created a new AWS account for this purpose and set up IAM
for various users on the project to have access and control over resources
with proper unique users, role separation and least privilege.

What are best practices for sharing administration of StarCluster resources?

Note that StarCluster bootstraps an HPC cluster in EC2 for you. After
the cluster has been started, StarCluster exits cleanly unless you
need the StarCluster load balancer:

http://star.mit.edu/cluster/docs/latest/manual/load_balancer.html


Yes – I am specifically asking about sharing a config file to allow different IAM users to manage a cluster via:
starcluster restart mycluster
starcluster stop mycluster
starcluster terminate mycluster
starcluster addnode mycluster


On the other hand, if you are talking about the administration of the
HPC cluster, then it is a different story. You will likely want to
learn Grid Engine for your job scheduling policy, and use Linux
commands to set up new users, and may want to add a parallel
filesystem, etc.


When I create a config file I can share it with other users as long as I get
my AWS credentials from my ENV variables.

What about the user id?
Does this have to be the root AWS account ID or can I use my User ARN (of
the form: arn:aws:iam::123456789012:user/username)
Can I set this as an environment variable as well?

StarCluster does not need the power of the full AWS root account. You
can just create an IAM user with "EC2 full access" in the Policy
Template.

Is this "User ARN" the correct ID to use? Should I use a group ID or a user ID?

Thanks for the quick response!

David


If you want finer control, you can fire up the IAM Policy Generator
and pick which ec2 APIs the IAM user can issue. StarCluster does not
use the AWS ELB nor the ASG (SC has its implementations of them).
However, since we introduced VPC support, the list of APIs that SC
needs is slightly larger.


What about PEM files - what is ec2_cert in the config file used for?

That's for the permission to create a new AMI, IIRC.

Rayson

==================================================
Open Grid Scheduler - The Official Open Source Grid Engine
http://gridscheduler.sourceforge.net/
http://gridscheduler.sourceforge.net/GridEngine/GridEngineCloud.html



David Stuebe

Scientist & Software Engineer

55 Village Square Drive
South Kingstown, RI 02879-8248

Tel: +1 (401) 789-6224

Email: David.Stuebe_at_rpsgroup.com
www: asascience.com | rpsgroup.com

A member of the RPS Group plc


_______________________________________________
StarCluster mailing list
StarCluster_at_mit.edu
http://mailman.mit.edu/mailman/listinfo/starcluster
Received on Mon Mar 24 2014 - 14:02:11 EDT
This archive was generated by hypermail 2.3.0.
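
Added example, not part of the original thread or of StarCluster's own code: a pre-share check for the scenario discussed above, where one config file is handed to several IAM users and each user's AWS credentials come from environment variables. It assumes the INI-style StarCluster config with an [aws info] section and the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY names; the function name and both sample configs are constructed for illustration.

```python
import configparser

# Credential options of the [aws info] section (assumed StarCluster config names).
CREDENTIAL_OPTIONS = ("aws_access_key_id", "aws_secret_access_key")

def audit_shared_config(config_text, env):
    """Check a StarCluster config that is meant to be shared between IAM users.

    Returns (embedded, missing): credential options hardcoded in the file, and
    credential variables that the given environment mapping does not supply.
    Only names are reported, so the report itself cannot leak a secret.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    aws = parser["aws info"] if parser.has_section("aws info") else {}
    # configparser lowercases option names, so AWS_ACCESS_KEY_ID matches here.
    embedded = [opt for opt in CREDENTIAL_OPTIONS if aws.get(opt, "").strip()]
    missing = [opt.upper() for opt in CREDENTIAL_OPTIONS
               if not env.get(opt.upper(), "").strip()]
    return embedded, missing

# Constructed sample configs; the key values are placeholders, not real credentials.
LEAKY = """\
[aws info]
AWS_ACCESS_KEY_ID = AKIAEXAMPLEPLACEHOLD
AWS_SECRET_ACCESS_KEY = placeholder-secret-value

[cluster mycluster]
CLUSTER_SIZE = 2
"""

SHAREABLE = """\
[aws info]
# credentials are taken from each user's environment

[cluster mycluster]
CLUSTER_SIZE = 2
"""

if __name__ == "__main__":
    import os
    for name, text in (("leaky", LEAKY), ("shareable", SHAREABLE)):
        embedded, missing = audit_shared_config(text, os.environ)
        print(f"{name}: embedded={embedded} missing_from_env={missing}")
```

A file is safe to pass around when the first list is empty; the second list tells the receiving user which variables to export before running starcluster.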
