This repository has been archived by the owner on Apr 11, 2023. It is now read-only.
Jeremy Nicklas edited this page Jul 12, 2016 · 24 revisions

Documentation Guide

The Open OnDemand Project is an open-source software project, based on the Ohio Supercomputer Center's proven "OSC OnDemand" platform, that enables HPC centers to install and deploy advanced web and graphical interfaces for their users. More information can be found in the paper http://dx.doi.org/10.1145/2949550.2949644.

Components

Details of the components that make up the Open OnDemand infrastructure.

Proxy and PUN

The core of the infrastructure is a proxy layer through which all traffic passes, encrypted with the SSL protocol on port 443. The Apache proxy parses the URI and dynamically determines where to route the traffic. In most cases the traffic is routed to the per-user NGINX (PUN) web server.

The PUN is an NGINX server instance that runs as a system-level user and listens on a Unix domain socket. File and directory permissions restrict access to this Unix domain socket so that only the proxy daemon can communicate with the PUN.

| Component | Description |
| --- | --- |
| ood-portal-generator | Generates an Open OnDemand portal config for an Apache server that defines the proxy interface. |
| mod_ood_proxy | An Apache httpd module implementing the Open OnDemand proxy API. |
| nginx_stage | Stages and controls the per-user NGINX (PUN) instances. |
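
The socket restriction described above can be checked on a host with a small audit like the following. This is an added example, not code from the Open OnDemand project: it simulates the classic Unix permission check (search on the containing directory, write on the socket file) for a given identity. The socket path and the proxy and "unrelated user" identities are assumptions supplied by the caller, and the demo uses a constructed throwaway socket rather than a real PUN socket.

```python
import os
import socket
import stat
import tempfile

def class_allows(st, uid, gids, owner_bit, group_bit, other_bit):
    """Classic Unix DAC: exactly one class (owner, group, other) applies."""
    if uid == st.st_uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def can_connect(sock_path, uid, gids):
    """True if a non-root identity could connect(2) to the socket on Linux:
    search permission on the containing directory and write permission on
    the socket file. ACLs, MAC policy and ancestor directories are ignored."""
    sock_path = os.path.abspath(sock_path)
    sock = os.lstat(sock_path)
    if not stat.S_ISSOCK(sock.st_mode):
        raise ValueError(f"{sock_path} is not a Unix domain socket")
    parent = os.stat(os.path.dirname(sock_path))
    return (class_allows(parent, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
            and class_allows(sock, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH))

def audit_pun_socket(sock_path, proxy_id, other_id):
    """proxy_id and other_id are (uid, set_of_gids) pairs. An empty result
    means the proxy can reach the socket and the unrelated identity cannot."""
    findings = []
    if not can_connect(sock_path, *proxy_id):
        findings.append("proxy daemon cannot reach the socket")
    if can_connect(sock_path, *other_id):
        findings.append("unrelated local user can reach the socket")
    return findings

if __name__ == "__main__":
    # Constructed sample: a throwaway socket standing in for a PUN socket.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pun.sock")
        srv = socket.socket(socket.AF_UNIX)
        srv.bind(path)
        st = os.stat(d)
        proxy = (st.st_uid + 1, {st.st_gid})      # hypothetical proxy, in the directory's group
        other = (st.st_uid + 2, {st.st_gid + 1})  # hypothetical unrelated local user
        for dir_mode, sock_mode in ((0o750, 0o660), (0o755, 0o666)):
            os.chmod(d, dir_mode)
            os.chmod(path, sock_mode)
            print(oct(dir_mode), oct(sock_mode), audit_pun_socket(path, proxy, other))
```

An empty findings list for the first mode pair and an "unrelated local user" finding for the second shows how a single permissive mode on both the directory and the socket removes the isolation between users.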

Authentication and Authorization

There is no required authentication mechanism built into Open OnDemand, but we do provide a recommended solution. The recommended solution uses the mod_auth_openidc module within the Apache proxy to authenticate users against an OpenID Connect Provider for federated authentication.

After the user authenticates with their OpenID Connect Provider, authorization is granted by mapping the user's authenticated username to a local system username. The Apache proxy does this by calling a script that performs the user mapping lookup. If the mapping fails, the user can be taken to a registration page where he or she can set up a mapping.

| Component | Description |
| --- | --- |
| mapdn | Scripts to set up and maintain mappings from Distinguished Names (DNs) to local usernames. |
| ood_auth_map | The user mapping script employed by OSC for OnDemand and AweSim. |
| ood_auth_discovery | OpenID Connect discovery page for OSC OnDemand. |
| ood_auth_registration | OSC OnDemand OpenID Connect registration page. |

Installation

App Deployment Strategy
