[ci skip] Autodoc commit for 51f49d7a63424ccd0b195012fbe2ad676a842977.

ubuntu-24.04/.buildinfo

@@ -0,0 +1,4 @@
+# Sphinx build info version 1
+# This file hashes the configuration used when building these files. When it is not found, a full rebuild will be done.
+config: 68bf2896e8985bb2d9ae485c4a79ebe4
+tags: 645f666f9bcd5a90fca523b33c5a78b7

ubuntu-24.04/_sources/architecture.rst.txt

@@ -0,0 +1,115 @@
+.. _architecture:
+
+Architecture
+============
+
+Below are some diagrams of OnDemand's architecture:
+
+#. Overview is a high level visual generated from Powerpoint.
+#. System context and Container context diagrams below follow the `C4 <https://c4model.com/>`_.
+   model for software diagrams, are more technically detailed and are built using draw.io
+#. Request flow diagram is a sequence diagram built using plantuml.
+
+Overview
+--------
+
+
+.. figure:: /architecture/ood_overview.png
+
+#. Apache is the server front end, running as the Apache user, and accepting all requests from users and serves four primary functions:
+
+   #. Authenticates user.
+   #. Starts Per-User NGINX processes (PUNs).
+   #. Reverse proxies each user to her PUN via Unix domain sockets.
+   #. Reverse proxies to interactive apps running on compute nodes (RStudio, Jupyter, VNC desktop) via TCP sockets.
+
+#. The Per-User NGINX serves web apps in Ruby and NodeJS and is how users submit jobs and start interactive apps.
+
+
+System context
+-----------------------
+
+Users use OnDemand to interact with their HPC resources through a web browser.
+
+.. figure:: /architecture/ood_system_view.png
+
+All the gray components are specific to a given site and outside the OnDemand
+system.
+
+Container context
+-----------------------
+
+.. tip::
+
+   In the C4 nomenclature, 'containers' are one level below the system context. This is
+   not to be confused with Linux containers via cgroups and namespaces (i.e. Docker or
+   Singularity or `OCI containers <https://www.opencontainers.org/>`_).
+
+The Front-end proxy is the only component that is shared with all clients.
+The Front-end proxy will create Per User Nginx (PUN) processes (light blue boxes labeled "Per User Instance").
+
+.. figure:: /architecture/ood_container_view.png
+
+* Everything contained in the dotted line is a part of the OnDemand system (see blue box in System context diagram).
+* Everything outside of it in gray is site specific components.
+* The "Per User Instance" light blue boxes are replicated for every user accessing the system.
+
+Request Flow
+-------------
+
+This is the request flow through the OnDemand system. A user initiates a
+request through a browser and this illustrates how that request propagates
+through the system to a particular application (including the dashboard).
+
+.. uml:: architecture/request-flow.uml
+
+Other Request Flow Diagrams
+----------------------------
+
+================
+Dashboard Access
+================
+
+.. figure:: /app-flow-diagrams/flow_access_dashboard.png
+
+=============
+Passenger App
+=============
+
+.. figure:: /app-flow-diagrams/flow_access_passenger_app.png
+
+================
+User App Sharing
+================
+
+.. figure:: /app-flow-diagrams/flow_access_usr_app_via_app_sharing.png
+
+==============
+Authentication
+==============
+
+.. figure:: /app-flow-diagrams/flow_authentication.png 
+
+==================
+Linux Host Adapter
+==================
+
+.. figure:: /app-flow-diagrams/flow_linux_host_adapter.png
+
+===========
+Rstudio Job
+===========
+
+.. figure:: /app-flow-diagrams/flow_rstudio_job.png
+
+=============
+Shell Session
+=============
+
+.. figure:: /app-flow-diagrams/flow_start_shell_session.png
+
+===============
+VNC Desktop Job
+===============
+
+.. figure:: /app-flow-diagrams/flow_vnc_desktop_job.png

ubuntu-24.04/_sources/authentication.rst.txt

@@ -0,0 +1,44 @@
+.. _authentication:
+
+Authentication
+==============
+
+Open OnDemand supports most authentication modules that work with Apache HTTP
+Server version 2.4. The following :ref:`authentication-overview` section
+provides an introduction to setting up these generic authentication modules
+with an Open OnDemand installation. Tutorials will also be provided with the
+focus on setting up some of the more common authentication modules (e.g.,
+OpenID Connect with KeyCloak).
+
+After installing Open OnDemand you **must** add authentication of some kind
+to generate the correct Apache configuration.  When no authentication is
+supplied Apache will only serve a static page that directs you here.
+
+No Open OnDemand functionality is available without authentication.
+
+.. note::
+
+   If you managed to install an Apache authentication module at your center
+   that currently does not have a tutorial listed below we would greatly
+   appreciate it if you could take the time to contribute a detailed
+   walkthrough.
+
+
+.. tip::
+
+    :ref:`Dex <authentication-dex>` is a very good starting option if you can connect
+    to LDAP or Active Directory and not an institutional Single Sign-On service.
+
+.. toctree::
+   :maxdepth: 2
+
+   authentication/overview
+   authentication/oidc
+   authentication/dex
+   authentication/shibboleth
+   authentication/cas
+   authentication/tutorial-oidc-keycloak-rhel7
+   authentication/duo-2fa-with-keycloak
+   authentication/adfs-with-auth-mellon
+   authentication/nsf-access
+   authentication/insecure

ubuntu-24.04/_sources/authentication/adfs-with-auth-mellon.rst.txt

@@ -0,0 +1,113 @@
+.. _authentication-adfs-with-auth-mellon:
+
+SAML Authentication with Active Directory Federated Services (ADFS) and mod_auth_mellon
+========================================================================================
+
+The following details how to use ADFS infrastructure via SAML authentication to authenticate to an OpenOnDemand deployment. 
+
+Prepare the Host
+--------------------------------------------------
+Before beginning, retrieve the following information from the ADFS administrator:
+
+#. The SAML 2.0 service URL (e.g., https://adfs.organization.com/ADFS/ls)
+#. The IdP metadata URL (e.g., https://adfs.organization.com/ADFS/metadata.xml)
+#. Ensure SSL is properly configured and any organizational certificate authorities are properly integrated into the host's trust store, see :ref:`add-ssl`
+
+Install mod_auth_mellon
+--------------------------------------------------
+
+#. Ensure Software Collections is enabled on the system
+#. Install the mod_auth_mellon module:
+
+.. tabs::
+
+  .. tab:: EL7
+
+    .. code-block:: shell
+
+      yum install httpd24-mod_auth_mellon httpd24-mod_ssl
+
+  .. tab:: EL8+
+
+    .. code-block:: shell
+
+      yum install mod_auth_mellon mod_ssl
+
+  .. tab:: Ubuntu
+
+    .. code-block:: shell
+
+      apt install libapache2-mod-auth-mellon
+
+Configure mod_auth_mellon
+--------------------------------------------------
+
+Note that this configuration assumes that SAML has been configured such that the returned NameID directly maps to a Unix user on the OOD host. For more information, see https://jdennis.fedorapeople.org/doc/mellon-user-guide/mellon_user_guide.html
+
+#. Download the IDP metadata file
+
+   .. code-block:: shell
+
+      cd /etc/httpd/mellon/
+      wget https://adfs.organization.com/ADFS/metadata.xml -O idpmetadata.xml
+
+#. Generate the mellon metadata
+
+   .. code-block:: shell
+
+      export mellon_endpoint="https://$(hostname)/mellon"
+      /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh "${mellon_endpoint}/metadata" "${mellon_endpoint}"
+      mv *.cert ./mellon.cert
+      mv *.key ./mellon.key
+      mv *.xml ./mellon_metadata.xml
+
+#. Create a mellon configuration file
+
+   .. code-block:: shell
+
+      vi /etc/httpd/conf.d/00-mellon.conf
+
+#. Add the following to the ``00-mellon.conf`` file
+
+   .. code-block:: xml
+
+      <Location />
+        MellonSPPrivateKeyFile /etc/httpd/mellon/mellon.key
+        MellonSPCertFile /etc/httpd/mellon/mellon.cert
+        MellonSPMetadataFile /etc/httpd/mellon/mellon_metadata.xml
+        MellonIdPMetadataFile /etc/httpd/mellon/idpmetadata.xml
+
+        MellonEndpointPath /mellon
+        MellonEnable "auth"
+      </Location>
+
+#. Convert the key and cert files into pfx format
+
+   .. code-block:: shell
+
+      openssl pkcs12 -export -inkey /etc/httpd/mellon/mellon.key -in /etc/httpd/mellon/mellon.cert -out /etc/httpd/mellon/mellon.pfx
+
+#. Provide the ``mellon.pfx`` and ``mellon_metadata.xml`` files to your ADFS administrator. The files can then be imported into the ADFS system. 
+
+Configure OOD
+--------------------------------------------------
+
+#. Edit the ``ood_portal.yml`` file to include the following:
+
+   .. code-block:: yaml
+
+      # /etc/ood/config/ood_portal.yml
+      ---
+      # ...
+      # Your other custom configuration options...
+      # ...
+
+      auth:
+        - 'AuthType Mellon'
+        - 'Require valid-user'
+
+#. Restart the HTTPD
+
+   .. code-block:: shell
+
+      systemctl restart httpd

ubuntu-24.04/_sources/authentication/cas.rst.txt

@@ -0,0 +1,13 @@
+.. _authentication-cas:
+
+CAS
+---
+
+Several HPC centers running OnDemand have successfully configured authentication using Central Authentication Service (CAS).
+
+See `this Discourse <https://discourse.osc.edu/t/implementing-authentication-via-cas/34>`__ topic regarding several different examples configuring CAS authentication with OnDemand.
+
+Related links:
+
+- `mod_auth_cas <https://github.com/apereo/mod_auth_cas>`__
+- `CAS project website <https://www.apereo.org/projects/cas>`__