The Process Launcher solves two challenges in the traditional HPC environment:
User impersonation and API-to-CLI conversion
Problem: As described in Authentication and Authorization, jobs are submitted as the service user rather than the user who created the task.
However, traditional HPC schedulers require job submissions to run as the actual end user who initiated the task, as various functions may depend on it (for example, file permissions, storage quotas, job and cost accounting, and QoS). Furthermore, these schedulers primarily use Command-Line Interfaces (CLI), whereas HPS services communicate via APIs.
In ideal circumstances, cloud-native services would talk API to API, passing along tokens so that each job is submitted as the end user who initiated it. Unfortunately, LSF, Slurm, PBS, and UGE do not currently provide an API, or do not treat one as a first-class citizen alongside their CLI. Therefore, an API-to-CLI conversion mechanism is needed to allow this type of job submission to happen. This “converter” is called the Process Launcher.
Solution: The Process Launcher acts as a secure bridge. It receives API requests from HPS services containing the end user's validated authentication token (from Keycloak). It then translates this request into the appropriate scheduler CLI command (for example, sbatch, qsub) and, using its elevated privileges, executes that command as the original end user.
User mapping
Problem: Often in HPC environments, the username used for signing into HPS via Keycloak/IAM (for example, jane.doe@company.com) might differ from the username required on the HPC cluster (for example, jdoe01).
Solution: The Process Launcher provides a configurable mapping to translate the authenticated username from the token into the corresponding local HPC username before submitting the job.
To perform these actions securely, the Process Launcher validates user tokens against Keycloak and runs as a privileged user, but includes safeguards (like preventing job submission as root). It essentially enables modern, API-driven HPS services to interact correctly and securely with traditional, CLI-based HPC schedulers while respecting user identities and permissions.
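A sketch of the user mapping, root refusal and API-to-CLI steps described above, added here as an illustration and not taken from the Process Launcher itself. It assumes the token has already been validated against Keycloak; the mapping table, the passwd stand-in, the sudo -u hand-off, the fail-closed handling of unmapped users and all function names are assumptions.

```python
import os
import re

# Constructed sample data (not from the product): IdP username -> cluster account,
# and a stand-in for the passwd database (account -> UID).
USER_MAP = {"jane.doe@company.com": "jdoe01", "ops@company.com": "toor"}
PASSWD = {"jdoe01": 1501, "toor": 0, "root": 0}
SUBMIT_CLI = {"slurm": "sbatch", "pbs": "qsub"}
LOCAL_NAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


class SubmissionRefused(Exception):
    """Raised whenever the request must not reach the scheduler."""


def resolve_local_user(token_username, user_map, uid_lookup):
    """Map a validated token username to a non-root local account."""
    local = user_map.get(token_username)
    if local is None:
        # Fail closed: never fall back to the raw token username.
        raise SubmissionRefused(f"no mapping for {token_username!r}")
    if not LOCAL_NAME.fullmatch(local):
        raise SubmissionRefused(f"invalid local account name {local!r}")
    uid = uid_lookup(local)
    if uid is None:
        raise SubmissionRefused(f"unknown local account {local!r}")
    if uid == 0:
        # Check the UID, not the name: any UID-0 alias is root.
        raise SubmissionRefused(f"{local!r} has UID 0")
    return local


def build_submit_argv(scheduler, local_user, script_path):
    """Return the argv list for the submission; no shell is involved."""
    cli = SUBMIT_CLI.get(scheduler)
    if cli is None:
        raise SubmissionRefused(f"unsupported scheduler {scheduler!r}")
    if not os.path.isabs(script_path):
        # An absolute path cannot be parsed as an option by the scheduler CLI.
        raise SubmissionRefused("script path must be absolute")
    return ["sudo", "-n", "-u", local_user, "--", cli, script_path]


if __name__ == "__main__":
    user = resolve_local_user("jane.doe@company.com", USER_MAP, PASSWD.get)
    print(build_submit_argv("slurm", user, "/home/jdoe01/job.sh"))
```

The UID comparison is what catches a mapping that points at a differently named UID-0 account, which a check on the literal name root would miss.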