Merge branch 'main' into dev

2026-06-24 20:40:40 +02:00 · 2026-06-19 11:34:50 +02:00
parent 5ff1b13591 ed6affaa25
commit 0a86ee7b7f
3 changed files with 240 additions and 44 deletions
@@ -1,13 +1,8 @@
 data/job-archive
 data/job-archive/**
-data/influxdb
 data/sqldata
 data/cc-metric-store
 data/cc-metric-store-source
-data/ldap
-data/mariadb
 data/slurm
-data
-cc-backend
 cc-backend/**
 .vscode
@@ -0,0 +1,239 @@
+# ClusterCockpit Bootstrap LDAP Directory
+# =========================================
+# Domain: dc=example,dc=com  (LDAP_DOMAIN=example.com in docker-compose.yml)
+# Admin DN: cn=admin,dc=example,dc=com  (set via LDAP_ADMIN_PASSWORD env)
+#
+# All test user passwords: "password"
+#   {SHA} hash verification: slappasswd -h {SHA} -s password
+#
+# Suggested cc-backend ldap config (config.json):
+#   "url":         "ldap://ldap:389"
+#   "user-base":   "ou=people,dc=example,dc=com"
+#   "search-dn":   "uid=ccbinduser,ou=people,dc=example,dc=com"
+#   "user-bind":   "uid={username},ou=people,dc=example,dc=com"
+#   "user-filter": "(&(objectclass=posixAccount)(!(uid=ccbinduser)))"
+#   "username-attr": "gecos"
+#   "uid-attr":    "uid"
+#   "sync-password": "password"
+#
+# ClusterCockpit roles (from cc-lib/schema/user.go):
+#   anonymous < api < user < manager < support < admin
+# =========================================
+
+# ---------------------------------------------------------------------------
+# Organizational Units
+# ---------------------------------------------------------------------------
+
+dn: ou=people,dc=example,dc=com
+objectClass: organizationalUnit
+objectClass: top
+ou: people
+description: HPC user accounts
+
+dn: ou=groups,dc=example,dc=com
+objectClass: organizationalUnit
+objectClass: top
+ou: groups
+description: HPC project groups and ClusterCockpit role groups
+
+# ---------------------------------------------------------------------------
+# Service account used by cc-backend for LDAP search binding
+# ---------------------------------------------------------------------------
+
+dn: uid=ccbinduser,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+cn: CC Bind User
+sn: BindUser
+uid: ccbinduser
+uidNumber: 500
+gidNumber: 500
+homeDirectory: /home/ccbinduser
+description: Service account for cc-backend LDAP search
+userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
+
+# ---------------------------------------------------------------------------
+# Test users
+# Role membership is tracked via cc-role-* groups below.
+# ---------------------------------------------------------------------------
+
+# admin01 — ClusterCockpit admin
+dn: uid=admin01,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+cn: Admin User
+sn: User
+uid: admin01
+uidNumber: 1001
+gidNumber: 1001
+homeDirectory: /home/admin01
+gecos: Admin User
+mail: admin01@example.com
+userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
+
+# support01 — ClusterCockpit support staff
+dn: uid=support01,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+cn: Support User
+sn: User
+uid: support01
+uidNumber: 1002
+gidNumber: 1001
+homeDirectory: /home/support01
+gecos: Support User
+mail: support01@example.com
+userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
+
+# manager01 — ClusterCockpit project manager
+dn: uid=manager01,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+cn: Manager User
+sn: User
+uid: manager01
+uidNumber: 1003
+gidNumber: 1001
+homeDirectory: /home/manager01
+gecos: Manager User
+mail: manager01@example.com
+userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
+
+# user01 — regular HPC user
+dn: uid=user01,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+cn: Regular User 01
+sn: User
+uid: user01
+uidNumber: 1010
+gidNumber: 1001
+homeDirectory: /home/user01
+gecos: Regular User 01
+mail: user01@example.com
+userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
+
+# user02 — regular HPC user (also member of a project group)
+dn: uid=user02,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+cn: Regular User 02
+sn: User
+uid: user02
+uidNumber: 1011
+gidNumber: 1001
+homeDirectory: /home/user02
+gecos: Regular User 02
+mail: user02@example.com
+userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
+
+# user03 — regular HPC user (also member of a project group)
+dn: uid=user03,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+cn: Regular User 03
+sn: User
+uid: user03
+uidNumber: 1012
+gidNumber: 1001
+homeDirectory: /home/user03
+gecos: Regular User 03
+mail: user03@example.com
+userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
+
+# apiuser01 — programmatic/service API access
+dn: uid=apiuser01,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+cn: API User 01
+sn: User
+uid: apiuser01
+uidNumber: 1020
+gidNumber: 1001
+homeDirectory: /home/apiuser01
+gecos: API User 01
+mail: apiuser01@example.com
+userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
+
+# ---------------------------------------------------------------------------
+# ClusterCockpit role groups
+# These map to cc-lib Role constants:  admin, support, manager, user, api
+# cc-backend can use these for group-based user filtering or future role sync.
+# Example user-filter to restrict login to group members:
+#   (&(objectclass=posixAccount)(memberOf=cn=cc-users,ou=groups,dc=example,dc=com))
+# Note: memberOf requires the memberof overlay; use memberUid for posixGroup.
+# ---------------------------------------------------------------------------
+
+dn: cn=cc-admins,ou=groups,dc=example,dc=com
+objectClass: posixGroup
+objectClass: top
+cn: cc-admins
+gidNumber: 2000
+description: ClusterCockpit administrators (role: admin)
+memberUid: admin01
+
+dn: cn=cc-support,ou=groups,dc=example,dc=com
+objectClass: posixGroup
+objectClass: top
+cn: cc-support
+gidNumber: 2001
+description: ClusterCockpit support staff (role: support)
+memberUid: support01
+
+dn: cn=cc-managers,ou=groups,dc=example,dc=com
+objectClass: posixGroup
+objectClass: top
+cn: cc-managers
+gidNumber: 2002
+description: ClusterCockpit project managers (role: manager)
+memberUid: manager01
+
+dn: cn=cc-users,ou=groups,dc=example,dc=com
+objectClass: posixGroup
+objectClass: top
+cn: cc-users
+gidNumber: 2003
+description: ClusterCockpit regular users (role: user)
+memberUid: user01
+memberUid: user02
+memberUid: user03
+
+dn: cn=cc-api,ou=groups,dc=example,dc=com
+objectClass: posixGroup
+objectClass: top
+cn: cc-api
+gidNumber: 2004
+description: ClusterCockpit API/service accounts (role: api)
+memberUid: apiuser01
+
+# ---------------------------------------------------------------------------
+# HPC project groups (for testing manager project-scoping)
+# A manager assigned to project hpc_proj_alpha can view all jobs in that project.
+# ---------------------------------------------------------------------------
+
+dn: cn=hpc_proj_alpha,ou=groups,dc=example,dc=com
+objectClass: posixGroup
+objectClass: top
+cn: hpc_proj_alpha
+gidNumber: 3001
+description: HPC project alpha
+memberUid: manager01
+memberUid: user01
+memberUid: user02
+
+dn: cn=hpc_proj_beta,ou=groups,dc=example,dc=com
+objectClass: posixGroup
+objectClass: top
+cn: hpc_proj_beta
+gidNumber: 3002
+description: HPC project beta
+memberUid: manager01
+memberUid: user03
@@ -59,22 +59,6 @@ services:
    restart: always
    command: --verbose start --optimized

-  mariadb:
-    container_name: mariadb
-    image: mariadb:latest
-    command: ["--default-authentication-plugin=mysql_native_password"]
-    environment:
-      MARIADB_ROOT_PASSWORD: root
-      MARIADB_DATABASE: slurm_acct_db
-      MARIADB_USER: slurm
-      MARIADB_PASSWORD: demo
-    ports:
-      - "0.0.0.0:3306:3306"
-    volumes:
-      - ${DATADIR}/mariadb:/docker-entrypoint-initdb.d
-    cap_add:
-      - SYS_NICE
-
  slurmctld:
    container_name: slurmctld
    hostname: slurmctld
@@ -128,25 +112,3 @@ services:
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "6818:6818"
-
-  slurmrestd:
-    container_name: slurmrestd
-    hostname: slurmrestd
-    build:
-      context: ./slurm/rest
-    environment:
-      - SLURM_JWT=daemon
-      - SLURMRESTD_DEBUG=9
-    depends_on:
-      - slurmctld
-    privileged: true
-    volumes:
-      - ${DATADIR}/slurm/home:/home
-      - ${DATADIR}/slurm/secret:/.secret
-      - ./slurm/controller/slurm.conf:/home/config/slurm.conf
-      - ./slurm/rest/slurmrestd.conf:/home/config/slurmrestd.conf
-      - /etc/timezone:/etc/timezone:ro
-      - /etc/localtime:/etc/localtime:ro
-    ports:
-      - "6820:6820"
-