
Usability: Document AiiDA support of two-factor/multi-factor authentication (2FA/MFA) #10

Open
giovannipizzi opened this issue Feb 23, 2023 · 0 comments
Labels
roadmap/proposed A roadmap item that has been proposed but not yet processed

Comments

@giovannipizzi
Member

Motivation

In order to increase security and reduce possible downtime due to security breaches, many supercomputer centres have an MFA approach in place (or are putting one in place).
By design, an MFA approach requires human intervention, and this collides with the automation needs of AiiDA, which connects to supercomputers (to submit, monitor, parse and retrieve jobs) without human supervision.
We also highlight that every centre has different requirements and implementation approaches, so no single solution is possible.

Desired Outcome

Document clearly how, and to which extent, AiiDA supports MFA, using example use cases from centres we know to discuss the various options. Have a dedicated documentation page that guides users through the various options, and through the actions (and possibly discussions) they need to take in interaction with their supercomputer centre to support the use of AiiDA there.

Impact

This will automatically address the typical question from users of how AiiDA supports these use cases, and provide clear guidance to users on how to proceed, as well as some guidelines that can be read by (or provided directly to) the supercomputer admins to facilitate discussions.

Complexity

I would consider this task finalised when at least the use cases that we know of are documented; therefore, I consider the complexity low: it is mostly documentation of known use cases.

Background

A few options I see, to be discussed:

  • minimal requirements to ask of the supercomputer centre: how an external code (in this case AiiDA) can automatically connect and manage calculations without user intervention
    • If there is a way, we can check whether AiiDA supports that approach. The ones we currently support:
      • CSCS: keys that are generated and last for a fixed number of hours
      • FirecREST
      • direct installation on some computer/VM inside the supercomputer network, so that the connection to the clusters does not go through 2FA
    • if there is no way, keep discussing with the admins: if they don't allow a machine to connect to their computers, there is not much we can do from the AiiDA side (and we don't work on unaccepted workarounds; it should be a solution accepted by the supercomputer admins).

Progress

  • CSCS provides a 2FA where the key is generated and has a short validity (e.g. 24h). This is quite transparent to AiiDA: it's a standard SSH connection, and when the key expires, it behaves like a non-working connection
  • other centres provide a way to add a 2FA token to each SSH connection. This is harder to work around (in a way that is accepted by the security team of the centres). One might want to suggest discussing with the supercomputer centre and installing AiiDA inside the 2FA fence (i.e. you connect with 2FA first to the AiiDA server, and then AiiDA does not need to use 2FA to connect to the cluster)
  • @sphuber worked with a US centre to support AiiDA, where in the end AiiDA was installed within the centre, which would provide e.g. RabbitMQ, PostgreSQL, ... and he can document his use case. I think the people from the centre were also interested in sharing their experience with AiiDA.
  • FirecREST support in AiiDA is being developed and constitutes one secure way to connect without SSH, at least at CSCS (and possibly elsewhere in the future)
@giovannipizzi giovannipizzi added the roadmap/proposed A roadmap item that has been proposed but not yet processed label Feb 23, 2023