none
Handling ever changing credentials to HPC Cluster database

    Question

  • Dear all, 

    With one of our clients, we are required to call the centralize service & get the database credentials whenever we access the database. This means that database authentication are dynamic and they cannot be statically configured.

    We want to use Windows HPC pack, and to access job database HPC pack will need to access this credential provider service. How to do this? Is there any way we can override the HPC database connectivity module? Is there any way we can inject some script to update the credentials before windows HPC make any calls? Please help us here.

    Thanks,

    Puneet

    Friday, February 10, 2017 9:32 PM

All replies

  • If it is local DB on the headnode, I think it should be okay?

    If it is remote DB, HPC Pack service will get the DB connection string from the registry key (Please check this), the connection string is loaded by the service during service startup. Thus, if may possible to update the registry key and restart corresponding service every time the key has been expired.

    Currently I don't think we have a capability to inject or override the HPC connectivity module. And do does every SQL call needs a new credential?


    Qiufang Shi

    Monday, February 13, 2017 7:58 AM
  • Hi Qiufang,

    Thanks for the prompt reply. Let me explain the situation in more detail. If some enterprise is using CyberArk privileged account security system then it's always mandatory to request refreshed/updated passwords from the CyberArk service whenever older passwords have been changed due to security reasons.

    Can we extend HPC pack in such a way that if access to job database has been denied due to changed credential then the HPC system can request updated password from this service and access the job database again without restarting the head/master node service. HPC system can also cache this new password for further usage until it gets expired.

    Please let me know if this is any way to achieve this scenario.

    Thanks, Puneet  

    Monday, February 13, 2017 12:46 PM
  • Hi Puneet,

      Short answer to you: this is not possible before HPC Pack 2016. I'll check whether it is possible in HPC Pack 2016 new HA infra.

      And this is the first time we receive this requirement, could you tell us more about your usage scenario (Email hpcpack@microsoft.com ), things like: whether you are going to use cloud, what type of appliations will be running on the cluster, and how big the cluster will it be. Whether HA/DR is required, whether you plan to migrate to HPC Pack 2016 if we provide the fix in HPC Pack 2016?


    Qiufang Shi

    Tuesday, February 14, 2017 1:17 AM
  • Hi Qiufang,

    Thanks a lot for your continuous support. I have sent an email to "hpcpack@microsoft.com" group, and its title is "Can Windows HPC Pack 2016 work with CyberArk Privileged Account Security System".  Please review it and let me know if more information is needed.

    Regarding HPC Pack 2016 adoption, we are completely open to it if it can solve this CyberArk problem. Please guide me to the appropriate documentation if needed.

    Thanks,

    Puneet

    Tuesday, February 14, 2017 11:14 PM
  • Thanks Puneet for reaching us, as discussed through the email, we will try to provide a plugin in our HPC Pack 2016 Update 1 release.

    Qiufang Shi

    Thursday, February 16, 2017 2:20 AM