SuperCloud Lite in the Cloud - lightweight, secure, self-service, on-demand mechanisms for creating customizable research computing environments

Abstract

We describe and examine an automation for deploying on-demand, OAuth2 secured virtual machine instances. Our approach does not require any expert security and web service knowledge to create a secure instance. The approach allows non-experts to launch web-accessible virtual machine services that are automatically secured through OAuth2 authentication, an authentication standard widely employed in academic and enterprise environments. We demonstrate the approach through an example of creating secure commercial cloud instances of the MIT SuperCloud modern research computing oriented software stack. A small example of a use case is examined and compared with native MIT SuperCloud experience as a preliminary evaluation. The example illustrates several useful features. It retains OAuth2 security guarantees and leverages a simple OAuth2 proxy architecture that in turn employs simple DNS based service limits to manage access to the proxy service. The system has the potential to provide a default secure environment in which access is, in theory, limited to a narrow trust circle. It leverages WebSockets to provide a pure browser enabled, zero install base service. For the user, it is entirely self-service so that a non-expert, non-privileged user can launch instances, while supporting access to a familiar environment on a broad selection of hardware, including high-end GPUs and isolated bare-metal resources. The environment includes pre-configured browser based desktop GUI and notebook configurations. It can provide the option of end-user privileged access to the VM for flexible customization. It integrates with a simplified cost-monitoring and machine management framework that provides visibility to commercial cloud charges and some budget guard rails, and supports instance stop, restart, and pausing features to allow intermittent use and cost reduction.