[GE users] SGE authentication

Brooks Davis brooks at aero.org
Tue Apr 13 01:39:40 BST 2004


Better yet, use CSP which uses PKI to validate users.  Due to the way it
operates, it still assumes the filesystem is secure, but doesn't require
that you trust every host on the network.

Without either of these features (or kerberos support) enabled, SGE will
allow anyone to run jobs as anyone else if they fake up a client or use
a normal client with the right tricks (think port forwarding).  The
default mode is actually worse then rsh.

It would be nice if the GSSAPI support were expanded to include GSI
support.  That would be really useful in grid enabled shops.

-- Brooks

On Mon, Apr 12, 2004 at 05:02:56PM -0700, Ron Chen wrote:
> By default, SGE does not use privileged ports for the
> job submission utility, mainly due to NFS issues with
> setuid binaries.
> 
> If higher security is needed, you just need to pass
> "-resport" to the install scripts when setting up the
> cluster.
> 
> For details about "-resport" and other security
> methods:
> http://gridengine.sunsource.net/unbranded-source/browse/~checkout~/gridengine/source/security/security.html?rev=1.4&content-type=text/html
> 
>  -Ron
> 
> --- canon at nersc.gov wrote:
> > 
> > I had a quick question.  How does SGE know to trust
> > a job submission?
> > LSF uses privileged ports and suid binaries to
> > provide some
> > "authentication".  What does SGE do?  Could someone
> > modify qsub
> > and submit jobs as anyone?
> > 
> > --Shane
> > 
> >
> ------------------------------------------------------------------------
> > Shane Canon                             voice:
> > 510-486-6981
> > PSDF Project Lead                       fax:  
> > 510-486-7520
> > National Energy Research Scientific
> >   Computing Center                       
> > 1 Cyclotron Road Mailstop 943-256
> > Berkeley, CA 94720                     
> > canon at nersc.gov
> >
> ------------------------------------------------------------------------
> > 
> > 
> > 
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > users-unsubscribe at gridengine.sunsource.net
> > For additional commands, e-mail:
> > users-help at gridengine.sunsource.net
> > 
> 
> 
> __________________________________
> Do you Yahoo!?
> Yahoo! Tax Center - File online by April 15th
> http://taxes.yahoo.com/filing.html
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
> For additional commands, e-mail: users-help at gridengine.sunsource.net

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
For additional commands, e-mail: users-help at gridengine.sunsource.net




More information about the gridengine-users mailing list