[GE users] Any reason not to have all user's workstations as submit hosts?
bill at baddogconsulting.com
Mon Apr 12 21:30:06 BST 2010
On Mon, Apr 12, 2010 at 1:12 PM, benmwebb <ben at salilab.org> wrote:
> On 04/08/2010 04:00 PM, rayson wrote:
>> Mainly related to security.
>> On 4/8/10, bdbaddog<bill at baddogconsulting.com> wrote:
>>> Is there any technical/performance reason to not have every user's
>>> desktop as a submit host?
> As Reuti points out, this basically equates to giving the owners of
> these workstations privileged access to your cluster; an SGE submit host
> can run arbitrary code (SGE jobs) on any machine in your cluster as
> *any* valid SGE user, not just the owner of the workstation. Even if you
> could prevent your users from rooting the workstation and thus
> impersonating any user, the network protocol between submit host and SGE
> master trusts the submit host and does not require an originating port <
> 1024, so a cunning user can simply hack up their own SGE client and
> submit jobs as any user even without rooting the box.
> To at least partially solve this problem, you could deploy CSP:
> Each SGE user gets their own certificate (and those don't live under
> $SGE_ROOT) so you can then simply give out certificates only to the
> submit hosts that need them. Thus Bob can have a submit host on his
> workstation and he receives only the "bob" user certificate; thus even
> if he (or an intruder) roots that workstation, he can only submit jobs
> as the "bob" user. Of course your problem then is an increased
> administrative overhead (certificate management) plus the apparently
> much smaller number of people running SGE with CSP (we do, but I know of
> very few other sites).

I guess I don't see SGE's security concern over rooting a workstation
as being unique to SGE. That is, if a user roots a workstation,
basically all system security is likely subject to compromise.

While it's nice that SGE does provide a certificate-based approach,
for many organizations, it would be a level of security which is not
worth the overhead cost based on the environment.

Thanks to all for all the responses.

Let me summarize:

1) There's no technical or performance issue with having all
workstations as submit hosts.
2) There are security issues, based on a workstation being rooted and
the user assuming another user's identity and then submitting jobs
into the cluster with those rights (which can be somewhat mediated by
the use of CSP, at some administrative overhead cost).

Is that a reasonable summary?
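
The CSP point quoted in this thread, that a submit host should hold only the certificates it needs, can be checked on each workstation. The script below is an added example, not part of the original message and not SGE's own tooling; the `KEYDIR/<user>/key.pem` layout, the function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed layout: KEYDIR/<user>/key.pem (one directory per SGE user).

# audit_userkeys KEYDIR [ALLOWED_USER...]
# Prints one finding per line. Returns 0 when clean, 1 when anything was found.
audit_userkeys() {
    keydir=$1; shift
    rc=0
    for d in "$keydir"/*/; do
        key="${d}key.pem"
        [ -f "$key" ] || continue
        user=$(basename "$d")
        allowed=no
        for u in "$@"; do
            if [ "$u" = "$user" ]; then allowed=yes; fi
        done
        if [ "$allowed" = no ]; then
            echo "UNEXPECTED_KEY $user"   # key for a user this host should not hold
            rc=1
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -ld "$key" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "LOOSE_PERMS $user"      # private key accessible beyond its owner
            rc=1
        fi
    done
    return $rc
}

# make_sample_keydir: constructed sample data (empty placeholder files, not real keys).
make_sample_keydir() {
    t=$(mktemp -d)
    mkdir "$t/bob" "$t/alice" "$t/carol"
    : > "$t/bob/key.pem";   chmod 600 "$t/bob/key.pem"
    : > "$t/alice/key.pem"; chmod 600 "$t/alice/key.pem"
    : > "$t/carol/key.pem"; chmod 644 "$t/carol/key.pem"
    echo "$t"
}

# Demo: Bob's workstation should hold only bob's key.
sample=$(make_sample_keydir)
audit_userkeys "$sample" bob || echo "submit host holds more than it should"
rm -rf "$sample"
```

Run against the real key directory with the workstation owner as the only allowed user; any `UNEXPECTED_KEY` line names an identity that a compromise of that host would expose.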