[GE users] Any reason not to have all user's workstations as submit hosts?

prentice prentice at ias.edu
Wed Apr 14 18:24:10 BST 2010


fx wrote:
> jlb <jlb at salilab.org> writes:
> 
>> Not quite.  As Ben pointed out, it's wouldn't be overly difficult for 
>> someone without root to hack up an SGE client which would allow him or her 
>> to submit jobs as any valid SGE user.
> 
> And presumably similarly on a normal cluster head.
> 
>> Properly administered CSP can help with that.
> 
> Is there any current work on Kerberos integration which would be
> preferable for several reasons (see, e.g., Friebel's talk at the 2007
> workshop)?

Kerberos is good for many reasons. However, when would the kerberos
authentication take place? If it takes place only when the job us
submitted to the queuing system - no problem. However, if the user needs
to be authenticated when the job actually starts execution on the host
in addition to submission time, you run the risk of the kerberos tickets
expiring before the job starts executing.

In a previous life, I set up an SGE 5.x system where SSH authentication
was handled by GSSAPI (Kerberos) for just this reason. Then I realized
that if a job is queued longer than the lifetime of a kerberos ticket's
lifetime, this wouldn't work.

So SGE/SSH/Kerberos wouldn't work. Since now SGE has it's own mechanism
for launching jobs that doesn't use SSH, it's possible depending on
when/where the authentication occurs.

> 
> Somewhat related to this, there's a clear need for a sane (i.e. not
> Globus, not `web services'), fully remote submission system that would
> probably amount to authenticated remote DRMAA.  I can't remember if I've
> asked before, but has anyone done that yet?
> 

-- 
Prentice

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=253411

To unsubscribe from this discussion, e-mail: [users-unsubscribe at gridengine.sunsource.net].



More information about the gridengine-users mailing list