[GE users] Any reason not to have all user's workstations as submit hosts?

prentice prentice at ias.edu
Fri Apr 16 15:30:06 BST 2010


fx wrote:
> prentice <prentice at ias.edu> writes:
> 
>>> Is there any current work on Kerberos integration which would be
>>> preferable for several reasons (see, e.g., Friebel's talk at the 2007
>>> workshop)?
>> Kerberos is good for many reasons. However, when would the kerberos
>> authentication take place? If it takes place only when the job us
>> submitted to the queuing system - no problem. However, if the user needs
>> to be authenticated when the job actually starts execution on the host
>> in addition to submission time, you run the risk of the kerberos tickets
>> expiring before the job starts executing.
> 
> Indeed.  See Friebel's talk, for instance, and what I said elsewhere in
> this thread.  The problems may be mitigated if you have control of all
> the relevant security realms, but you typically don't (e.g. AFS or KDCs
> operated by other people, often highly qualified MCSEs in the case of
> KDCs, unfortunately).  GSSAPI authentication for job submission and
> credential management mechanisms would still be useful, and not
> necessarily confined to Kerberos if one must use GSI, for instance.
> 
>> In a previous life, I set up an SGE 5.x system where SSH authentication
>> was handled by GSSAPI (Kerberos) for just this reason. Then I realized
>> that if a job is queued longer than the lifetime of a kerberos ticket's
>> lifetime, this wouldn't work.
> 
> What threat does doing that internally address?  Incidentally, for
> anything like this there's a non-trivial issue with distributing keytabs
> (or private keys generally, such as CSP ones) securely to nodes during
> startup of a stateless system.
> 
>> So SGE/SSH/Kerberos wouldn't work. Since now SGE has it's own mechanism
>> for launching jobs that doesn't use SSH, it's possible depending on
>> when/where the authentication occurs.
> 
> What's "it"?  As far as I know, the internal mechanism currently doesn't
> do credential forwarding, for instance.

I fear we may have gone off-topic and gone into an entirely academic
discussion.

I was speaking in hypothetical terms - not what's actually possible
today. Sorry if I confused/misled you.

Since SGE has it's own mechanism for launching jobs independent of
SSH/RSH, it's possible to extend the job launch mechanism so SGE could
do authentication/authorization at job submission time only.

If SGE was still relying on SSH/Kerberos, the SSH daemon or
configuration would have to be modified, which could lead to undesired
effects outside of SGE.

-- 
Prentice

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=253676

To unsubscribe from this discussion, e-mail: [users-unsubscribe at gridengine.sunsource.net].



More information about the gridengine-users mailing list