This information is partly historical and describes some facilities that were never working properly. Currently the only fully useful security method is CSP, and it should normally be used, as the system is highly insecure otherwise. The GSS method is partly functional and the hooks for it could be used for checking authentication tokens generated by systems other than GSS ones.
In default mode Grid Engine is installed without any additional security measures. The assumption is made that the Grid Engine cluster is not exposed to any malicious attacks, and anyone who can access the qmaster on a submission host can impersonate any other user on execution hosts on which the other user is allowed to run jobs.
The hosts that belong to the Grid Engine cluster are classified into four categories, where a host can belong to more than one of them:
Apart from the host based access restrictions the users are classified into the categories:
These mechanisms rely on the assumption that the user is who he claims to be and the host is the host that it claims to be and that this information can be trusted.
To enhance the security standard there exist currently three approaches (but only the CSP/OpenSSL one works and is actually secure — see below):
NB. This mechanism is only of historical interest. It is no longer supported, and the programs are not designed to be installed setuid.
The simplest security mechanism is the communication
between Grid Engine components over reserved ports. So any client who is
from a priviledged port number is rejected. The
mechanism used is very similar to the authentication mechanism known from
the rsh/rlogin command suite.
To make use of this security mechanism the following steps are necessary:
What can you expect ?
The communication over reserved ports assures
that only messages that are send from a port in the range 0-1023 are accepted.
This means that only
a program that has been setuid root can send
such messages. So it can be assured that the client programs you are using
are the ones that have been
installed by the Grid Engine administrator.
This implies that the following criteria must be valid:
Here are the steps that are performed by a Grid Engine command as qsub using reserved ports:
This applies to any other client command.
This GSS-API Kerberos implementation was used regularly in Grid Engine 5.3 development and test environments and is used full-time at at least one production site which is running Grid Engine 5.3. This implementation is different than the Enhanced Security Using Kerberos implementation described below in that it is not a full Kerberos implementation but uses Kerberos to authenticate users submitting jobs and to forward user credentials with the job by calling security sub-programs at the appropriate times.
Note that this isn't used to authenticate qconf admin commands, just job submission, and there is no mechanism for "babysitting" tickets needing renewal. It doesn't currently work properly because the hook mechanism for calling the sub-programs is partially broken. It will work within its limits if that is fixed but it may need the interface changing.
This implementation does not require recompiling Grid Engine. It consists of security modules which can be compiled separately and are called by Grid Engine to do authentication and to forward the Kerberos credentials. The security sub-modules are called by client commands (e.g. qsub) and by the Grid Engine daemons (sge_qmaster, sge_execd) at the appropriate times to get and store credentials. The GSS-API modules are used by Grid Engine when it is running in GSS-API mode. The source code for this implementation is located in the directory gridengine/source/security/gss. The source code is not dependent on other Grid Engine components or libraries and can be compiled stand-alone. Details on how to use this implementation can be found in gridengine/source/security/gss/doc/gss_customer.html.
Before you start digging into this, make sure you know how Kerberos/DCE functions
in general. There are many good sites out there in Netland.
Grid Engine can be run in a Kerberos/DCE environment using the corresponding authentication mechanisms. A detailed description how to integrate Grid Engine in such an enviroment can be found here.
This implementation isn't really usable in its current form. This code was developed around 1997 for a Raytheon customer which required Kerberos security at their site. This was a full Kerberos implementation which used the Kerberos libraries for all communication between the daemons and clients. However, the code was never put into production and has not been used at any production sites. It was not fully tested and it has not been kept up-to-date with the many changes that have been put into Grid Engine since that time. The Kerberos support compiled into Grid Engine should be considered experimental. There were several reasons for not finishing this implementation (e.g. time and money), but the main reason was the impracticality of supporting this version as a product back then (long before Grid Engine was open source) because of export restrictions on Kerberos itself and other practical considerations. At that time, allowing the customer to compile the code on his own was simply not an option, because we didn't supply the source code to customers.
If you need Kerberos to authenticate users who are submitting jobs to allow Grid Engine jobs to run with Kerberos credentials (which have been forwarded and are protected by encryption), then the Enhanced Security Using Kerberos/DCE Authentication implementation is the way to go. Full authentication and encrypted communication via Kerberos between all Grid Engine clients (e.g. qmon, qstat) and deamons would require using the Kerberos code in security/krb, but sure this would involve a significant amount of further testing and development. A description of the integration and a setup example can be found in the following documents:
A prototype of Grid Engine supporting SSL was developed in the context of a diploma thesis. The original diploma thesis (in German) outlining the architecture of this security approach can be found here.
The Certificate Security Protocol has been reworked and a description how to deploy this version can be found here.
Copyright 2001 Sun Microsystems, Inc. All rights reserved.