[Beowulf] Blue-sky cluster security [was CLuster - Mpich - tstmachines - Heeelp !!!!!!!!]

Erik Paulson epaulson at cs.wisc.edu
Sat Jul 29 18:00:14 PDT 2006


On Sat, Jul 29, 2006 at 08:16:43PM -0400, Mark Hahn wrote:
> >This is all still possible. Globus doesn't require you to surrender
> >any control to anyone else.
> 
> but if you don't use the sort of trust-delegation stuff, what's the point?
> I'm pretty happy with ssh, which is secure, and requires no configuration.
> 

I think we need to keep it a little more concrete than 'sort of
trust-delegation stuff'. If you've ever had users submit through
Globus, I think you'll find that it's as secure as ssh and about as easy
to set up (yes, ssh is now universally installed by default, so it's hard to get
easier than that). In the simplest mode of operation, the "trust delegation"
that Globus does is identical to that of ssh, albeit with a different
protocol and software stack.

> >Yes, but the remote users really don't want to learn Yet Another Account
> >Name and password. Globus lets them use their Globus name, and you as the
> >resource owner to create whatever accounts you want. Globus does the
> >translating between the two, so everyone is happy.
> 
> hmm, I find that users can most often have the same username everywhere,
> and identity+agent-based ssh means never needing passwords.
> 

You'll certainly concede that it's not always true that user names are unique,
right? As someone who used Globus to submit jobs to clusters at different
institutions, I can assure you that the underlying accounts did not have
the same UNIX username :)

Also, not everyone submits jobs via 
`ssh remote-login-point /usr/bin/batch_submit job.script` - if you run
any sort of very complicated workflow you'll quickly at least wrap your
ssh command in a script - and for any robust script you'll start writing
lots and lots of error handling for the ssh commands (dealing with commands
that hang, recovering from network disconnection, etc etc) - eventually
your robust script gets to be as complicated as Globus...

> but I don't think the choice of auth method really matters to this 
> discussion: a user authenticates to a login node and submits jobs;

Actually, I haven't been paying much attention to the main thread, I
just jumped in at the Globus tangent because I think you misrepresented
what Globus does. I'd be happy to go into more specifics with you;
my impression is that you've never had it installed on your system
and had serious users, and may not be familiar with it in detail. I'm
perfectly willing to leave this discussion at 'Globus allows you to
create complicated authentication schemes, for many clusters there's
really no reason to do so.'


> the user is trusting that the job system will create the same environment
> when the job is run.  if either the login or execution nodes are 
> compromised, the user is pretty much vulnerable...

I agree for the way I imagine most members of the list run their clusters,
this is absolutely true.

-Erik



