[Beowulf] Blue-sky cluster security [was CLuster - Mpich - tstmachines - Heeelp !!!!!!!!]

Erik Paulson epaulson at cs.wisc.edu
Sat Jul 29 16:51:01 PDT 2006


On Sat, Jul 29, 2006 at 12:34:42PM -0400, Mark Hahn wrote:
> >>it would be interesting to try this - connecting to the cluster gets you
> >>a VM or containerized environment where you can't see anyone else,
> >>and where the only access you have to the cluster is through queue
> >>commands.  your jobs would then run in a similar VM/container cloned
> >>when you submit them.  I suppose some people would like this, but it
> >
> >Just brainstorming, what would the best method be? Poach some of the
> >globus stuff? A chroot scheme? Xen?
> 
> I've never quite understood the value of Globus.  obviously, within a single
> admin domain, it's no better than any other scheme.  afaikt, its main
> purpose is to permit me, as a resource owner, to hand over control of some 
> resources to some other domain.  this is very gridish, of course, but would
> you really want to do that?  I'd like to require that everything that runs 
> in my domain can authenticate within my domain - this allows me to report 
> to my funding agency, for instance, which Nature papers were accomplished with
> which mega-cpu-hour.

This is all still possible. Globus doesn't require you to surrender 
any control to anyone else. 

> in particular, this isn't necessarily any more
> difficult - if my org undertakes an agreement with another org, I'm 
> perfectly happy automatically creating accounts for their users within my 
> domain...
> 

Yes, but the remote users really don't want to learn Yet Another Account Name
and password. Globus lets them use their Globus name, and lets you as the
resource owner create whatever accounts you want. Globus does the translating
between the two, so everyone is happy. 

-Erik
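
The translation described in the message above, sketched as an added example (not part of the original post and not Globus code): Globus GSI keeps this mapping in a grid-mapfile, where each line pairs a quoted certificate subject with the local account(s) the resource owner chose. The sample entries, the function names and the `privileged` list are constructed for illustration; the audit flags mappings that would blur the per-user accounting raised in the quoted text.

```python
import shlex
from collections import defaultdict

# Constructed sample in grid-mapfile format: "<certificate subject>" <local account>[,...]
# All subjects and account names below are made up for this example.
SAMPLE_GRIDMAP = '''
# remote org users; local accounts are chosen by the local admin
"/O=Grid/OU=example-remote.org/CN=Alice Example" alice_r
"/O=Grid/OU=example-remote.org/CN=Bob Example" bob_r,shared_proj
"/O=Grid/OU=example-remote.org/CN=Carol Example" shared_proj
"/O=Grid/OU=example-remote.org/CN=Dave Example" root
'''

def parse_gridmap(text):
    """Return {subject DN: [local accounts]}; the first account is the default."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the quotes around the DN
        if len(fields) != 2 or not fields[0].startswith("/"):
            raise ValueError(f"line {lineno}: expected '\"<DN>\" <account>[,...]'")
        accounts = [a for a in fields[1].split(",") if a]
        if not accounts:
            raise ValueError(f"line {lineno}: no local account given")
        mapping[fields[0]] = accounts
    return mapping

def resolve(mapping, dn):
    """Local account for an authenticated DN, or None (deny) if it is unmapped."""
    accounts = mapping.get(dn)
    return accounts[0] if accounts else None

def audit(mapping, privileged=("root",)):
    """Flag entries that grant a privileged account or share one account."""
    findings, owners = [], defaultdict(list)
    for dn, accounts in mapping.items():
        for acct in accounts:
            owners[acct].append(dn)
            if acct in privileged:
                findings.append(("privileged", acct, dn))
    for acct, dns in owners.items():
        if len(dns) > 1:  # usage by this account cannot be tied to one person
            findings.append(("shared", acct, tuple(sorted(dns))))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_gridmap(SAMPLE_GRIDMAP)):
        print(finding)
```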


