[Beowulf] Blue-sky cluster security [was CLuster - Mpich - tstmachines - Heeelp !!!!!!!!]

Gerry Creager N5JXS gerry.creager at tamu.edu
Sat Jul 29 18:33:15 PDT 2006


At the risk of initiating a flamefest, we're seeing an interesting 
number of scientific users who can find their way around a workstation 
or cluster just fine, thank you very much, but who appear to check their 
intelligence at the door of the lab when they want a grid-enabled 
application to run.  I've been told it's too hard, not intuitive enough, 
doesn't look like my Windows (or Mac!) desktop, etc.

And, further, wandering into security, folks who I've known and 
respected for years appear to abandon all control over their security to 
a Pix now for grid-enabled clusters.  Go figure.

Globus, viewed as a framework of applications, is making some good moves 
to alleviate some of the problems I've been hearing about.  That's a 
good thing.  I've also learned recently of work by the Global Grid Forum 
on security with particular interest in grid-capable (whatever that 
really means) firewalls.  I'm gonna follow that activity with some 
degree of interest.

gerry

Mark Hahn wrote:
>> This is all still possible. Globus doesn't require you to surrender
>> any control to anyone else.
> 
> 
> but if you don't use the sort of trust-delegation stuff, what's the point?
> I'm pretty happy with ssh, which is secure, and requires no configuration.
> 
>> Yes, but the remote users really don't want to learn Yet Another 
>> Account Name
>> and password. Globus lets them use their Globus name, and you as the 
>> resource
>> owner to create whatever accounts you want. Globus does the translating
>> between the two, so everyone is happy.
> 
> 
> hmm, I find that users can most often have the same username everywhere,
> and identity+agent-based ssh means never needing passwords.
> 
> but I don't think the choice of auth method really matters to this 
> discussion: a user authenticates to a login node and submits jobs;
> the user is trusting that the job system will create the same environment
> when the job is run.  if either the login or execution nodes are 
> compromised, the user is pretty much vulnerable...
> _______________________________________________
> Beowulf mailing list, Beowulf at beowulf.org
> To change your subscription (digest mode or unsubscribe) visit 
> http://www.beowulf.org/mailman/listinfo/beowulf

-- 
Gerry Creager -- gerry.creager at tamu.edu
Texas Mesonet -- AATLT, Texas A&M University	
Cell: 979.229.5301 Office: 979.458.4020 FAX: 979.862.3983
Office: 1700 Research Parkway Ste 160, TAMU, College Station, TX 77843



More information about the Beowulf mailing list