Re: [Condor-users] Condor Security

[Bruce Beckles <mbb10@xxxxxxxxx>]

On Wed, 7 Sep 2005, Matt Hope wrote:

<snip>
> Really hacky but I think should work for per machine blocking.
>
> Place firewall between the negotiator/collector machine, you then
> block their ports.
> You then have to manually allow the execute and schedd machines
> (though adding a machine as one implicitly adds it as another.
>
> Like I said hacky but in your complete control.

Of course, this relies on you having control over the IP addresses of 
machines on your network, or having a network on which IP address 
"spoofing" is impossible.  That's a lot harder than it sounds, since these 
days even the script kiddies know how to spoof BOTH IP addresses *AND* 
ethernet hardware (MAC) addresses.  (David: If your university is anything 
like ours, then IP address spoofing will be rampant anyway...)

> per user blocking is rather more tricky. traditionally within condor
> that is done on a per execute machine basis (i.e. via the START
> expression for the startd...

If you can restrict your execute machines to accept jobs *only* from your 
submit machines, AND you tightly control access to those submit machines, 
then you can do per user restrictions at the submit machine end.  Since 
usually execute machines outnumber submit machines (or are the same as the 
submit machines), it might be easier to do user access control at the 
submit machine end than on the execute machines.

David: It's hard to say very much without a clearer idea of how your pool, 
and the underlying network, is set up.  If you don't want to talk about 
that on this mailing list then I'm happy to take this discussion off list, 
if you feel that would be useful.

	-- Bruce

--
Bruce Beckles,
e-Science Specialist,
University of cambridge Computing Service.