Re: [Condor-users] Condor Security
- Date: Wed, 7 Sep 2005 22:32:44 +0100 (BST)
- From: Bruce Beckles <mbb10@xxxxxxxxx>
- Subject: Re: [Condor-users] Condor Security
On Wed, 7 Sep 2005, Matt Hope wrote:
> Really hacky but I think should work for per machine blocking.
> Place firewall between the negotiator/collector machine, you then
> block their ports.
> You then have to manually allow the execute and schedd machines
> (though adding a machine as one implicitly adds it as another).
> Like I said hacky but in your complete control.
Of course, this relies on you having control over the IP addresses of
machines on your network, or having a network on which IP address
"spoofing" is impossible. That's a lot harder than it sounds, since these
days even the script kiddies know how to spoof BOTH IP addresses *AND*
ethernet hardware (MAC) addresses. (David: If your university is anything
like ours, then IP address spoofing will be rampant anyway...)
> Per user blocking is rather more tricky. Traditionally within Condor
> that is done on a per execute machine basis (i.e. via the START
> expression for the startd)...
If you can restrict your execute machines to accept jobs *only* from your
submit machines, AND you tightly control access to those submit machines,
then you can do per user restrictions at the submit machine end. Since
usually execute machines outnumber submit machines (or are the same as the
submit machines), it might be easier to do user access control at the
submit machine end than on the execute machines.
David: It's hard to say very much without a clearer idea of how your pool,
and the underlying network, is set up. If you don't want to talk about
that on this mailing list then I'm happy to take this discussion off list,
if you feel that would be useful.
University of Cambridge Computing Service.
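As an added example, not configuration posted by anyone in this thread: a condor_config fragment for the execute (startd) side that puts the host-based allow list Matt describes next to the two controls Bruce's reply points at, namely making the daemons authenticate the peer instead of trusting its source address, and doing per-user restriction in the START expression. Hostnames, user names and the Kerberos realm are made up. The macro names are those of the Condor 6.x manual of that time (HOSTALLOW_* were later renamed ALLOW_*), and the user@domain/host form in the allow list is as I recall it from the manual's authorization section; check both against the manual for your release before relying on them.

```ini
## Execute machine: condor_config.local (added example, not from the thread)

## 1. Host-based restriction, the "hacky" approach from the thread.
##    Only the listed submit hosts may claim this startd; any other host
##    is refused.  This is only as strong as your control over source
##    addresses: a spoofed IP/MAC from inside the network walks past it.
HOSTALLOW_WRITE = submit1.example.edu, submit2.example.edu

## 2. Make the peer prove who it is rather than where it came from.
##    With authentication REQUIRED and a real method negotiated, the
##    daemon learns an authenticated user name; FS only works on the
##    local machine, so remote schedds need Kerberos or GSI.
SEC_DEFAULT_AUTHENTICATION         = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS, GSI
SEC_DEFAULT_INTEGRITY              = REQUIRED

##    Once peers authenticate, the allow list can name users as well as
##    hosts (user@uid-domain/host), so a forged address alone is not
##    enough to write to this daemon.
HOSTALLOW_WRITE = *@example.edu/submit1.example.edu, \
                  *@example.edu/submit2.example.edu

## 3. Per-user restriction at the execute end, via the START expression,
##    evaluated against the job ClassAd's Owner attribute.  Jobs from
##    anyone else never match this machine.
START = ( (Owner == "alice") || (Owner == "bob") )
```

Sections 1 and 2 both set HOSTALLOW_WRITE; keep whichever matches the level of control you actually have (the later assignment wins). Changing SEC_DEFAULT_AUTHENTICATION to REQUIRED on the startd alone will cut it off from any schedd, collector or negotiator that cannot negotiate one of the listed methods, so roll the security settings out pool-wide and test with condor_status and a trial job before tightening the allow lists. Per-user control at the submit end, as Bruce suggests, is then a matter of who can log in to the submit hosts, which Condor does not manage for you.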