
Re: [Condor-users] Condor Security

On Wed, 7 Sep 2005, Matt Hope wrote:

> Really hacky but I think should work for per machine blocking.
>
> Place firewall between the negotiator/collector machine, you then
> block their ports.
> You then have to manually allow the execute and schedd machines
> (though adding a machine as one implicitly adds it as another).
>
> Like I said, hacky but in your complete control.

Of course, this relies on you having control over the IP addresses of machines on your network, or having a network on which IP address "spoofing" is impossible. That's a lot harder than it sounds, since these days even the script kiddies know how to spoof BOTH IP addresses *AND* ethernet hardware (MAC) addresses. (David: If your university is anything like ours, then IP address spoofing will be rampant anyway...)

> Per user blocking is rather more tricky. Traditionally within Condor
> that is done on a per execute machine basis (i.e. via the START
> expression for the startd...)

If you can restrict your execute machines to accept jobs *only* from your submit machines, AND you tightly control access to those submit machines, then you can do per user restrictions at the submit machine end. Since usually execute machines outnumber submit machines (or are the same as the submit machines), it might be easier to do user access control at the submit machine end than on the execute machines.

David: It's hard to say very much without a clearer idea of how your pool, and the underlying network, is set up. If you don't want to talk about that on this mailing list then I'm happy to take this discussion off list, if you feel that would be useful.

-- Bruce

Bruce Beckles,
e-Science Specialist,
University of Cambridge Computing Service.
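An added configuration example, not taken from this thread or from the Condor project, showing the execute-side approach discussed above as one execute machine's local config: the host names, user names and domain are placeholders, and the HOSTALLOW_* spelling is the Condor 6.x form that later versions renamed to ALLOW_*.

```ini
## Execute-machine local config (added example; all names are placeholders).

## 1. Per machine: only these hosts may write to (claim) this startd.
##    The central manager and the machine itself must stay in the list,
##    otherwise match notifications and local daemon traffic are refused.
HOSTALLOW_WRITE = $(FULL_HOSTNAME), $(CONDOR_HOST), submit1.example.edu, submit2.example.edu
HOSTALLOW_READ  = *.example.edu
## Do not add "HOSTDENY_WRITE = *" alongside this: deny lists take precedence
## over allow lists, so that line would lock out the submit machines too.

## 2. Per user: START is evaluated against the job ClassAd, so the job's
##    Owner attribute can be used to accept only named users. This is the
##    per-execute-machine approach from the thread; combine it with any
##    existing START policy (e.g. keyboard idle time) using &&.
START = ( Owner == "alice" ) || ( Owner == "bob" )

## 3. Host lists are IP/DNS based and therefore inherit the spoofing problem
##    raised in the reply. Requiring authenticated daemon traffic closes that
##    gap; which methods are available depends on the Condor build (this
##    assumes a Kerberos realm is in place).
SEC_DAEMON_AUTHENTICATION         = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = KERBEROS
SEC_DAEMON_INTEGRITY              = REQUIRED
```

After changing these settings, condor_reconfig on the execute machine and check the StartLog for refused connections from hosts that are not on the allow list.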