Re: [Condor-users] Kerberos: forwarding tickets

On Tue, Oct 09, 2007 at 03:51:08PM -0500, Erik Paulson wrote:

:Alas, no. It's a goal, but it's not present yet. 
:The UW is entirely Kerberos and AFS, so having ticket forwarding would
:be very helpful for the Condor developers, so I'm hopeful it will be 
:implemented someday. 

I'd love it too, but UW has been developing Condor for a long time and
(presumably) has been an AFS shop for a long time.  Is there actually
any reason to hope for this?

I understand some of the difficulties, for example credentials
expiring mid job or while the job is in the queue, and I don't see a
fix for this.  Time limited credentials are central to the security
Kerberos provides, but this is a fundamental problem for batch queued
systems and long running jobs.

What is achievable (in my mind at least :) is having the queue daemons
authenticated so you could easily ACL a directory for that, weak
though it is, or even system:authuser which is effectively what that
permission would be since any authenticated user could submit a
batch job that would get that ID.

<ramble ramble>

Anyway is any work being done in this direction, or are IP based ACLs
"good enough" for the developers?