Re: [Condor-users] Kerberos: forwarding tickets
- Date: Tue, 9 Oct 2007 17:10:28 -0400
- From: "Jonathan D. Proulx" <jon@xxxxxxxxxxxxx>
- Subject: Re: [Condor-users] Kerberos: forwarding tickets
On Tue, Oct 09, 2007 at 03:51:08PM -0500, Erik Paulson wrote:
:Alas, no. It's a goal, but it's not present yet.
:The UW is entirely Kerberos and AFS, so having ticket forwarding would
:be very helpful for the Condor developers, so I'm hopeful it will be
I'd love it too, but UW has been developing Condor for a long time and
(presumably) has been an AFS shop for a long time. Is there actually
any reason to hope for this?
I understand some of the difficulties, for example credentials
expiring mid job or while the job is in the queue, and I don't see a
fix for this. Time-limited credentials are central to the security
Kerberos provides, but this is a fundamental problem for batch-queued
systems and long-running jobs.
What is achievable (in my mind at least :) is having the queue daemons
authenticated so you could easily ACL a directory for that, weak
though it is, or even system:authuser which is effectively what that
permission would be since any authenticated user could submit a
batch job that would get that ID.
Anyway, is any work being done in this direction, or are IP-based ACLs
"good enough" for the developers?