
Re: [Condor-users] Grokking Authentication and Authorization



Jonathan D. Proulx wrote:
Hi All

I have a condor pool (6.8) that's been running with Kerberos
authentication for about a year.

I'm now looking to add some execute nodes without keytabs, so I'm
attempting to use password authentication for those.  I have this
configured on a test system and the central manager so the execute
node becomes part of the cluster.

But it seems all the submit nodes need to share an authentication
method with the execute node as well, which is reasonable.

I'd rather not push the password to every submit system and cannot put
keytabs on the new execute hosts.  I'm not too worried about someone
faking an execute host, but don't want the less trusted execute hosts
to be submit hosts.

What bits should I be looking at to enable these systems as execute
hosts but limit their ability to hose other things?

I'm looking at this in the context of dynamically creating EC2 based
execute hosts to handle peaks in the demand cycle.

Thanks,
-Jon

You could deny your EC2 nodes ADVERTISE_SCHEDD. This will keep them from showing up in your Collector and thus being considered during negotiation.

Best,


matt