
[Condor-users] Questions about Security on Windows Install



We have set up a condor host on a Windows XP machine and currently have about 40 slots/clients in the pool. I have been reading various documents (and manuals) for Condor 7.3 to try and understand how the security can be configured. I am not an IT or computer science expert, and therefore, I have been working with our IT group to help understand what precautions we need to take to safely run condor in a relatively secure environment. My questions are the following:

1. The pool password allows communication between client machines and condor_cred. Is this authentication used so matchmaking can occur or is it so certain machines can submit jobs? The documentation (6.2.4) states that the pool password is for communication between execute machines and condor_credd, but then states the password needs to be installed on all machines in the pools--hence the confusion.

2. If run_as_owner is used, is the pool password not required?

3. If a pool password is used, does it not have access to the registry?

4. We are concerned about how passwords are stored in the registry and how they are passed across the ethernet. When a user adds their credentials, my understanding is that it is stored on the registry (encrypted via eSSPI). When a user submits a job, how is this user's credentials being authenticated? In other words is encryption occurring across the ethernet as well or is the password passed over the network more than once? Can someone help me understand this encryption process?

5. Does condor support AD, AD/LDAP, or a Radius server? We are wondering if it is possible to avoid typing in passwords and having these passed over the ethernet and it was suggested that using AD/LDAP would eliminate this security concern.

I apologize in advance for the ignorant questions/comments. If anyone can help me understand how to best configure condor and minimize security risks, I would greatly appreciate the assistance. As of now, our condor pool resides within a firewall and no one can submit jobs from outside. We are also restricting submitting jobs to a couple machines. Because I work for the government, we need to ensure that condor will be a minimal security risk, which is why I want to understand this as much as possible.

Thank you for the help,
Michael