
Re: [Condor-users] linux, windows security



Todd,

In your suggested approach, is it still necessary to run
condor_store_cred for each execution node?

Mike

-----Original Message-----
From: condor-users-bounces@xxxxxxxxxxx
[mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Todd Tannenbaum
Sent: Tuesday, May 25, 2010 12:00 PM
To: Condor-Users Mail List
Subject: Re: [Condor-users] linux, windows security

SMITH Michael wrote:
> Hello,
>
> I want to submit a job on a linux submit node with requirements to run
> on a windows node under the credentials of a given local account added
> to each windows execution node.  I want to do this because I want to
> run After Effects to have it render a composition and send the output
> to a network file share.
>
> How is this done correctly?
>
> I've tried using +Owner and +NTDomain.  It works only for a domain
> account not for a local account.  However when a job runs the output
> files cannot be written to the linux file system because the +Owner
> cannot be found on the linux machine.  Even though this can be made to
> work, it does not feel correct.
>
> Thank you very much,
>
> Mike
>

Mike,

I think the problem space could be greatly simplified if
   1) your login id was consistent across your linux submit machine and
your windows machines, and
   2) the UID_DOMAIN setting in condor_config was the same across both
your windows and linux machines, telling Condor that user "mikes" (or
whatever) is the same user across all machines in that UID_DOMAIN

If it is easy for you to make the above happen, I'd suggest doing so.
If it is difficult/impossible, then some options would be:

   a) have your job on windows run as some dedicated login id via config
setting SLOTx_USER, one that has the proper permissions to read/write
to the required folders on your shared filesystem.  See
http://www.cs.wisc.edu/condor/manual/v7.4/3_6Security.html#sec:RunAsNobody
You could even make a "dedicated slot" specific to After Effects jobs,
see
https://condor-wiki.cs.wisc.edu/index.cgi/wiki?p=HowToReserveSlotForSpecialJobs

or

   b) use Condor's authentication map file and an authentication
mechanism that is in common on Linux and Windows to "map" your Windows
ID to an appropriate Linux ID.  This option could be made very secure,
but likely will require more configuration complexity than the above
options. See
http://www.cs.wisc.edu/condor/manual/v7.4/3_6Security.html#SECTION00464000000000000000


regards,
Todd
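
One way to check point 2 of the quoted reply (the same UID_DOMAIN on every machine) before relying on it, as an added example that is not part of the thread and not Condor project code. The host names, sample config text and function names are constructed for illustration, and the parser does not expand $(MACRO) references; it reports them for manual review instead.

```python
import re

def parse_condor_config(text):
    """Return {MACRO_NAME: value} with names upper-cased; later definitions win."""
    macros, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(.*)$", line)
        if m:
            macros[m.group(1).upper()] = m.group(2).strip()
    return macros

def check_uid_domain(configs):
    """configs maps host -> condor_config text. Returns a list of findings."""
    findings, seen = [], {}
    for host, text in sorted(configs.items()):
        value = parse_condor_config(text).get("UID_DOMAIN")
        if not value:
            findings.append(f"{host}: UID_DOMAIN is not set")
        elif "$(" in value:
            # A per-host macro here means each machine may form its own domain.
            findings.append(f"{host}: UID_DOMAIN = {value} needs resolving on the host")
        else:
            # Assumption: domain names are compared case-insensitively.
            seen.setdefault(value.lower(), []).append(host)
    if len(seen) > 1:
        groups = "; ".join(f"{d}: {', '.join(h)}" for d, h in sorted(seen.items()))
        findings.append(f"UID_DOMAIN differs across hosts ({groups})")
    return findings

# Constructed sample configs, one per machine in the pool.
SAMPLE_CONFIGS = {
    "linux-submit": "# submit node\nUID_DOMAIN = example.org\n",
    "win-exec1": "uid_domain = EXAMPLE.ORG\n",
    "win-exec2": "UID_DOMAIN = $(FULL_HOSTNAME)\n",
    "win-exec3": "UID_DOMAIN = example.org\nUID_DOMAIN = render.example.org\n",
}

if __name__ == "__main__":
    for finding in check_uid_domain(SAMPLE_CONFIGS):
        print(finding)
```

An empty result means every listed machine states the same literal UID_DOMAIN; it says nothing about whether the login id itself exists on each machine (point 1).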
