
Re: [HTCondor-users] dirty AFS hook stuff?



Thanks for your answers.

Yes Rich, we definitely need a secure solution, so this one won't work
out. But also, we definitely need AFS too.

I see two possibilities: working around this limitation somehow by
scripting and hooking around - if it's possible at all. Or simply
implementing support for AFS token passing and renewal in Condor. I
didn't really have the time to investigate how much work it would be to
do one of these. I thought, first I'll ask around if anybody has
experience in this field.

Thanks anyway,
Daniel

2013/11/10 Rich Pieri <ratinox@xxxxxxx>:
> The general solution is to create a dedicated service user and grant
> this user access to users' directories via AFS ACLs. The Globus example
> is a specific case of this. The problem with doing this for all of your
> users' entire home directories is that a single AFS user -- the one that
> all of your users are effectively running as -- has access to everything
> without any authentication at all. What's the worst that could happen?
> An ignorant user could run "rm -rf /" and wipe out the entire AFS
> storage space. A malicious user could steal or corrupt or destroy a
> rival's data or results.
>
> You /really/ don't want to go there. You'll be much better off using NFS
> automounts or a central NFS server for staging submissions.
>
> --
> Rich Pieri <ratinox@xxxxxxx>
> MIT Laboratory for Nuclear Science