Re: [HTCondor-users] dirty AFS hook stuff?

[Zachary Miller <zmiller@xxxxxxxxxxx>]

On Mon, Nov 11, 2013 at 12:05:01PM -0500, Rich Pieri wrote:
> Brian Bockelman wrote:
> > This means that an implementation is mostly a matter of finding
> > someone who understands AFS and HTCondor well enough to copy/paste
> > the relevant code.
> 
> Doing it right is not that simple at all. It's not a matter of copying
> code. It's a matter of forwarding Kerberos tickets to every node in a
> Condor pool, nodes that may not be secure.
> 
> I'm running a desktop pool. Most of the nodes in my pool are on or under
> users' desks. These nodes have little or no physical access controls. It
> would be trivial for a malicious user to install a compromised version
> of the Condor daemons that send copies of forwarded Kerberos tickets to
> that malicious user. At this point said malicious user can masquerade as
> anyone who's jobs run on those compromised nodes.

Even if HTCondor did this delegation for you (and I have investigated adding
support for just that), my recommendation would be that you do not use your
regular AFS credential for HTCondor usage.  Adminstrators should create
separate principals for HTCondor usage, and users should set the AFS ACLs to
allow "rlidwk" for just a specific subdirectory of your home directory.


Cheers,
-zach