
Re: [HTCondor-users] dirty AFS hook stuff?



Zachary Miller wrote:
> Even if HTCondor did this delegation for you (and I have investigated
> adding support for just that), my recommendation would be that you do
> not use your regular AFS credential for HTCondor usage.

Precisely. Even setting a directory with system:anyuser rlidwk is better
than trying to bypass the Kerberos and AFS identity mechanisms. I still
recommend using dedicated volumes instead of users' home directories. At
the least it prevents users from blowing out their quotas and you can
easily exclude the execute volumes from routine backups.


Brian Bockelman wrote:
> If you send security tokens along with your HTCondor job, the
> workers in your HTCondor pool can act as your user within that
> security domain.  This is true regardless of AFS / KRB5 / GSI /
> sending shared passwords.

If I interpret the security section of the Condor manual correctly then
this isn't true at all. What Condor calls authentication is not
verification of a user's identity. It is verification of a user's
permissions to use the pool's resources.

-- 
Rich Pieri <ratinox@xxxxxxx>
MIT Laboratory for Nuclear Science