Re: [HTCondor-users] HTCondor User Able to Log In

[Rich Pieri <ratinox@xxxxxxx>]

Mike Ferraco wrote:
> I would like to just have condor run as the user that mounts the drives.
> Is it ok that this account can be logged into?  Why is this a major
> security breach and how can I make this type of set up secure.

No, this is not okay (certainly not on any system I'm responsible for).
As the documentation you quoted points out: "[...] the user condor could
submit jobs that run as any other user, providing complete access to the
user's data by the jobs." The condor user needs access to users files in
order to execute jobs and write out log files and such. It's how
HTCondor works. If you allow users to log in as this user then they are
this user with all of the rights and privileges that go with. To wit:
they would have access to other users' files.

You can't make it secure because you can't give the condor user the
privileges it requires while at the same time denying the condor user
these same privileges.

HTCondor + Kerberos + AFS is a little bit tricky. The good news is that
there was a discussion about how to authenticate HTCondor jobs with a
Kerberos realm a few months back. Search the mailing lists archives.
There are some recipes that you can use. Once a job has a Kerberos
ticket for your realm it can get an AFS token.

Or you could use NFS + automount for shared storage. I do this with my
pools so that my users don't have to worry about Kerberos authentication.

-- 
Rich Pieri <ratinox@xxxxxxx>
MIT Laboratory for Nuclear Science