[Beowulf] Blue-sky cluster security [was CLuster - Mpich - tstmachines - Heeelp !!!!!!!!]
Gerry Creager N5JXS
gerry.creager at tamu.edu
Sat Jul 29 18:33:15 PDT 2006
At the risk of initiating a flamefest, we're seeing an interesting
number of scientific users who can find their way around a workstation
or cluster just fine, thank you very much, but who appear to check their
intelligence at the door of the lab when they want a grid-enabled
application to run. I've been told it's too hard, not intuitive enough,
doesn't look like my Windows (or Mac!) desktop, etc.
And, further, wandering into security, folks who I've known and
respected for years appear to abandon all control over their security to
a Pix now for grid-enabled clusters. Go figure.
Globus, viewed as a framework of applications, is making some good moves
to alleviate some of the problems I've been hearing about. That's a
good thing. I've also learned recently of work by the Global Grid Forum
on security with particular interest in grid-capable (whatever that
really means) firewalls. I'm gonna follow that activity with some
degree of interest.
Mark Hahn wrote:
>> This is all still possible. Globus doesn't require you to surrender
>> any control to anyone else.
> but if you don't use the sort of trust-delegation stuff, what's the point?
> I'm pretty happy with ssh, which is secure, and requires no configuration.
>> Yes, but the remote users really don't want to learn Yet Another
>> Account Name
>> and password. Globus lets them use their Globus name, and you as the
>> owner to create whatever accounts you want. Globus does the translating
>> between the two, so everyone is happy.
> hmm, I find that users can most often have the same username everywhere,
> and identity+agent-based ssh means never needing passwords.
> but I don't think the choice of auth method really matters to this
> discussion: a user authenticates to a login node and submits jobs;
> the user is trusting that the job system will create the same environment
> when the job is run. if either the login or execution nodes are
> compromised, the user is pretty much vulnerable...
> Beowulf mailing list, Beowulf at beowulf.org
> To change your subscription (digest mode or unsubscribe) visit
Gerry Creager -- gerry.creager at tamu.edu
Texas Mesonet -- AATLT, Texas A&M University
Cell: 979.229.5301 Office: 979.458.4020 FAX: 979.862.3983
Office: 1700 Research Parkway Ste 160, TAMU, College Station, TX 77843
More information about the Beowulf