Chris Jewell <[email protected]> writes:

> Interesting. So what *is* the best security model for use with GE?

I'm not sure that's the right question. Generally, you're constrained by your environment, e.g. who controls the policies for your authZ service and authN on the resources you want to submit, e.g. for how long can you renew a Kerberos ticket for access to your NFS4 resource, given a method of doing it. This period typically is/should be short compared with maximum run times and typical wait times. (It isn't here, and Unixy people don't influence Active Directory or Windows filesystem policy, unfortunately.)

> Are we stuck with plain old NIS? Great for private clusters, but what
> about campus-wide grids?

There's no problem accessing facilities using Kerberos authZ and LDAP authN to submit a job, via gssapi-enabled ssh for instance, if all that matters is access to resources in the cluster, and you're not relying on Kerberos security within it. The problem is access to resources some time later with a valid Kerberos ticket forwarded as necessary. (AFS seems more common in these situations than NFS4; when I last saw assessments, it was a better choice unless you need stronger encryption.) The batch -- or experimental, in the case I was originally concerned with -- facility can only arbitrarily maintain tickets if you trust it with your credential, which you're probably only going to be happy with on a known well-adminned local system.

_______________________________________________
users mailing list
[email protected]
https://gridengine.org/mailman/listinfo/users
