On 18.05.2012 at 15:41, Rayson Ho wrote:

> On Fri, May 18, 2012 at 4:27 AM, Beat Rubischon <b...@0x1b.ch> wrote:
>> On 17.05.12 18:51, Rayson Ho wrote:
>>> Just want to understand your use case, what is the main reason you use
>>> the CSP mode??
>> 
>> Security. The queuemaster fully trusts the username sent by the client
>> binaries over the wire.
> 
> That's the main reason people switch on CSP mode, I guess. But there
> are other features in CSP mode that are not available in MUNGE or the
> privileged port mode - e.g. encrypted daemon communication, and
> blocking all users without certificates from accessing Grid Engine.
> 
> Torque uses the privileged port method, and I think Grid Engine should
> add back the support for it as it is the most straightforward way of
> authentication - it is well understood & easy to set up.
> 
> If you have access to the physical wire, then both MUNGE and
> privileged ports are not good enough, as one can replay the network
> packets or create a new packet by hand (I played with MUNGE before and
> there's the timeout mechanism, however, it is not a one-time
> password). You really need the public/private key protocol in CSP mode
> to avoid this attack.
> 
> Finally, blocking users without certificates from accessing Grid
> Engine is really important as well. A site asked about the CSP mode
> not because of the authentication of UID it provides, but only to use
> it to block all users without a valid certificate from using Grid
> Engine.

To use or access SGE? To avoid job submissions one could create an ACL and use
it in the SGE configuration to avoid job submissions by non-entitled users in
(x)user_lists; nevertheless, they can issue `qstat` or the like.

-- Reuti
_______________________________________________
users mailing list
users@gridengine.org
https://gridengine.org/mailman/listinfo/users
