Condor on Windows - PowerPoint PPT Presentation

About This Presentation
Title:

Condor on Windows

Description:

ondor. C. Greg Quinn. Computer Sciences Department. University of Wisconsin-Madison ... Pool password can be stored with new '-c' argument to condor_store_cred ... – PowerPoint PPT presentation

Number of Views:15
Avg rating:3.0/5.0
Slides: 30
Provided by: Miron1
Category:

less

Transcript and Presenter's Notes

Title: Condor on Windows


1
Condor on Windows
2
Overview
  • Latest features
  • Running jobs as submitting user
  • Cross-platform authentication methods (Kerberos,
    SSL, Password)
  • Running condor in an unprivileged account

3
Running Jobs as the Submitting User
4
condor_store_cred add
  • Contacts local schedd and asks it to securely
    store a users password
  • Password is placed encrypted in a registry
    location
  • C\gtcondor_store_cred add
  • Account gquinn_at_CROW
  • Enter password
  • Operation succeeded.

5
condor_store_cred query
  • Checks if password is stored for your user name
  • Also makes sure password is up to date (by making
    sure it can be used to log in)
  • C\gtcondor_store_cred query
  • Account gquinn_at_CROW
  • A credential is stored and is valid.

6
condor_store_cred delete
  • Removes password from secure password store

C\gtcondor_store_cred delete Account
gquinn_at_CROW Enter password Operation succeeded.
7
Job Execution Submit Side
schedd
Secure Password Store
submit
myp4sswd
y0urs
submit
shadow
8
Job Execution Execute Side
starter
Jobs run using a Condor-specific account with
minimal privileges.
condor_exec.exe
condor-reuse-vm1
9
Job Execution Execute Side
starter
schedd
myp4sswd
y0urs
condor_exec.exe
VM1_USER CROW\gquinn VM2_USER CROW\gquinn
10
Itd be nice if
  • My jobs could access my files just like the
    condor_shadow can
  • I didnt have to tie my execute machines to a
    single account
  • I didnt have to run condor_store_cred from every
    machine where my credential is needed

11
The Windows CredD
  • A centralized repository for user passwords

myp4sswd
y0urs
store password
  • C\gtcondor_store_cred add
  • Account gquinn_at_CROW
  • Enter password
  • Operation succeeded.

credd
ltpasswordgt
12
The Windows CredD
schedd
myp4sswd
fetch password
y0urs
ltpasswordgt
shadow
Submit machines can use the CredD to impersonate
the user in the shadow
13
The Windows CredD
starter
fetch password
myp4sswd
y0urs
ltpasswordgt
condor_exec.exe
Execute machines can use the CredD to run jobs as
the submitting user!
14
Running Jobs as Submitting User
  • Example submit file

universe vanilla executable whoami.exe log
whoami.log output whoami.out run_as_owner
true queue
15
Running Jobs as Submitting User
  • In config file on submit and execute nodes

CREDD_HOST vault.cs.wisc.edu STARTER_ALLOW_RUNA
S_OWNER True CREDD_CACHE_LOCALLY
True SEC_CLIENT_AUTHENTICATION_METHODS \
NTSSPI, PASSWORD
16
Running Jobs as Submitting User
  • See example config file included with Condor
    condor_config.local.credd

Set security settings so that full security to
the credd is required CREDD.SEC_DEFAULT_AUTHENTICA
TION REQUIRED CREDD.SEC_DEFAULT_ENCRYPTION
REQUIRED CREDD.SEC_DEFAULT_INTEGRITY
REQUIRED CREDD.SEC_DEFAULT_NEGOTIATION
REQUIRED Require PASSWORD auth for password
fetching CREDD.SEC_DAEMON_AUTHENTICATION_METHODS
PASSWORD Only honor password fetch requests
to the trusted "condor_pool" user CREDD.ALLOW_DAEM
ON condor_pool_at_(UID_DOMAIN)
17
Securing the CredD
  • NTSSPI can be used to authenticate to CredD and
    send the password encrypted over the network

myp4sswd
y0urs
  • C\gtcondor_store_cred add
  • Account gquinn_at_CROW
  • Enter password
  • Operation succeeded.

credd
store password
18
Securing the CredD
starter
myp4sswd
fetch password
y0urs
condor_exec.exe
Condor normally runs as SYSTEM, and therefore
cant use NTSSPI
19
Securing the CredD
  • Options for securing password fetch operations
  • Kerberos / SSL authentication
  • Password authentication
  • Run the Condor service as a normal account and
    use NTSSPI

20
Password Authentication
21
Password Authentication
  • Mutual authentication of Condor daemons
    possessing a shared pool password
  • Good for small pools where more heavyweight
    methods arent desirable

22
Password Authentication
  • Pool password can be stored with new -c
    argument to condor_store_cred
  • Can also be done remotely with -n argument

C\gt condor_store_cred c add
C\gt condor_store_cred n crow.cs.wisc.edu c add
23
Using an Unprivileged Account for Condor
24
Personal Condor
  • Allows creating a 1-machine Condor pool as any
    user

C\gt SET CONDOR_CONFIGc\condor\condor_config C\
gt condor_master -f
25
Unprivileged Service
  • Condor still runs using the Service Control
    Manager (SCM)

26
Uncovered Questions?
What's USE_VISIBLE_DESKTOP?
What Window Station does my job use?
How do I run a Perl script?
How do I handle WM_CLOSE?
What about Cygwin?
What's up with Desktop Heap?
27
Windows BOF
  • Thursday, 1130 - 1230
  • Room 219

28
Questions?
29
condor_store_cred
C\gtcondor_store_cred add Account
gquinn_at_CROW Enter password Operation
failed. Make sure your HOSTALLOW_WRITE setting
includes this host.
  • Indicates communications error between
    condor_store_cred and the schedd
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Condor on Windows" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!