Presentation is loading. Please wait.

Presentation is loading. Please wait.

Greg Quinn Computer Sciences Department University of Wisconsin-Madison Condor on Windows.

Published byJohnathan Gallagher Modified over 9 years ago

Similar presentations

Presentation on theme: "Greg Quinn Computer Sciences Department University of Wisconsin-Madison Condor on Windows."— Presentation transcript:

1 Greg Quinn Computer Sciences Department University of Wisconsin-Madison gquinn@cs.wisc.edu http://www.cs.wisc.edu/condor Condor on Windows

2 www.cs.wisc.edu/condor Overview › Latest features › Running jobs as submitting user › Cross-platform authentication methods (Kerberos, SSL, Password) › Running condor in an unprivileged account

3 www.cs.wisc.edu/condor Running Jobs as the Submitting User

4 www.cs.wisc.edu/condor condor_store_cred add C:\>condor_store_cred add Account: gquinn@CROW Enter password: Operation succeeded. › Contacts local schedd and asks it to securely store a user’s password › Password is placed encrypted in a registry location y0urs myp4sswd

5 www.cs.wisc.edu/condor condor_store_cred query C:\>condor_store_cred query Account: gquinn@CROW A credential is stored and is valid. › Checks if password is stored for your user name › Also makes sure password is up to date (by making sure it can be used to log in)

6 www.cs.wisc.edu/condor condor_store_cred delete C:\>condor_store_cred delete Account: gquinn@CROW Enter password: Operation succeeded. › Removes password from secure password store

7 www.cs.wisc.edu/condor Job Execution: Submit Side schedd submit shadow y0urs myp4sswd Secure Password Store

8 www.cs.wisc.edu/condor Job Execution: Execute Side starter condor_exec.exe Jobs run using a Condor-specific account with minimal privileges. condor-reuse-vm1

9 www.cs.wisc.edu/condor Job Execution: Execute Side starter condor_exec.exe y0urs myp4sswd schedd VM1_USER = CROW\gquinn VM2_USER = CROW\gquinn

10 www.cs.wisc.edu/condor It’d be nice if… › My jobs could access my files just like the condor_shadow can › I didn’t have to tie my execute machines to a single account › I didn’t have to run condor_store_cred from every machine where my credential is needed

11 www.cs.wisc.edu/condor The Windows CredD y0urs myp4sswd C:\>condor_store_cred add Account: gquinn@CROW Enter password: Operation succeeded. credd › A centralized repository for user passwords “store password”

12 www.cs.wisc.edu/condor The Windows CredD y0urs myp4sswd schedd shadow Submit machines can use the CredD to impersonate the user in the shadow “fetch password”

13 www.cs.wisc.edu/condor The Windows CredD y0urs myp4sswd starter condor_exec.exe Execute machines can use the CredD to run jobs as the submitting user! “fetch password”

14 www.cs.wisc.edu/condor Running Jobs as Submitting User universe = vanilla executable = whoami.exe log = whoami.log output = whoami.out run_as_owner = true queue › Example submit file:

15 www.cs.wisc.edu/condor Running Jobs as Submitting User CREDD_HOST = vault.cs.wisc.edu STARTER_ALLOW_RUNAS_OWNER = True CREDD_CACHE_LOCALLY = True SEC_CLIENT_AUTHENTICATION_METHODS = \ NTSSPI, PASSWORD › In config file on submit and execute nodes:

16 www.cs.wisc.edu/condor Running Jobs as Submitting User › See example config file included with Condor: condor_config.local.credd # Set security settings so that full security to the credd is required CREDD.SEC_DEFAULT_AUTHENTICATION =REQUIRED CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED # Require PASSWORD auth for password fetching CREDD.SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD # Only honor password fetch requests to the trusted "condor_pool" user CREDD.ALLOW_DAEMON = condor_pool@($UID_DOMAIN)

17 www.cs.wisc.edu/condor Securing the CredD y0urs myp4sswd C:\>condor_store_cred add Account: gquinn@CROW Enter password: Operation succeeded. credd › NTSSPI can be used to authenticate to CredD and send the password encrypted over the network “store password”

18 www.cs.wisc.edu/condor Securing the CredD y0urs myp4sswd starter condor_exec.exe “fetch password” Condor normally runs as SYSTEM, and therefore can’t use NTSSPI

19 www.cs.wisc.edu/condor Securing the CredD › Options for securing password fetch operations Kerberos / SSL authentication Password authentication Run the Condor service as a normal account and use NTSSPI

20 www.cs.wisc.edu/condor Password Authentication

21 www.cs.wisc.edu/condor Password Authentication › Mutual authentication of Condor daemons possessing a shared “pool password” › Good for small pools where more heavyweight methods aren’t desirable

22 www.cs.wisc.edu/condor Password Authentication › Pool password can be stored with new “-c” argument to condor_store_cred › Can also be done remotely with “-n” argument C:\> condor_store_cred –c add C:\> condor_store_cred –n crow.cs.wisc.edu –c add

23 www.cs.wisc.edu/condor Using an Unprivileged Account for Condor

24 www.cs.wisc.edu/condor Personal Condor › Allows creating a 1-machine Condor pool as any user C:\> SET CONDOR_CONFIG=c:\condor\condor_config C:\> condor_master -f

25 www.cs.wisc.edu/condor Unprivileged Service › Condor still runs using the Service Control Manager (SCM)

26 www.cs.wisc.edu/condor Uncovered Questions?

27 www.cs.wisc.edu/condor Windows BOF › Thursday, 11:30 - 12:30 › Room 219

28 www.cs.wisc.edu/condor Questions?

29 www.cs.wisc.edu/condor condor_store_cred C:\>condor_store_cred add Account: gquinn@CROW Enter password: Operation failed. Make sure your HOSTALLOW_WRITE setting includes this host. › Indicates communications error between condor_store_cred and the schedd

Download ppt "Greg Quinn Computer Sciences Department University of Wisconsin-Madison Condor on Windows."

Similar presentations

Current methods for negotiating firewalls for the Condor ® system Bruce Beckles (University of Cambridge Computing Service) Se-Chang Son (University of.

Current methods for negotiating firewalls for the Condor ® system Bruce Beckles (University of Cambridge Computing Service) Se-Chang Son (University of.
Building a secure Condor ® pool in an open academic environment Bruce Beckles University of Cambridge Computing Service.

Building a secure Condor ® pool in an open academic environment Bruce Beckles University of Cambridge Computing Service.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Dan Bradley Computer Sciences Department University of Wisconsin-Madison Schedd On The Side.

Dan Bradley Computer Sciences Department University of Wisconsin-Madison Schedd On The Side.
Greg Thain Computer Sciences Department University of Wisconsin-Madison Condor Parallel Universe.

Greg Thain Computer Sciences Department University of Wisconsin-Madison Condor Parallel Universe.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Setting up of condor scheduler on computing cluster Raman Sehgal NPD-BARC.

Setting up of condor scheduler on computing cluster Raman Sehgal NPD-BARC.
The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M030 17 th November, 2008.

The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
Ian D. Alderman Computer Sciences Department University of Wisconsin-Madison Condor Week 2007 Signed.

Ian D. Alderman Computer Sciences Department University of Wisconsin-Madison Condor Week 2007 Signed.
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.

Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
Efficiently Sharing Common Data HTCondor Week 2015 Zach Miller Center for High Throughput Computing Department of Computer Sciences.

Efficiently Sharing Common Data HTCondor Week 2015 Zach Miller Center for High Throughput Computing Department of Computer Sciences.
Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.

Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool.
Jaeyoung Yoon Computer Sciences Department University of Wisconsin-Madison Virtual Machine Universe in.

Jaeyoung Yoon Computer Sciences Department University of Wisconsin-Madison Virtual Machine Universe in.
Jaeyoung Yoon Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.

Jaeyoung Yoon Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Flexible Data Placement Mechanisms in Condor.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Flexible Data Placement Mechanisms in Condor.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Securing Your Condor Pool With SSL.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Securing Your Condor Pool With SSL.
Condor Project Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.

Condor Project Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.
Jaime Frey Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.

Jaime Frey Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.
Zach Miller Computer Sciences Department University of Wisconsin-Madison What’s New in Condor.

Zach Miller Computer Sciences Department University of Wisconsin-Madison What’s New in Condor.

Similar presentations

Ads by Google