
Condor on Windows






Presentation Transcript


  1. Condor on Windows

  2. Overview
  • Latest features
  • Running jobs as submitting user
  • Cross-platform authentication methods (Kerberos, SSL, Password)
  • Running condor in an unprivileged account

  3. Running Jobs as the Submitting User

  4. condor_store_cred add
  • Contacts local schedd and asks it to securely store a user’s password
  • Password is placed encrypted in a registry location
  C:\>condor_store_cred add
  Account: gquinn@CROW
  Enter password:
  Operation succeeded.

  5. condor_store_cred query
  • Checks if password is stored for your user name
  • Also makes sure password is up to date (by making sure it can be used to log in)
  C:\>condor_store_cred query
  Account: gquinn@CROW
  A credential is stored and is valid.

  6. condor_store_cred delete
  • Removes password from secure password store
  C:\>condor_store_cred delete
  Account: gquinn@CROW
  Enter password:
  Operation succeeded.

  7. Job Execution: Submit Side
  [Diagram: submit, schedd, secure password store, shadow]

  8. Job Execution: Execute Side
  Jobs run using a Condor-specific account with minimal privileges.
  [Diagram: starter launches condor_exec.exe as the condor-reuse-vm1 account]

  9. Job Execution: Execute Side
  [Diagram: starter, schedd, condor_exec.exe]
  VM1_USER = CROW\gquinn
  VM2_USER = CROW\gquinn

  10. It’d be nice if…
  • My jobs could access my files just like the condor_shadow can
  • I didn’t have to tie my execute machines to a single account
  • I didn’t have to run condor_store_cred from every machine where my credential is needed

  11. The Windows CredD
  • A centralized repository for user passwords
  C:\>condor_store_cred add
  Account: gquinn@CROW
  Enter password:
  Operation succeeded.
  [Diagram: condor_store_cred sends “store password” with <password> to the credd]

  12. The Windows CredD
  [Diagram: schedd sends “fetch password” to the credd, which returns <password> for the shadow]
  Submit machines can use the CredD to impersonate the user in the shadow

  13. The Windows CredD
  [Diagram: starter sends “fetch password” to the credd, which returns <password> for condor_exec.exe]
  Execute machines can use the CredD to run jobs as the submitting user!

  14. Running Jobs as Submitting User
  • Example submit file:
  universe = vanilla
  executable = whoami.exe
  log = whoami.log
  output = whoami.out
  run_as_owner = true
  queue

  15. Running Jobs as Submitting User
  • In config file on submit and execute nodes:
  CREDD_HOST = vault.cs.wisc.edu
  STARTER_ALLOW_RUNAS_OWNER = True
  CREDD_CACHE_LOCALLY = True
  SEC_CLIENT_AUTHENTICATION_METHODS = \
      NTSSPI, PASSWORD

  16. Running Jobs as Submitting User
  • See example config file included with Condor: condor_config.local.credd
  # Set security settings so that full security to the credd is required
  CREDD.SEC_DEFAULT_AUTHENTICATION = REQUIRED
  CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
  CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
  CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED
  # Require PASSWORD auth for password fetching
  CREDD.SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
  # Only honor password fetch requests to the trusted "condor_pool" user
  CREDD.ALLOW_DAEMON = condor_pool@$(UID_DOMAIN)
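Added here as a worked check, not part of the deck or of Condor's own tooling: a Python script that parses condor_config-style settings (comments, KEY = VALUE, backslash continuations) and flags a CredD fragment that falls short of the settings shown on slides 15 and 16. Both fragments are constructed; the weak variant is hypothetical.

```python
# Constructed condor_config.local.credd fragments modelled on the deck's
# settings (not the file shipped with Condor); WEAK is a hypothetical misconfig.
STRICT = """\
# full security to the credd is required
CREDD.SEC_DEFAULT_AUTHENTICATION = REQUIRED
CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED
CREDD.SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
CREDD.ALLOW_DAEMON = condor_pool@$(UID_DOMAIN)
SEC_CLIENT_AUTHENTICATION_METHODS = \\
    NTSSPI, PASSWORD
"""
WEAK = """\
CREDD.SEC_DEFAULT_AUTHENTICATION = REQUIRED
CREDD.SEC_DEFAULT_ENCRYPTION = OPTIONAL
CREDD.SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD, NTSSPI
CREDD.ALLOW_DAEMON = *
"""

def parse_condor_config(text):
    """Read KEY = VALUE lines; skip '#' comments, join '\\' continuations."""
    settings, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # continuation: keep collecting
            pending += line[:-1] + " "
            continue
        key, _, value = (pending + line).partition("=")
        settings[key.strip().upper()] = value.strip()
        pending = ""
    return settings

def audit_credd_config(text):
    """Return findings (empty list = matches the deck's hardened settings)."""
    cfg = parse_condor_config(text)
    findings = []
    for knob in ("AUTHENTICATION", "ENCRYPTION", "INTEGRITY", "NEGOTIATION"):
        key = "CREDD.SEC_DEFAULT_" + knob
        if cfg.get(key, "").upper() != "REQUIRED":
            findings.append("%s must be REQUIRED, is %s" % (key, cfg.get(key, "unset")))
    methods = cfg.get("CREDD.SEC_DAEMON_AUTHENTICATION_METHODS", "")
    if [m.strip().upper() for m in methods.split(",") if m.strip()] != ["PASSWORD"]:
        findings.append("daemon auth to the credd must be PASSWORD only")
    allow = cfg.get("CREDD.ALLOW_DAEMON", "")
    if "*" in allow or not allow.startswith("condor_pool@"):
        findings.append("ALLOW_DAEMON must name only condor_pool@<UID_DOMAIN>")
    return findings
```

Running audit_credd_config on a site's own fragment returns an empty list when it matches the deck's settings and one line per deviation otherwise.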

  17. Securing the CredD
  • NTSSPI can be used to authenticate to CredD and send the password encrypted over the network
  C:\>condor_store_cred add
  Account: gquinn@CROW
  Enter password:
  Operation succeeded.
  [Diagram: condor_store_cred sends “store password” to the credd]

  18. Securing the CredD
  [Diagram: starter sends “fetch password” to the credd on behalf of condor_exec.exe]
  Condor normally runs as SYSTEM, and therefore can’t use NTSSPI

  19. Securing the CredD
  • Options for securing password fetch operations
  • Kerberos / SSL authentication
  • Password authentication
  • Run the Condor service as a normal account and use NTSSPI

  20. Password Authentication

  21. Password Authentication
  • Mutual authentication of Condor daemons possessing a shared “pool password”
  • Good for small pools where more heavyweight methods aren’t desirable

  22. Password Authentication
  • Pool password can be stored with new “-c” argument to condor_store_cred
  • Can also be done remotely with “-n” argument
  C:\> condor_store_cred -c add
  C:\> condor_store_cred -n crow.cs.wisc.edu -c add

  23. Using an Unprivileged Account for Condor

  24. Personal Condor
  • Allows creating a 1-machine Condor pool as any user
  C:\> SET CONDOR_CONFIG=c:\condor\condor_config
  C:\> condor_master -f

  25. Unprivileged Service
  • Condor still runs using the Service Control Manager (SCM)

  26. Uncovered Questions?
  What's USE_VISIBLE_DESKTOP?
  What Window Station does my job use?
  How do I run a Perl script?
  How do I handle WM_CLOSE?
  What about Cygwin?
  What's up with Desktop Heap?

  27. Windows BOF
  • Thursday, 11:30 - 12:30
  • Room 219

  28. Questions?

  29. condor_store_cred
  C:\>condor_store_cred add
  Account: gquinn@CROW
  Enter password:
  Operation failed.
  Make sure your HOSTALLOW_WRITE setting includes this host.
  • Indicates communications error between condor_store_cred and the schedd
