[gridengine users] Installing GE in CSP mode?
d.love at liverpool.ac.uk
Sat May 26 14:02:07 UTC 2012
Stuart Barkley <stuartb at 4gh.net> writes:
> It seems that CSP mode is the only current way to run a reasonably
> secure Grid Engine configuration. For some definition of "reasonably
> secure"... (see below for mine).
> In April, there was a flap over a security issue in Grid Engine, but
> there are more fundamental flaws in the default security that most
> installation appear to use (i.e. not using CSP mode).
Yes, though that one potentially gave remote root on any execution host.
There was also bad information and probably still considerable confusion
> It isn't a bad idea to improve underlying security when possible and
> the LD_LIBRARY_PATH/LD_PRELOAD issues are good to be fixed.
[They aren't properly fixed unless the fix at least cover canonical lists
of sensitive variables from what I published, and it clearly actually
needs a different approach.]
> For our clusters CSP mode seems to be overkill and administrative
> heavy. It's been a while since I looked at CSP mode, but like many
> certificate based systems I've seen, it lacks any functional
> revocation model. (I may be wrong, let me know.)
There's a CRL, but can't you just replace the keys on the master? [I
don't want to defend X.509-type schemes generally.]
> Our clusters run on isolated networks with all of the systems under
> single administrative control. I would like to see the some other
> simpler security model (using reserved ports, munge or even system
> certificates instead of user certificates).
The best approach is probably to use SASL
<https://arc.liv.ac.uk/trac/SGE/ticket/1376>, but integrating MUNGE, for
instance, should be relatively straightforward. It doesn't seem as if
anyone else is interested in working on such things; I'd welcome help
and requirements/advice. I'm planning to clean up the GSS stuff, at
> We are still running 6.2u5 but are starting to evaluate alternatives.
> Addressing host based security will be a requirement, especially for
> any purchased product.
It might be possible to use the GSS hooks (not necessarily for GSS),
depending on what's required.
Community Grid Engine: http://arc.liv.ac.uk/SGE/
More information about the users