
Re: [Condor-users] Kerberos: forwarding tickets



On Tue, Oct 09, 2007 at 02:15:05PM -0700, David Konerding wrote:
:> I'd love it too, but UW has been developing Condor for a long time and
:> (presumably) has been an AFS shop for a long time.  Is there actually
:> any reason to hope for this?
:>
:
:Perhaps it's a matter of up-prioritizing this feature.  There are lots
:of things to do,
:not so much developer time.

No doubt.  I don't fault anyone for this at all, I want to be clear on
that point.


:> I understand some of the difficulties, for example credentials
:> expiring mid job or while the job is in the queue, and I don't see a
:> fix for this.  Time limited credentials are central to the security
:> Kerberos provides, but this is a fundamental problem for batch queued
:> systems and long running jobs.
:>
:
:Don't renewable tickets address this problem?

Not entirely.  Tickets have a max renewable lifetime too.  Extending
this trades off security for convenience, as many things do (powering
your computer on or connecting to the internet). I don't know what
common practice is, but here 14 days is what we decided was a good
balance for us. This would probably be enough for most situations, but
what happens when it isn't remains a lingering question for me.

If the choice is making renewable life practically infinite or using
subnet based AFS ACLs, the latter is preferable for me as it only
exposes data in specific subdirectories to additional risk rather
than the whole authentication realm.

So I expect (Gnarly Problems) + (Common work arounds) == (low to zero
priority); this isn't a fault, just my expectation based on what I
would do given the current situation and finite developer time.  Maybe
there is someone for whom (Gnarly Problem) == (Research Project)?


-Jon