Re: [Condor-users] linux, windows security
- Date: Tue, 25 May 2010 11:00:17 -0500
- From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
- Subject: Re: [Condor-users] linux, windows security
SMITH Michael wrote:
Hello,
I want to submit a job on a linux submit node with requirements to run
on a windows node under the credentials of a given local account added
to each windows execution node. I want to do this because I want to run
After Effects to have it render a composition and send the output to a
network file share.
How is this done correctly?
I’ve tried using +Owner and +NTDomain. It works only for a domain
account not for a local account. However when a job runs the output
files cannot be written to the linux file system because the +Owner
cannot be found on the linux machine. Even though this can be made to
work, it does not feel correct.
Thank you very much,
Mike
Mike,
I think the problem space could be greatly simplified if
1) your login id was consistent across your linux submit machine and
your windows machines, and
2) the UID_DOMAIN setting in condor_config was the same across both
your windows and linux machines, telling Condor that user "mikes" (or
whatever) is the same user across all machines in that UID_DOMAIN
If it is easy for you to make the above happen, I'd suggest doing so.
If it is difficult/impossible, then some options would be:
a) have your job on windows run as some dedicated login id via config
setting SLOTx_USER, one that has the proper permissions to read/write
to the required folders on your shared filesystem. See
http://www.cs.wisc.edu/condor/manual/v7.4/3_6Security.html#sec:RunAsNobody
You could even make a "dedicated slot" specific to After Effects jobs, see
https://condor-wiki.cs.wisc.edu/index.cgi/wiki?p=HowToReserveSlotForSpecialJobs
or
b) use Condor's authentication map file and an authentication
mechanism that is in common on Linux and Windows to "map" your Windows
ID to an appropriate Linux ID. This option could be made very secure,
but likely will require more configuration complexity than the above
options. See
http://www.cs.wisc.edu/condor/manual/v7.4/3_6Security.html#SECTION00464000000000000000
regards,
Todd
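
An added illustration of condition (2) and option (a) in the reply above (not part of the original message and not Condor's own tooling): a small Python check that reads condor_config text from each machine, resolves UID_DOMAIN, and lists any SLOTx_USER settings. The sample configs, the example.org domain, the SITE_DOMAIN macro and the aerender account are constructed; the parser handles only simple NAME = VALUE lines and $(MACRO) references.

```python
import re

# Constructed sample configs (not from the thread); domains and the
# "aerender" account are invented for illustration.
LINUX_SUBMIT = """
UID_DOMAIN = example.org
"""
WINDOWS_EXEC_BAD = """
UID_DOMAIN = win.example.org
"""
WINDOWS_EXEC_OK = """
# SITE_DOMAIN is a hypothetical site-defined macro
SITE_DOMAIN = example.org
UID_DOMAIN = $(SITE_DOMAIN)
SLOT1_USER = aerender
"""

def parse_config(text):
    """Parse NAME = VALUE lines; a later definition overrides an earlier one."""
    macros = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            macros[name.strip().upper()] = value.strip()
    return macros

def expand(macros, name, depth=0):
    """Resolve $(MACRO) references; returns None if the macro is undefined."""
    value = macros.get(name.upper())
    if value is None or depth > 10:   # depth guard stops reference loops
        return None
    def sub(m):
        inner = expand(macros, m.group(1), depth + 1)
        return m.group(0) if inner is None else inner
    return re.sub(r"\$\(([A-Za-z0-9_]+)\)", sub, value)

def audit(configs):
    """Compare UID_DOMAIN across machines and list any SLOTx_USER accounts."""
    domains, slot_users = {}, {}
    for host, text in configs.items():
        macros = parse_config(text)
        domains[host] = expand(macros, "UID_DOMAIN")
        for name, value in macros.items():
            if re.fullmatch(r"SLOT\d+_USER", name):
                slot_users[(host, name)] = value
    values = set(domains.values())
    # Assumption: domains are compared case-insensitively; unset never matches.
    consistent = None not in values and len({v.lower() for v in values}) == 1
    return {"uid_domains": domains, "consistent": consistent, "slot_users": slot_users}
```

Calling `audit({"linux-submit": LINUX_SUBMIT, "win-exec": WINDOWS_EXEC_BAD})` reports the mismatch; swapping in `WINDOWS_EXEC_OK` reports a consistent UID_DOMAIN and the dedicated slot account.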