Using Kerberos Protocol Transition to submit jobs on behalf of users

  • Wednesday, October 28, 2009 9:23 PM MarkUMN

    Hi Guys,

    We are writing software that interacts with HPC Server and we would like to be able to submit jobs on behalf of users without knowing their password.  So far the two options that appear to be viable are to either store a list of the user passwords on the submission node (not particularly secure!), or attempt to use Kerberos protocol transition as documented here:

    http://technet.microsoft.com/en-us/library/cc739587(WS.10).aspx

    Has anyone ever tried this?  Any thoughts or suggestions?

    Thanks,
    Mark

All Replies

  • Wednesday, October 28, 2009 10:11 PM Josh Barnard (MSFT, Owner)
     Answer
    Unfortunately, the HPC scheduler requires the user's username/password to run their job.  We investigated Protocol Transition as the means for getting jobs started on a user's behalf but there are limitations in it which made it unsuitable.

    We are aware that requiring a Username/Password to run jobs can be onerous in certain circumstances, and are (and have been!) actively looking for a solution in a future version of the HPC Pack.

    Thanks,
    Josh
    -Josh
  • Thursday, October 29, 2009 3:59 AM MarkUMN

    Hi Josh,

    Thanks for the quick response.  Do you happen to know if there is any documentation available regarding your findings?  I also noticed that the Moab folks have gone with a solution involving having the user upload their password to a service which stores it in a (hopefully encrypted) database.  Is this the approach most people are taking right now?

    Thanks,
    Mark
  • Thursday, November 19, 2009 1:15 AM Josh Barnard (MSFT, Owner)
     Answer
    Mark,
    I think that is the approach most people are taking; that's actually what we do internal to the scheduler (carefully encrypted, of course!).

    More details on this can be found in our security guide: http://technet.microsoft.com/en-us/library/cc707383(WS.10).aspx

    Thanks,
    Josh
    -Josh