Using Kerberos Protocol Transition to submit jobs on behalf of users

Question
Hi Guys,
We are writing software that interacts with HPC Server and we would like to be able to submit jobs on behalf of users without knowing their password. So far the two options that appear to be viable are to either store a list of the user passwords on the submission node (not particularly secure!), or attempt to use Kerberos protocol transition as documented here:
http://technet.microsoft.com/en-us/library/cc739587(WS.10).aspx
Has anyone ever tried this? Any thoughts or suggestions?
Thanks,
Mark
Wednesday, October 28, 2009 9:23 PM
All replies
Unfortunately, the HPC scheduler requires the user's username/password to run their job. We investigated Protocol Transition as the means for getting jobs started on a user's behalf but there are limitations in it which made it unsuitable.
We are aware that requiring a Username/Password to run jobs can be onerous in certain circumstances, and are (and have been!) actively looking for a solution in a future version of the HPC Pack.
Thanks,
Josh
-Josh
- Proposed as answer by Josh Barnard (Moderator), Wednesday, October 28, 2009 10:11 PM
- Marked as answer by Josh Barnard (Moderator), Thursday, November 19, 2009 1:15 AM
Wednesday, October 28, 2009 10:11 PM (Moderator)
Hi Josh,
Thanks for the quick response. Do you happen to know if there is any documentation available regarding your findings? I also noticed that the Moab folks have gone with a solution involving having the user upload their password to a service which stores it in a (hopefully encrypted) database. Is this the approach most people are taking right now?
Thanks,
Mark
Thursday, October 29, 2009 3:59 AM
Mark,
I think that is the approach most people are taking; that's actually what we do internal to the scheduler (carefully encrypted of course!).
More details on this can be found in our security guide: http://technet.microsoft.com/en-us/library/cc707383(WS.10).aspx
Thanks,
Josh
-Josh
- Marked as answer by Josh Barnard (Moderator), Thursday, November 19, 2009 1:15 AM
Thursday, November 19, 2009 1:15 AM (Moderator)