Using Kerberos Protocol Transition to submit jobs on behalf of users

  • Question

  • Hi Guys,

    We are writing software that interacts with HPC Server and we would like to be able to submit jobs on behalf of users without knowing their password.  So far the two options that appear to be viable are to either store a list of the user passwords on the submission node (not particularly secure!), or attempt to use Kerberos protocol transition as documented here:

    http://technet.microsoft.com/en-us/library/cc739587(WS.10).aspx

    Has anyone ever tried this?  Any thoughts or suggestions?

    Thanks,
    Mark
    Wednesday, October 28, 2009 9:23 PM

All replies

  • Unfortunately, the HPC scheduler requires the user's username/password to run their job.  We investigated Protocol Transition as the means for getting jobs started on a user's behalf but there are limitations in it which made it unsuitable.

    We are aware that requiring a Username/Password to run jobs can be onerous in certain circumstances, and are (and have been!) actively looking for a solution in a future version of the HPC Pack.

    Thanks,
    Josh
    -Josh
    Wednesday, October 28, 2009 10:11 PM
    Moderator
  • Hi Josh,

    Thanks for the quick response.  Do you happen to know if there is any documentation available regarding your findings?  I also noticed that the Moab folks have gone with a solution involving having the user upload their password to a service which stores it in a (hopefully encrypted) database.  Is this the approach most people are taking right now?

    Thanks,
    Mark
    Thursday, October 29, 2009 3:59 AM
  • Mark,
    I think that is the approach most people are taking; that's actually what we do internal to the scheduler (carefully encrypted of course!).

    More details on this can be found in our security guide: http://technet.microsoft.com/en-us/library/cc707383(WS.10).aspx

    Thanks,
    Josh
    -Josh
    Thursday, November 19, 2009 1:15 AM
    Moderator