On Sat, 21 Jan 2017 at 4:22am, Dave Love wrote

> Joshua Baker-LePain <j...@salilab.org> writes:
>
>> Are you using CSP? To get that to work on CentOS-7 I had to change
>> the default signature from md5 to sha256 in
>> $SGE_ROOT/util/sgeCA/sge_ca -- see
>> <http://gridengine.org/pipermail/users/2016-August/009283.html>.
>> Although the error message I was seeing was different...
>
> I fixed that in https://arc.liv.ac.uk/trac/SGE/log/sge/source?rev=4928
> after I bumped into it in containers. It would be helpful to others if
> people could report bugs on the tracker, though someone did that one
> recently.

That was me. :)

> If I was adminning a cluster -- so probably not needing to protect the
> communication -- I'd use MUNGE authentication now. It's easier than
> CSP.

My use case for CSP is that I have groups who want every user desktop to
be a submit host. My trust in those desktops is limited since the users
have physical access to them. With CSP I can give that group the certs
only for their users. That way if a host gets compromised they can only
imitate another user from the group, not any cluster user (or sge or
root).

IOW, with MUNGE you implicitly trust a host. With CSP you can trust on a
more granular level, which I find highly useful.

--
Joshua Baker-LePain
QB3 Shared Cluster Sysadmin
UCSF