On Sat, 21 Jan 2017 at 4:22am, Dave Love wrote:

> Joshua Baker-LePain <j...@salilab.org> writes:
>
>> Are you using CSP?  To get that to work on CentOS-7 I had to change
>> the default signature from md5 to sha256 in
>> $SGE_ROOT/util/sgeCA/sge_ca -- see
>> <http://gridengine.org/pipermail/users/2016-August/009283.html>.
>> Although the error message I was seeing was different...
>
> I fixed that in https://arc.liv.ac.uk/trac/SGE/log/sge/source?rev=4928
> after I bumped into it in containers.  It would be helpful to others if
> people could report bugs on the tracker, though someone did that one
> recently.

That was me.  :)

> If I was adminning a cluster -- so probably not needing to protect the
> communication -- I'd use MUNGE authentication now.  It's easier than
> CSP.

My use case for CSP is that I have groups who want every user desktop to be a submit host. My trust in those desktops is limited since the users have physical access to them. With CSP I can give that group the certs only for their users. That way if a host gets compromised they can only imitate another user from the group, not any cluster user (or sge or root).

IOW, with MUNGE you implicitly trust a host. With CSP you can trust on a more granular level, which I find highly useful.

--
Joshua Baker-LePain
QB3 Shared Cluster Sysadmin
UCSF
_______________________________________________
SGE-discuss mailing list
SGE-discuss@liv.ac.uk
https://arc.liv.ac.uk/mailman/listinfo/sge-discuss
