I'm currently running into a situation where I'd like finer control over which services can register themselves in our grid and what information I have about them after they register. At the moment, I'm looking for suggestions, which might eventually turn into useful RFEs.
All our servers are within a firewall using Glacier2 for session management. The central data server, blitz, contains all the logic for authentication/authorization. Processor servers are started on nodes as a particular blitz user (different from the OS user) and take job requests from blitz.

The issue is how blitz knows that the processor is authorized to take a particular job with the rules: (1) root can run anyone's jobs and (2) anyone else can only run their own jobs.
The first solution is to simply prevent non-root users from connecting. This I could do with SSL or a specialized root-only PermissionsVerifier. I'd prefer to allow non-root users to also start
processors to allow integration with existing cluster resources. Managing the SSL certificates for N users becomes difficult, but is doable if that solves the problem.
Another solution I thought of, but do not know how to implement, entails having "trusted" processors start with port numbers < 1024. This works under the assumption that a process started as (OS) root on a known host can be "trusted".
The other possibility I see is to implement this in user code, though management of the multiple processors becomes a bit convoluted.
- User submits job
- blitz gets a list of all processors from registry
- blitz asks all processors to provide login info,
- and manages a map from user->processor
- blitz passes job to any processor for user or root or throws exception.
This solves the issue of blitz not trusting the processor, but it leaves the processors potentially at risk of being misused by a malicious blitz (especially if processors eventually register themselves with multiple IceGrid registries).
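The user-code option above (registry listing, login query, user->processor map, dispatch or exception) modelled as an added example; this is not code from the poster or from Ice/IceGrid. `Processor`, `Blitz`, the `ROOT` name and the registry contents are hypothetical stand-ins for the Ice proxies and the registry query, constructed inline so the rules can be exercised offline. It covers only blitz's side of the trust question; a processor checking which blitz is sending it work is not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass

ROOT = "root"  # the blitz user that may run anyone's jobs (rule 1); assumed name


@dataclass(frozen=True)
class Processor:
    """Stand-in for a processor proxy obtained from the IceGrid registry (hypothetical)."""
    name: str   # identity the processor registered under
    login: str  # blitz user the processor reported when asked for login info


class NoAuthorizedProcessor(Exception):
    """Raised when no registered processor may run the job (the 'throws exception' step)."""


def can_run(processor_login: str, job_owner: str) -> bool:
    """The two rules: root may run anyone's job, anyone else only their own."""
    return processor_login == ROOT or processor_login == job_owner


class Blitz:
    """Models blitz's side: build the user->processor map, then pick a processor per job."""

    def __init__(self, registry):
        # registry: the processors blitz listed from the registry, each already asked
        # for its login info. Supplied by the caller; nothing is contacted here.
        self.by_user = defaultdict(list)
        for proc in registry:
            self.by_user[proc.login].append(proc)
        self.assigned = defaultdict(int)  # jobs handed to each processor, for balancing

    def candidates(self, job_owner: str):
        """Processors allowed to run job_owner's job, the owner's own listed first."""
        own = list(self.by_user.get(job_owner, []))
        if job_owner == ROOT:
            return own
        return own + list(self.by_user.get(ROOT, []))

    def dispatch(self, job_owner: str) -> Processor:
        """Hand the job to the least-loaded processor that may run it.

        The owner's own processors are preferred; root processors are the fallback.
        Raises NoAuthorizedProcessor when neither kind is registered.
        """
        own = self.by_user.get(job_owner, [])
        pool = own if own else self.by_user.get(ROOT, [])
        if not pool:
            raise NoAuthorizedProcessor(
                f"no processor registered as {job_owner!r} or {ROOT!r}")
        chosen = min(pool, key=lambda p: self.assigned[p.name])
        # Defence in depth: the map is keyed by login, so this can never fail,
        # but the rule is re-checked at the point of dispatch anyway.
        if not can_run(chosen.login, job_owner):
            raise NoAuthorizedProcessor(f"{chosen.name} may not run {job_owner!r}'s job")
        self.assigned[chosen.name] += 1
        return chosen


if __name__ == "__main__":
    # Constructed registry contents: one root processor, two started as "alice".
    registry = [
        Processor("proc-root", ROOT),
        Processor("proc-alice", "alice"),
        Processor("proc-alice-2", "alice"),
    ]
    blitz = Blitz(registry)
    for owner in ("alice", "alice", "bob", ROOT):
        print(owner, "->", blitz.dispatch(owner).name)
    try:
        Blitz([Processor("proc-alice", "alice")]).dispatch("bob")
    except NoAuthorizedProcessor as e:
        print("rejected:", e)
```

Whether `login` can be trusted is exactly the post's open question: the map is only as good as the answer each processor gives, so in practice that value would have to come from the processor's authenticated Glacier2 session rather than from the processor's own claim.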