configuring qube with AD or LDAP

[turi]

For starters here is my setup -

- Master node connected to a SAN via fibre channel
- Worker nodes connected to the Master on a private subnet. Master shares the disk from SAN on this private network with the worker nodes.

The reason I chose workers to be on a private subnet is because we are in a university setting and there is always someone who is scanning the network or causing issues. I want these nodes to be completely dedicated and away from all this nuisance.

Now I want the end users to authenticate against our University AD or LDAP, but since I want the jobs to be run as that user on these workers I believe these workers have to be part of the AD. Is there any other way of approaching this? Can I have user authenticate against supervisor using AD and then have the supervisor interact workers using proxyuser? In that case how can I give the end user control over their job?

[anthony]

Hey Turi,

    There are really only 2 scenarios you can use for authentication.  The first (which is installed by default) is to use a proxy user to execute all jobs.  This is actually more difficult to use in a secure environment since file permissions almost always becomes an issue.  This is because jobs run under the proxy user will also take on the authority of that user and consequently the files created can only be made in directories which are open to the proxy user to read/write.  This is ok in many studios because their security is normally protected at network boundaries.

    The second is to allow qube! to authenticate using the real user's login and password.  (This is what the qblogin screen is for)  However when setting up this configuration the worker does have to be a part of the AD or at least have access to it. 

    This poses a problem, since you're looking to isolate one network from the other, it makes it difficult for the workers to get to the AD since it's probably on a separate network all together.  You could do 1 of 2 things.  Place a Secondary Domain Server on the farm network and use that for authentication.  Or you could open the ports on the firewall to allow AD authentication.  I would prefer the first one since you would only need to open things for a single host.

    What kind of router, firewall do you plan to use to isolate the network?  is it a linux host? windows? or hardware firewall?  In some cases, setting up a secure routing table might be difficult since you might not have control over traffic through the firewall at that level.  (I'm pretty familiar with iptables, ipchains firewalls and could suggest a few configurations for those if you need them, especially if you need to isolate outgoing traffic)

    Other suggestions to consider would be to also restrict internet access incoming and outgoing from the farm to prevent malicious use of these hosts.  The simplest thing to do is to handle it using the firewall.  You might want to consider having the file server and the supervisor straddle the networks.  You should also consider a few other security options in the qube! supervisor itself which we could go into with a different forum topic.

    Thanks,
         Anthony