Compute Cluster Security
Applies To: Windows Compute Cluster Server 2003
Compute cluster security is designed to give user credentials the least possible exposure as they pass from client workstation to head node to compute nodes, while maximizing usability. This includes providing encrypted storage and transport of credentials, and the use of tokens to minimize exposure of credentials on the compute nodes.
From a security perspective, the three machines—client workstation, head node, and compute node—are configured as follows:
The client workstation contains a credential cache in which the user credentials (user name and password) are stored at the user's behest in encrypted form. Only the head node will possess a key to the encryption.
The head node hosts the Job Scheduler and contains a job database that utilizes the standard Windows Data Protection API (DPAPI).
Each compute node contains the Node Manager Service.
When a job is submitted and executed, passing of credentials takes place as follows:
The user submits the job from a client workstation.
The user is prompted for a credential (user name and password).
The user enters the credential and is given an option to store it in encrypted form in the client credential cache. This offers the convenience of not having to reenter the credential with each job submission.
The credential is sent with the job along an encrypted (256-bit AES) .NET Remoting channel to the head node, where it is encrypted using DPAPI and stored with the job in the job database. If the user requested that it be stored for future use, it is returned in encrypted form to the client workstation and stored there as well, in the credential cache. It will then be automatically appended, in encrypted form, to future job submissions from that client computer.
At run time, the credential is decrypted using DPAPI on the head node. The task is then dispatched with the credential to the compute node along an encrypted (256-bit AES) .NET Remoting channel.
On the compute node, the credential is used to create a token and is then erased. The task is then performed under the token, which does not contain the credential.
When the job is completed, the credential is erased from the job database.
Subsequent submission is identical to first submission, except that the credential is now cached on the client and the user is not prompted for it if the user chose this option. In this case, the client will simply retrieve it from the cache and send it with the job to the head node in preencrypted form.
The compute cluster uses standard Windows security mechanisms. For encryption, this is standard Windows Data Protection API (DPAPI). For authentication, it is Kerberos authentication, NTLM, and the Security Support Provider Interface (SSPI). For transport, it is encrypted Component Object Model (COM) and encrypted (256-bit AES) .NET Remoting channels.