[slurm-users] work with sensitive data

William Brown william at signalbox.org.uk
Fri Dec 17 23:51:08 UTC 2021


I realise not helpful with Lustre but we are using NFSv4 with krb5p mounts
to encrypt in flight.

Also AUKS to make the Kerberos tickets available to the compute nodes, an
idea from CERN.

All our nodes are AD integrated, so if the user is authenticated by AD they
can access the data, and not otherwise.

Authorization is by AD group membership, with RFC2307 attributes in AD so
we have username mapping. That is why we use NFSv4.

That suits NGS as most of the software isn't written for MPI or other ways
where a real cluster file system is needed.

An advantage is that the users don't really see anything unusual apart from
having to login with a password, as GSSAPI cannot work with this setup.



On Tue, 14 Dec 2021, 20:24 Michał Kadlof, <m.kadlof at mini.pw.edu.pl> wrote:

> Hi,
>
> some of my users work with "sensitive data". Currently we use standard
> unix groups with ACLs to limit access but I wonder if there is any way
> to keep data encrypted (for example with gpg) and decrypt them "on the
> fly" in Slurm job and then encrypt the results again after the job is
> finished.
>
> We store users' homes on Lustre shared filesystem if it matters...
>
> Are there any recommendations, guides or "best practices" how to keep
> such data safe?
>
> --
> cheers
> Michał Kadlof
>
>
>
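An added example, not part of the original thread: one way to check on a compute node that every NFS mount really negotiated sec=krb5p, by reading a mount table in /proc/mounts format from stdin. The function names, hostnames and sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Audit a mount table (/proc/mounts format) for NFS mounts that are not
# using sec=krb5p (Kerberos authentication, integrity and encryption).

# Reads the mount table on stdin and prints "mountpoint flavour" for every
# nfs/nfs4 mount whose security flavour is anything other than krb5p.
weak_nfs_mounts() {
    awk '
        $3 == "nfs" || $3 == "nfs4" {
            flavour = "unset"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^sec=/) flavour = substr(opts[i], 5)
            if (flavour != "krb5p") print $2, flavour
        }
    '
}

# Succeeds only when every NFS mount in the table on stdin uses krb5p.
all_nfs_krb5p() {
    [ -z "$(weak_nfs_mounts)" ]
}

# Constructed sample mount table (hostnames and paths are made up).
sample_mounts() {
    cat <<'EOF'
fs1.example.org:/ngs /data/ngs nfs4 rw,relatime,vers=4.2,proto=tcp,sec=krb5p,clientaddr=10.0.0.5 0 0
fs1.example.org:/scratch /scratch nfs4 rw,relatime,vers=4.2,proto=tcp,sec=sys,clientaddr=10.0.0.5 0 0
fs1.example.org:/home /home nfs4 rw,relatime,vers=4.1,proto=tcp,sec=krb5i,clientaddr=10.0.0.5 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# Demo on the constructed sample; on a real node use:
#   weak_nfs_mounts < /proc/mounts
sample_mounts | weak_nfs_mounts
```

A mount reported as krb5i is authenticated and integrity-protected but not encrypted in flight, and sys has no Kerberos protection at all.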