Show More
| @@ -4,11 +4,6 b'' | |||||
| 4 | Using MPI with IPython |
|
4 | Using MPI with IPython | |
| 5 | ======================= |
|
5 | ======================= | |
| 6 |
|
6 | |||
| 7 | .. note:: |
|
|||
| 8 |
|
||||
| 9 | Not adapted to zmq yet |
|
|||
| 10 | This is out of date wrt ipcluster in general as well |
|
|||
| 11 |
|
||||
| 12 | Often, a parallel algorithm will require moving data between the engines. One |
|
7 | Often, a parallel algorithm will require moving data between the engines. One | |
| 13 | way of accomplishing this is by doing a pull and then a push using the |
|
8 | way of accomplishing this is by doing a pull and then a push using the | |
| 14 | multiengine client. However, this will be slow as all the data has to go |
|
9 | multiengine client. However, this will be slow as all the data has to go | |
| @@ -248,75 +248,6 b' capabilities based authentication model, in conjunction with SSH tunneled' | |||||
| 248 | TCP/IP channels, address the core potential vulnerabilities in the system, |
|
248 | TCP/IP channels, address the core potential vulnerabilities in the system, | |
| 249 | while still enabling user's to use the system in open networks. |
|
249 | while still enabling user's to use the system in open networks. | |
| 250 |
|
250 | |||
| 251 | Other questions |
|
|||
| 252 | =============== |
|
|||
| 253 |
|
||||
| 254 | .. note:: |
|
|||
| 255 |
|
||||
| 256 | this does not apply to ZMQ, but I am sure there will be questions. |
|
|||
| 257 |
|
||||
| 258 | About keys |
|
|||
| 259 | ---------- |
|
|||
| 260 |
|
||||
| 261 | Can you clarify the roles of the certificate and its keys versus the FURL, |
|
|||
| 262 | which is also called a key? |
|
|||
| 263 |
|
||||
| 264 | The certificate created by IPython processes is a standard public key x509 |
|
|||
| 265 | certificate, that is used by the SSL handshake protocol to setup encrypted |
|
|||
| 266 | channel between the controller and the IPython engine or client. This public |
|
|||
| 267 | and private key associated with this certificate are used only by the SSL |
|
|||
| 268 | handshake protocol in setting up this encrypted channel. |
|
|||
| 269 |
|
||||
| 270 | The FURL serves a completely different and independent purpose from the |
|
|||
| 271 | key pair associated with the certificate. When we refer to a FURL as a |
|
|||
| 272 | key, we are using the word "key" in the capabilities based security model |
|
|||
| 273 | sense. This has nothing to do with "key" in the public/private key sense used |
|
|||
| 274 | in the SSL protocol. |
|
|||
| 275 |
|
||||
| 276 | With that said the FURL is used as an cryptographic key, to grant |
|
|||
| 277 | IPython engines and clients access to particular capabilities that the |
|
|||
| 278 | controller offers. |
|
|||
| 279 |
|
||||
| 280 | Self signed certificates |
|
|||
| 281 | ------------------------ |
|
|||
| 282 |
|
||||
| 283 | Is the controller creating a self-signed certificate? Is this created for per |
|
|||
| 284 | instance/session, one-time-setup or each-time the controller is started? |
|
|||
| 285 |
|
||||
| 286 | The Foolscap network protocol, which handles the SSL protocol details, creates |
|
|||
| 287 | a self-signed x509 certificate using OpenSSL for each IPython process. The |
|
|||
| 288 | lifetime of the certificate is handled differently for the IPython controller |
|
|||
| 289 | and the engines/client. |
|
|||
| 290 |
|
||||
| 291 | For the IPython engines and client, the certificate is only held in memory for |
|
|||
| 292 | the lifetime of its process. It is never written to disk. |
|
|||
| 293 |
|
||||
| 294 | For the controller, the certificate can be created anew each time the |
|
|||
| 295 | controller starts or it can be created once and reused each time the |
|
|||
| 296 | controller starts. If at any point, the certificate is deleted, a new one is |
|
|||
| 297 | created the next time the controller starts. |
|
|||
| 298 |
|
||||
| 299 | SSL private key |
|
|||
| 300 | --------------- |
|
|||
| 301 |
|
||||
| 302 | How the private key (associated with the certificate) is distributed? |
|
|||
| 303 |
|
||||
| 304 | In the usual implementation of the SSL protocol, the private key is never |
|
|||
| 305 | distributed. We follow this standard always. |
|
|||
| 306 |
|
||||
| 307 | SSL versus Foolscap authentication |
|
|||
| 308 | ---------------------------------- |
|
|||
| 309 |
|
||||
| 310 | Many SSL connections only perform one sided authentication (the server to the |
|
|||
| 311 | client). How is the client authentication in IPython's system related to SSL |
|
|||
| 312 | authentication? |
|
|||
| 313 |
|
||||
| 314 | We perform a two way SSL handshake in which both parties request and verify |
|
|||
| 315 | the certificate of their peer. This mutual authentication is handled by the |
|
|||
| 316 | SSL handshake and is separate and independent from the additional |
|
|||
| 317 | authentication steps that the CLIENT and SERVER perform after an encrypted |
|
|||
| 318 | channel is established. |
|
|||
| 319 |
|
||||
| 320 | .. [RFC5246] <http://tools.ietf.org/html/rfc5246> |
|
251 | .. [RFC5246] <http://tools.ietf.org/html/rfc5246> | |
| 321 |
|
252 | |||
| 322 | .. [OpenSSH] <http://www.openssh.com/> |
|
253 | .. [OpenSSH] <http://www.openssh.com/> | |
General Comments 0
You need to be logged in to leave comments.
Login now