##// END OF EJS Templates
upstream » ipython
RSS

Clone from https://github.com/ipython/ipython.git

Update info in parallel docs.
Thomas Kluyver -
Show More
Show file before | Show file after | Hide comments
@@ -4,11 +4,6 b''
4 4 Using MPI with IPython
5 5 =======================
6 6
7 .. note::
8
9 Not adapted to zmq yet
10 This is out of date wrt ipcluster in general as well
11
12 7 Often, a parallel algorithm will require moving data between the engines. One
13 8 way of accomplishing this is by doing a pull and then a push using the
14 9 multiengine client. However, this will be slow as all the data has to go
Show file before | Show file after | Hide comments
@@ -248,75 +248,6 b' capabilities based authentication model, in conjunction with SSH tunneled'
248 248 TCP/IP channels, address the core potential vulnerabilities in the system,
249 249 while still enabling user's to use the system in open networks.
250 250
251 Other questions
252 ===============
253
254 .. note::
255
256 this does not apply to ZMQ, but I am sure there will be questions.
257
258 About keys
259 ----------
260
261 Can you clarify the roles of the certificate and its keys versus the FURL,
262 which is also called a key?
263
264 The certificate created by IPython processes is a standard public key x509
265 certificate, that is used by the SSL handshake protocol to setup encrypted
266 channel between the controller and the IPython engine or client. This public
267 and private key associated with this certificate are used only by the SSL
268 handshake protocol in setting up this encrypted channel.
269
270 The FURL serves a completely different and independent purpose from the
271 key pair associated with the certificate. When we refer to a FURL as a
272 key, we are using the word "key" in the capabilities based security model
273 sense. This has nothing to do with "key" in the public/private key sense used
274 in the SSL protocol.
275
276 With that said the FURL is used as an cryptographic key, to grant
277 IPython engines and clients access to particular capabilities that the
278 controller offers.
279
280 Self signed certificates
281 ------------------------
282
283 Is the controller creating a self-signed certificate? Is this created for per
284 instance/session, one-time-setup or each-time the controller is started?
285
286 The Foolscap network protocol, which handles the SSL protocol details, creates
287 a self-signed x509 certificate using OpenSSL for each IPython process. The
288 lifetime of the certificate is handled differently for the IPython controller
289 and the engines/client.
290
291 For the IPython engines and client, the certificate is only held in memory for
292 the lifetime of its process. It is never written to disk.
293
294 For the controller, the certificate can be created anew each time the
295 controller starts or it can be created once and reused each time the
296 controller starts. If at any point, the certificate is deleted, a new one is
297 created the next time the controller starts.
298
299 SSL private key
300 ---------------
301
302 How the private key (associated with the certificate) is distributed?
303
304 In the usual implementation of the SSL protocol, the private key is never
305 distributed. We follow this standard always.
306
307 SSL versus Foolscap authentication
308 ----------------------------------
309
310 Many SSL connections only perform one sided authentication (the server to the
311 client). How is the client authentication in IPython's system related to SSL
312 authentication?
313
314 We perform a two way SSL handshake in which both parties request and verify
315 the certificate of their peer. This mutual authentication is handled by the
316 SSL handshake and is separate and independent from the additional
317 authentication steps that the CLIENT and SERVER perform after an encrypted
318 channel is established.
319
320 251 .. [RFC5246] <http://tools.ietf.org/html/rfc5246>
321 252
322 253 .. [OpenSSH] <http://www.openssh.com/>
General Comments 0
You need to be logged in to leave comments. Login now