It would be nice if you could specify folder permissions for the repository path if your user account doesn’t have them. I can enter them manually in the file explorer or 3ds max and I can do it through a service but can’t let the launcher in user space connect.
Hello Gavin,
Could you explain what you need a bit better? Perhaps some examples of what you need to do and how it differs from what is happening?
If I run Deadline as a service everything is peachy, it logs in as a Domain user and everything just works.
However, if I run as a local user with the computer not joined to the domain, I need to enter credentials to browse the network, e.g. fileserver\repository7. As a normal user this works fine; I can elevate my file permissions on demand. However, Deadline the software tries to access the folder as an application and it can’t, since it’s trapped in my user credentials and can’t elevate itself. It would be nice if you could run, say, a slave on the desktop but also give it domain privileges.
Hello Gavin,
I don’t think we have any way to do that in Deadline now, but I am wondering how it would even be done via a command line. Are you aware of how that would be done?
runas seems to be the command line way.
Hello Gavin,
I’ll see if there is a way to get something like this implemented in future.
Thanks, I found another use case: Deadline as a Service. When I’m setting up Deadline as a virtual render node I leave the VM off of the domain until a user chooses a machine name and joins as one step. Until the machine joins the domain the service isn’t able to run on a domain account. So once they’ve joined the domain they then have to circle back and open Services on every render node and enable domain permissions. If we could handle user space through the Repository we could give all slaves elevated permissions automatically, regardless of whether the machine has even joined a domain, which would be nice for cloud rendering.
Hey Gavin, what do you think about making your own startup script for the Launcher and disabling the normal Deadline login startup? You could even drop the script into the user’s “startup” folder and have it work that way.
It’s kind of a rare setup you have, and this might be the cleanest solution.
This sounds like a security nightmare.
How so? The slave would be the one getting elevated above the launcher. That way your launcher could be a simple system service but when the slave launches it is SU’ed to a specific render account. It would be way better than a startup script because a startup script would have to pass the user/pass in plaintext. If the functionality was built into deadline you could use a private key inside of Deadline to encrypt the passwords and keep it secure from database straight to launching the slave process.
I think you’re overlooking the potential implications of this. Deadline currently has very little security itself. It doesn’t interface with system-level authentication at all, and it doesn’t really have a way to store secure data or enforce much in the way of authentication. You would be leaving it up to the customer to ensure that the entire security chain was properly configured and enforced, or risking the exposure of root/admin credentials. Forgive me for being blunt, but most Deadline customers are not sysadmins.
I’m obviously just another customer, but I feel like the specific use-case you’re talking about is a one-off with a very narrow upside, and isn’t really worth investing a lot of development energy into in the grand scheme of things. It’s honestly less work to just properly run the launcher as a service.
It’s not really without precedent though. The Mapped Drives functionality already does this, but only for mapped drives and not at the slave level. So it actually already is mostly implemented in Deadline, just for one specific application instead of a broader application which could obsolete the current mapped drive security system.
docs.thinkboxsoftware.com/produc … ped-drives
Although to be completely fair… passwords in mapped drives I think was one of my feature requests.
So in the repository you would have a slave config field: “RunAs: User\Pass”. Then when the launcher runs deadlineslave.exe it would just do:
runas /user:Domain\RenderUser deadlineslave.exe (runas prompts for the password interactively; it does not accept one on the command line)
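As an added illustration (this is not Deadline’s or Thinkbox’s code, and nothing on the page says the launcher works this way), the PowerShell below shows how the “launch the slave as a specific render account” step can be done from user space without the password ever sitting in a plaintext script or on a command line: the credential is captured once with Get-Credential, stored with Export-Clixml (which protects the SecureString with DPAPI, so only the same Windows account on the same machine can read it back), the file’s ACL is cut down to that user plus SYSTEM/Administrators, and Start-Process -Credential does what runas /user: does without a prompt. The slave path, credential file location and render account name are placeholders.

```powershell
# Added example, not part of Deadline. All paths and account names are placeholders.
param(
    [string]$SlaveExe      = 'C:\Program Files\Thinkbox\Deadline\bin\deadlineslave.exe', # assumed install path
    [string]$CredFile      = "$env:LOCALAPPDATA\DeadlineRunAs.xml",                      # chosen for this example
    [string]$RenderAccount = 'RENDERDOMAIN\render_svc'                                    # placeholder account
)

function Save-RenderCredential {
    # Prompt once; Export-Clixml writes the password as a DPAPI-protected SecureString,
    # so the file is useless to another account or another machine.
    $cred = Get-Credential -UserName $RenderAccount -Message 'Render account used to launch the slave'
    $cred | Export-Clixml -Path $CredFile

    # Drop inherited ACEs and leave only the owning user, SYSTEM and Administrators.
    $me = "$($env:USERDOMAIN)\$($env:USERNAME)"
    icacls $CredFile /inheritance:r /grant:r "${me}:(R,W)" 'SYSTEM:(F)' 'Administrators:(F)' | Out-Null
}

function Start-SlaveAsRenderAccount {
    if (-not (Test-Path $CredFile)) { Save-RenderCredential }

    try {
        # Import-Clixml only succeeds for the account that saved the file (DPAPI user scope).
        $cred = Import-Clixml -Path $CredFile
    } catch {
        Write-Warning "Credential file exists but cannot be decrypted by $env:USERNAME; re-creating it."
        Remove-Item $CredFile -Force
        Save-RenderCredential
        $cred = Import-Clixml -Path $CredFile
    }

    # Equivalent of 'runas /user:... deadlineslave.exe', but the password travels as a
    # PSCredential object rather than as text visible in process listings or audit logs.
    # Note: Start-Process -Credential needs an interactive session; it is not a substitute
    # for running the launcher as a Windows service.
    Start-Process -FilePath $SlaveExe -Credential $cred -WorkingDirectory (Split-Path $SlaveExe)
}

Start-SlaveAsRenderAccount
```

The DPAPI scoping is the point: a startup script holding “user/pass” in clear text is readable by anyone who can read the file, whereas the .xml here decrypts only under the profile that created it, so compromising a different local account does not yield the render account’s password. It does not help against an attacker already running as that same user, which is the same limit the thread notes for any user-space approach.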
Oh yeah, that’s the other thing: All of this work would be entirely Windows-specific.
We don’t want to play around with permissions in general, so in the places that we have changed things we’ve believed that a large enough number of people would benefit from it for us to bend those rules. In this case, it’s kind of a unique circumstance.
Let’s see if there’s a way we can solve this for Gavin with an external method. The nice thing with Deadline is that because it avoids playing with permissions, we should be able to find an off-the-shelf solution. Can permissions be set via ACLs to execute the batch script without it being readable by end users? I’ve played with file permissions and that’s not going to really cut it.