[GE users] AFS authentication

Kirk Patton kpatton at transmeta.com
Fri Dec 2 15:05:38 GMT 2005


This sounds like what I am looking for.  I will check the man page and see
what I can get working.

Thanks!
Kirk

On Fri, Dec 02, 2005 at 03:28:18PM +0100, Andreas Haupt wrote:
> Hi Kirk,
> 
> unfortunately we do not provide a howto yet. Here are some notes as a
> starting point:
> 
> SGE has three AFS-related switches in its cluster configuration (man
> sge_conf).
> 
> 1. set_token_cmd -> path to the command that generates the AFS token
> 2. pag_cmd -> path to the command which creates a pag for the job
>    (usually path to pagsh)
> 3. token_extend_time -> a time value which describes how often
>    set_token_cmd is called during the job execution
> 
> This is working so far at our site. Actually set_token_command is doing 
> the whole work. We use a special mechanism where the execution host 
> authenticates itself at a special server and obtains an AFS token for the 
> user. If you are interested in the complete details, please contact me.
> 
> Greetings
> Andreas
> 
> On Wed, 30 Nov 2005, Kirk Patton wrote:
> 
> >Hello all,
> >
> >I have been working on a workaround to support AFS with SGE, but it is
> >turning into a bit of a kludge.  I was wondering if there is a better
> >way, or if the possibility exists to get SGE to better support
> >AFS/Kerberos.
> >
> >We are using AFS to keep design data secure.  The problem is that in
> >order to access this data, a user needs to run the klog command to get
> >their AFS tokens.  SGE expects to be able to change to the submission
> >directory and open log files there for stdout.  If the submission
> >directory is in protected AFS space, the job fails unless the user has
> >already klog'ed.
> >
> >I have been able to work around this to some extent.  I have automated
> >the granting of tickets by writing my own external program that reads
> >the user's AFS password from an encrypted file.  It then calls the klog
> >program to grant the tickets on the target SGE host.  I use the queue
> >"starter_method" parameter to invoke my program before the job is
> >started.  It seems to work o.k. in my initial testing, but I have to do
> >some juggling with the current working directory so that the job does
> >not land in AFS space before it is authenticated.
> >
> >I recently ran into another related problem when specifying
> >'-o out_file'.  If the job's stdout is told to go to the current
> >directory, and that directory is in AFS space, it appears that an
> >attempt to open the file happens before my starter_method can get the
> >tokens granted.  So, the job fails.
> >
> >What I think I need for this to work more smoothly would be to have
> >some way in SGE to specify that an external program needs to run before
> >the job setup is begun.
> >
> >If it were possible to run my authentication program on the target host
> >before any other job setup had been attempted, the program could grant
> >the AFS tokens, and I would not have to mess around with the current
> >working directory, or tell my user that they cannot specify AFS space
> >for their jobs' output files.
> >
> >Does anyone have any comments on how best to support AFS with SGE?  To
> >further complicate things, one of our AFS cells is not under local
> >control, so any suggestion that requires messing with the AFS cell
> >would not work in my situation.
> >
> >Any suggestions are appreciated. :-)
> >
> >Thanks,
> >Kirk
> >
> >
> 
> -- 
> | Andreas Haupt                      | E-Mail:  andreas.haupt at desy.de
> |  DESY Zeuthen                      | WWW:     http://www.desy.de/~ahaupt
> |  Platanenallee 6                   | Phone:   +49/33762/7-7359
> |  D-15738 Zeuthen                   | Fax:     +49/33762/7-7216
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
> For additional commands, e-mail: users-help at gridengine.sunsource.net
> 

-- 
Kirk Patton
Unix Administrator
Transmeta Inc.
Tel. 408 919-3055
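
Added example, not part of the original thread and not SGE's own code: a shell check of the three AFS switches listed in the quoted reply (set_token_cmd, pag_cmd, token_extend_time), run against constructed `qconf -sconf`-style text. The sample paths, the whitespace-separated name/value layout and the h:m:s time format are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the AFS switches in `qconf -sconf`-style text.

# Constructed sample; the paths are placeholders, not values from the thread.
sample_conf() {
    cat <<'EOF'
execd_spool_dir              /opt/sge/default/spool
set_token_cmd                /opt/sge/util/set_token_cmd
pag_cmd                      /usr/afsws/bin/pagsh
token_extend_time            24:0:0
EOF
}

# conf_value NAME: print NAME's value from configuration text on stdin.
conf_value() {
    awk -v key="$1" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# hms_to_seconds H:M:S: print the value in seconds; fail if malformed.
hms_to_seconds() {
    printf '%s\n' "$1" | awk -F: '
        /^[0-9]+:[0-9]+:[0-9]+$/ { print $1 * 3600 + $2 * 60 + $3; ok = 1 }
        END { exit !ok }'
}

# check_afs_conf: read configuration text on stdin, report problems,
# return non-zero if any of the three switches looks wrong.
check_afs_conf() {
    conf=$(cat)
    rc=0
    for key in set_token_cmd pag_cmd; do
        val=$(printf '%s\n' "$conf" | conf_value "$key")
        case "$val" in
            /*) ;;  # absolute path: cannot be redirected through PATH
            *)  echo "$key: expected absolute path, got '${val:-unset}'"; rc=1 ;;
        esac
    done
    val=$(printf '%s\n' "$conf" | conf_value token_extend_time)
    if secs=$(hms_to_seconds "$val"); then
        echo "token_extend_time: $secs seconds"
    else
        echo "token_extend_time: '$val' is not h:m:s"; rc=1
    fi
    return "$rc"
}

sample_conf | check_afs_conf
```

On a live cluster the same check would read `qconf -sconf | check_afs_conf` instead of the constructed sample.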
