[GE users] sge_security.c errors

Eric Andresen eandres at mars.asu.edu
Mon Nov 29 22:56:42 GMT 2004


Here are my notes regarding the GSSAPI support in SGE 6.0 (though I
believe it's also valid for 5.3):

See last message for patching details for krb5/gss support.

SGE 6 build instructions:
  # Fix all paths
  vim aimk.site
  # Fix BERKELEYDBBASE path
  vim scripts/distinst.site
  # Remove DBARCH from BERKELEYDBBASE paths
  vim scripts/distinst
  ./aimk -only-depend
  scripts/zerodepend
  ./aimk depend
  ./aimk
  ./aimk -mankv
  export SGE_ROOT=/home/sge-6.0u1
  mkdir -p $SGE_ROOT
  scripts/distinst -local -noexit -allall lx24-x86

  # KerberosV TGT forwarding:
  scripts/distinst -local -- sec
  cd $SGE_ROOT/security/
  add arch type 'lx24-x86' to aimk
  ./aimk -gss
  ./aimk install
  Add 'kerberos' to the 'security_mode' parameter in
  $SGE_ROOT/$SGE_CELL/common/bootstrap

NOTE: Ensure that the version of bdb that 'distinst' copied matches the
version used by your system. On RedHat based systems with nptl support, it
will likely have copied the wrong version into $SGE_ROOT/lib; simply replace
the copied version with the appropriate version.


-----------------------------------------------------------------------------
http://gridengine.sunsource.net/servlets/ReadMsg?msgId=13426&listName=dev

I did run into a bug in the code that tries to delete the credentials when a
job finishes. The problem is in the source file:
     source/libs/gdi/sge_security.c:

The routine store_sec_cred2() writes the credentials cache to a file with a
name of the form of:
    /tmp/krb5cc_sge_job#

while the routine delete_credentials() looks for the file as:
    /tmp/krb5cc_qmaster_job#

Looking at the code, I believe the latter was the original naming convention
(it exists that way in cache_sec_cred() as well) and was changed when
store_sec_cred2() was created.  Anyway, I changed the code in
delete_credentials() to use "sge" in the name and that resolved the issue.

Additionally modify store_sec_cred() to use 'sge' rather than 'qmaster'
-----------------------------------------------------------------------------
http://gridengine.sunsource.net/servlets/ReadMsg?msgId=18811&listName=dev

>   I've been playing with getting SGE 6.0 and the security/gss module to
> play nice. So far, I've got TGT forwarding working correctly for qrsh
> and qsh, but qsub doesn't play nice. From what I can see, this is
> because qsub was converted to make use of JAPI / DRMAA.
> 
>   Is there an easy way that I can make qsub do the regular calls to gdi
> so that get_cred and friends get called as they do for qrsh and qsh?

Add the code:
   /*
   ** security hook
   */
   if (set_sec_cred(job) != 0) {
      fprintf(stderr, MSG_SEC_SETJOBCRED);
      SGE_EXIT(1);
   }

immediately following the call to cull_parse_job_parameter() in qsub's
main() function. Everything was then happy.
-----------------------------------------------------------------------------
http://gridengine.sunsource.net/servlets/ReadMsg?msgId=18829&listName=dev

The things I've done to allow SGE 6.0 to provide TGT forwarding for all
jobs are:

  - Add the call to set_sec_cred() to qsub following the call to
    cull_parse_job_parameter().
  - Change all instances of /tmp/krb5cc_qmaster_ in libs/gdi/ to
    /tmp/krb5cc_sge_ so that calls to delete_cred will work correctly for
    both the qmaster and execd. The only problem I can see with this change
    is if the qmaster is also an execd host.
  - Remove the 'PROTOTYPE' macro wrapper around
    security/gss/sge_gsslib.c line 78 (kg_get_context) as it is not defined
    anywhere.
  - Add '-DKRB5_EXPORTVAR' to the CFLAGS for '-gss' in
    security/gss/aimk. (This is required at least for krb5-1.3.x, not sure
    about others)
  - Compile SGE as normal, and install
  - export SGE_ROOT and run 'scripts/distinst -local -- sec' to install
    the gss module to $SGE_ROOT/security/
  - Go to $SGE_ROOT/security directory, add arch type 'lx24-x86' to
    aimk, run './aimk -DKRB5_EXPORTVAR -gss' and './aimk install'
  - Add 'kerberos' to the 'security_mode' parameter in
    <CELL>/common/bootstrap
-----------------------------------------------------------------------------
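
The credential-cache naming mismatch described in the message above, reduced to a stand-alone C example added here (not code from SGE or from the original post): a delete that builds the path with the old 'qmaster' prefix cannot find the cache written under the 'sge' prefix, so the file stays on disk after the job ends. The names cc_path, store_cred, delete_cred and CC_PREFIX, the directory parameter and the sample blob are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical: the single definition of the cache naming scheme. */
#define CC_PREFIX "krb5cc_sge_"

static int cc_path(char *buf, size_t len, const char *dir,
                   const char *prefix, unsigned long job_id)
{
    int n = snprintf(buf, len, "%s/%s%lu", dir, prefix, job_id);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Write a constructed credential blob: owner-only, never reusing a file. */
int store_cred(const char *dir, unsigned long job_id, const char *blob)
{
    char path[256];
    if (cc_path(path, sizeof path, dir, CC_PREFIX, job_id) != 0) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, blob, strlen(blob));
    close(fd);
    return (w == (ssize_t)strlen(blob)) ? 0 : -1;
}

/* Remove the cache named with `prefix`; returns 0 or the errno value. */
int delete_cred(const char *dir, const char *prefix, unsigned long job_id)
{
    char path[256];
    if (cc_path(path, sizeof path, dir, prefix, job_id) != 0) return ENAMETOOLONG;
    return unlink(path) == 0 ? 0 : errno;
}

int main(void)
{
    char dir[64];
    snprintf(dir, sizeof dir, "/tmp/ccdemo.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 || store_cred(dir, 42, "constructed") != 0) return 1;
    printf("qmaster prefix -> errno %d\n", delete_cred(dir, "krb5cc_qmaster_", 42));
    printf("sge prefix     -> errno %d\n", delete_cred(dir, CC_PREFIX, 42));
    return rmdir(dir);
}
```

Deriving both the store and the delete path from one prefix definition keeps the two from drifting apart again.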


