[GE users] AFS authentication

Andreas Haupt ahaupt at ifh.de
Fri Dec 2 14:28:18 GMT 2005


Hi Kirk,

Unfortunately, we do not provide a howto yet. Here are some notes as a starting 
point:

SGE has three AFS-related switches in its cluster configuration (man 
sge_conf).

1. set_token_cmd -> path to the command that generates the AFS token
2. pag_cmd -> path to the command which creates a pag for the job 
(usually path to pagsh)
3. token_extend_time -> a time value which describes how often 
set_token_cmd is called during the job execution

This is working so far at our site. Actually set_token_command is doing 
the whole work. We use a special mechanism where the execution host 
authenticates itself at a special server and obtains an AFS token for the 
user. If you are interested in the complete details, please contact me.

Greetings
Andreas

On Wed, 30 Nov 2005, Kirk Patton wrote:

> Hello all,
>
> I have been working on a workaround to support AFS with SGE, but it is turning into a bit
> of a kludge.  I was wondering if there is a better way, or if the possibility exists to
> get SGE to better support AFS/kerberos.
>
> We are using AFS to keep design data secure.  The problem is that in order to access this
> data, a user needs to run the klog command to get their AFS tokens.  SGE expects to be able
> to change to the submission directory and open log files there for stdout.  If the submission
> directory is in protected AFS space, the job fails unless the user has already klog'ed.
>
> I have been able to work around this to some extent.  I have automated the granting of
> tickets by writing my own external program that reads the user's AFS password from an
> encrypted file.  It then calls the klog program to grant the tickets on the target SGE
> host.  I use the queue "starter_method" parameter to invoke my program before the
> job is started.  It seems to work o.k. in my initial testing, but I have to do some
> juggling with the current working directory so that the job does not land in AFS
> space before it is authenticated.
>
> I recently ran into another related problem when specifying '-o out_file'. If the
> job's stdout is told to go to the current directory, and that directory is in AFS
> space, it appears that an attempt to open the file happens before my starter_method
> can get the tokens granted.  So, the job fails.
>
> What I think I need for this to work more smoothly would be to have some way in SGE
> to specify that an external program needs to run before the job setup is begun.
>
> If it were possible to run my authentication program on the target host before any
> other job setup had been attempted, the program could grant the AFS tokens, and
> I would not have to mess around with the current working directory, or tell my
> user that they cannot specify AFS space for their jobs' output files.
>
> Does anyone have any comments on how best to support AFS with SGE?  To further
> complicate things, one of our AFS cells is not under local control, so any suggestion
> that requires messing with the AFS cell would not work in my situation.
>
> Any suggestions are appreciated. :-)
>
> Thanks,
> Kirk
>
>

-- 
| Andreas Haupt                      | E-Mail:  andreas.haupt at desy.de
|  DESY Zeuthen                      | WWW:     http://www.desy.de/~ahaupt
|  Platanenallee 6                   | Phone:   +49/33762/7-7359
|  D-15738 Zeuthen                   | Fax:     +49/33762/7-7216
