[GE users] AFS authentication

Andreas Haupt ahaupt at ifh.de
Fri Dec 2 14:28:18 GMT 2005

Hi Kirk,

unfortunately we do not provide a howto yet. Here are some notes as a starting 

SGE has three AFS related switches in its cluster configuration (man 

1. set_token_cmd -> path to the command that generates the AFS token
2. pag_cmd -> path to the command which creates a pag for the job 
(usually path to pagsh)
3. token_extend_time -> a time value which describes how often 
set_token_cmd is called during the job execution

This is working so far at our site. Actually set_token_command is doing 
the whole work. We use a special mechanism where the execution host 
authenticates itself at a special server and obtains an AFS token for the 
user. If you are interested in the complete details, please contact me.


On Wed, 30 Nov 2005, Kirk Patton wrote:

> Hello all,
> I have been working on a workaround to support AFS with SGE, but it is turning into a bit
> of a kludge.  I was wondering if there is a better way, or if the possibility exists to
> get SGE to better support AFS/kerberos.
> We are using AFS to keep design data secure.  The problem is that in order to access this
> data, a user needs to run the klog command to get their AFS tokens.  SGE expects to be able
> to change to the submission directory and open log files there for stdout.  If the submission
> directory is in protected AFS space, the job fails unless the user has already klog'ed.
> I have been able to work around this to some extent.  I have automated the granting of
> tickets by writing my own external program that reads the user's AFS password from an
> encrypted file.  It then calls the klog program to grant the tickets on the target SGE
> host.  I use the queue "starter_method" parameter to invoke my program before the
> job is started.  It seems to work o.k. in my initial testing, but I have to do some
> juggling with the current working directory so that the job does not land in AFS
> space before it is authenticated.
> I recently ran into another related problem when specifying '-o out_file'. If the
> job's stdout is told to go to the current directory, and that directory is in AFS
> space, it appears that an attempt to open the file happens before my starter_method
> can get the tokens granted.  So, the job fails.
> What I think I need for this to work more smoothly would be to have some way in SGE
> to specify that an external program needs to run before the job setup is begun.
> If it were possible to run my authentication program on the target host before any
> other job setup had been attempted, the program could grant the AFS tokens, and
> I would not have to mess around with the current working directory, or tell my
> user that they cannot specify AFS space for their jobs' output files.
> Does anyone have any comments on how best to support AFS with SGE?  To further
> complicate things, one of our AFS cells is not under local control, so any suggestion
> that requires messing with the AFS cell would not work in my situation.
> Any suggestions are appreciated. :-)
> Thanks,
> Kirk

| Andreas Haupt                      | E-Mail:  andreas.haupt at desy.de
|  DESY Zeuthen                      | WWW:     http://www.desy.de/~ahaupt
|  Platanenallee 6                   | Phone:   +49/33762/7-7359
|  D-15738 Zeuthen                   | Fax:     +49/33762/7-7216
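
An added example, not part of the original thread or of SGE itself: a shell check that reads the output of `qconf -sconf` on stdin and reports whether the three AFS switches named above are set, whether the two commands are absolute paths, and whether they are writable by anyone but their owner. The sample configuration and its paths are constructed placeholders, and the accepted time format (h:m:s or plain seconds) is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): check the three AFS settings in
# `qconf -sconf` output read from stdin. Prints one finding per line and
# returns non-zero if there is any.
check_afs_conf() (
    conf=$(cat); findings=0
    for key in set_token_cmd pag_cmd token_extend_time; do
        # qconf prints "name<whitespace>value"; keep everything after the name.
        val=$(printf '%s\n' "$conf" |
              awk -v k="$key" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }')
        if [ -z "$val" ] || [ "$val" = "none" ]; then
            echo "UNSET $key"; findings=$((findings + 1)); continue
        fi
        if [ "$key" = "token_extend_time" ]; then
            # Assumption: SGE time values are h:m:s or plain seconds.
            printf '%s' "$val" | grep -Eq '^[0-9]+(:[0-9]+:[0-9]+)?$' ||
                { echo "BADTIME $key=$val"; findings=$((findings + 1)); }
            continue
        fi
        cmd=${val%% *}                      # the command, without arguments
        case "$cmd" in
            /*) ;;
            *) echo "RELATIVE $key=$cmd"; findings=$((findings + 1)); continue ;;
        esac
        # These commands handle users' AFS tokens, so nobody but the owner
        # should be able to replace them. Checked only if the file is present.
        if [ -e "$cmd" ]; then
            case "$(ls -ldL "$cmd" | cut -c1-10)" in
                ?????w*|????????w*)
                    echo "WRITABLE $key=$cmd"; findings=$((findings + 1)) ;;
            esac
        fi
    done
    [ "$findings" -eq 0 ]
)

# Constructed sample input; paths and values are placeholders.
SAMPLE_CONF='execd_spool_dir      /opt/sge/default/spool
set_token_cmd        util/set_token_cmd
pag_cmd              none
token_extend_time    24:0:0'

printf '%s\n' "$SAMPLE_CONF" | check_afs_conf || true
```

On a live cluster the input would come from `qconf -sconf | check_afs_conf`, run on an execution host so that the file checks see the paths the jobs will use.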
