[GE users] AFS authentication
ahaupt at ifh.de
Fri Dec 2 14:28:18 GMT 2005
unfortunately we do not provide a howto yet. Here some notes as a starting
SGE has three AFS related switches in it's cluster configuration (man
1. set_token_cmd -> path to the command that generates the AFS token
2. pag_cmd -> path to the command which creates a pag for the job
(usually path to pagsh)
3. token_extend_time -> a time value which describes how often
set_token_cmd is called during the job execution
This is working so far at our site. Actually set_token_command is doing
the whole work. We use a special mechanism where the execution host
authenticates itself at a special server and obtains an AFS token for the
user. If you are interested in the complete details, please contact me.
On Wed, 30 Nov 2005, Kirk Patton wrote:
> Hello all,
> I have been working on a workaround to support AFS with SGE, but it is turning into a bit
> of a kludge. I was wondering if there is a better way, or if the possibility exists to
> get SGE to better support AFS/kerberos.
> We are using AFS to keep design data secure. The problem is that in order to access this
> data, a user needs to run the klog command to get their AFS tokens. SGE expects to be able
> to change to the submission directory and open log files there for stdout. If the submission
> directory is in protected AFS space, the job fails unless the user has already klog'ed.
> I have been able to work around this to some extent. I have automated the granting of
> tickets by writing my own external program that reads the users AFS password from an
> encrypted file. It then calls the klog program to grant the tickets on the target SGE
> host. I use the queue "starter_method" parameter to invoke my program before the
> job is started. It seems to work o.k. in my initial testing, but I have to do some
> juggling with the current working directory so that the job does not land in AFS
> space before it is authenticated.
> I recently ran into another related problem when specifying '-o out_file'. If the
> jobs stdout is told to go to the current directory, and that directory is in AFS
> space, it appears that an attempt to open the file happens before my starter_method
> can get the tokens granted. So, the job fails.
> What I think I need for this to work more smoothly would be to have some way in SGE
> to specify that an external program needs to run before the job setup is begun.
> If it were possible to run my authentication program on the target host before any
> other job setup had been attempted, the program could grant the AFS tokens, and
> I would not have to mess around with the current working directory, or tell my
> user that they cannot specify AFS space for their jobs output files.
> Does anyone have any comments on how best to support AFS with SGE? To further
> complicate things, one of our AFS cells is not under local control, so any suggestion
> that requires messing with the AFS cell would not work in my situation.
> Any suggestions are appreciated. :-)
| Andreas Haupt | E-Mail: andreas.haupt at desy.de
| DESY Zeuthen | WWW: http://www.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7359
| D-15738 Zeuthen | Fax: +49/33762/7-7216
To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
For additional commands, e-mail: users-help at gridengine.sunsource.net
More information about the gridengine-users