[GE users] AFS authentication
kpatton at transmeta.com
Wed Nov 30 20:12:56 GMT 2005
I have been working on a workaround to support AFS with SGE, but it is turning into a bit
of a kludge. I was wondering if there is a better way, or if the possibility exists to
get SGE to better support AFS/kerberos.
We are using AFS to keep design data secure. The problem is that in order to access this
data, a user needs to run the klog command to get their AFS tokens. SGE expects to be able
to change to the submission directory and open log files there for stdout. If the submission
directory is in protected AFS space, the job fails unless the user has already klog'ed.
I have been able to work around this to some extent. I have automated the granting of
tickets by writing my own external program that reads the users AFS password from an
encrypted file. It then calls the klog program to grant the tickets on the target SGE
host. I use the queue "starter_method" parameter to invoke my program before the
job is started. It seems to work o.k. in my initial testing, but I have to do some
juggling with the current working directory so that the job does not land in AFS
space before it is authenticated.
I recently ran into another related problem when specifying '-o out_file'. If the
jobs stdout is told to go to the current directory, and that directory is in AFS
space, it appears that an attempt to open the file happens before my starter_method
can get the tokens granted. So, the job fails.
What I think I need for this to work more smoothly would be to have some way in SGE
to specify that an external program needs to run before the job setup is begun.
If it were possible to run my authentication program on the target host before any
other job setup had been attempted, the program could grant the AFS tokens, and
I would not have to mess around with the current working directory, or tell my
user that they cannot specify AFS space for their jobs output files.
Does anyone have any comments on how best to support AFS with SGE? To further
complicate things, one of our AFS cells is not under local control, so any suggestion
that requires messing with the AFS cell would not work in my situation.
Any suggestions are appreciated. :-)
----- End forwarded message -----
Tel. 408 919-3055
To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
For additional commands, e-mail: users-help at gridengine.sunsource.net
More information about the gridengine-users