[GE users] AFS Support in SGE6.1

Andreas.Haas at Sun.COM Andreas.Haas at Sun.COM
Thu May 10 16:28:57 BST 2007

Hi Duc,

On Thu, 10 May 2007, Duc Bao Ta wrote:

> For the set_token_cmd and pag you have to set the configuration to point to 
> the files (set_token_cmd and pagsh in the cluster configuration), the 
> get_token_cmd MUST be in $SGE_ROOT/util (where can I change that? where have 
> all the text-configuration files gone?).

that path is simply compiled-in

    libs/gdi/sge_security.c:      sprintf(binary, "%s/util/get_token_cmd", sge_root);

> Here is how I think it works:
> When you enter qsub, the get_token_cmd is executed which expects the "token" 
> to be printed to stdout (if something is on stderr, the submission is 
> aborted). When the job starts a new pag-shell is created by executing pag. 
> Then set_token_cmd receives the "token" from stdin and the job is started.
> Now I do not send the AFS-token, but the krb5-ticket coded as BASE64 (the 
> python scripts are doing the conversion, some characters get lost when coding 
> with e.g. uuencode or sending the 'binary'). The pag script has to set the 
> KRB5CCNAME variable (/tmp/ticket.**jobId**, I use pwd since the program seems 
> to be in the directory of the stored script, which is [...]/**jobId**, I 
> haven't found variables that contain the job number or task-id number) which 
> stays valid for the set_token_cmd and the job itself (set_token_cmd and the 
> job seem to be children of the pag script), otherwise the job does not know 
> which ticket was used to get the AFS-token. set_token_cmd restores the 
> original krb5-ticket and gets an AFS-token. After all that the job starts.
> Using this I don't have to create extra keytabs for every user and the 
> authentification is done by trying to get a token from the ticket that was 
> sent at the time of submission.

Uhhm ... honestly no idea whether that can be recommended ;-)

> I only wonder, where the "token" (i.e. my converted ticket) is stored and if 
> it is securely transfered (maybe using CSP helps)?

AFAIR the ticketes are stored with the job. The code where this is
done is set_sec_cred() in libs/gdi/sge_security.c.


To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
For additional commands, e-mail: users-help at gridengine.sunsource.net

More information about the gridengine-users mailing list