[GE users] SGE and Kerberos authentication for resources
phalenor at gmail.com
Mon Aug 2 15:33:16 BST 2010
On 2010-08-02 at 16:15, weiser ( m.weiser at science-computing.de ) said:
> is anyone here running jobs with SGE that use resources authenticated via
> Kerberos? We're thinking about migrating to NFSv4 with
> Kerberos-Authentication and want to avoid re-inventing the wheel. Our
> questions are (quite obviously ;):
> - Can it be done?
> - Has it been done?
> - How to do it?
> With NFSv4 we need a service ticket with the user's principal in it. So
> the obvious approach is to use constrained delegation or protocol
> transition. In the former case there'd need to be a way to attach an SGE
> service ticket to the job with which SGE is then able to retrieve an NFS
> service ticket in the user's name. In both cases SGE needs to be aware of
> the need and able to retrieve the necessary tickets or delegate the task
> to some hook or prologue script.

You could probably abuse SGE's AFS set_token and get_token for this.
get_token defines a command to run at job submission time and basically
expects something on stdout, then set_token runs before the job script
itself runs, and pipes what get_token spit out on stdout to the set_token
command. A 'token' can really be anything, SGE doesn't care, as long as
it's not null.

If you search the list archives, I believe at least one other site is
doing this for AFS support, but passing krb5 tickets instead of afs
tokens. We do something in a similar fashion. Basically, base64 encode the
contents of KRB5CCNAME and output it as the get_token command, then the
reverse of that for the set_token command.

Your cell also has to be running with security mode 'afs', essentially
inst_sge or whatever with the -afs option.

Saved you a google search: http://markmail.org/message/3vakrcunuyyw5euf
That should give you some ideas.
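
The base64 round trip described in the reply above, as an added example that is not part of the original post and is not SGE's or the poster's own script. The function names, the destination-path argument and the restriction to FILE-type caches are assumptions made for illustration; how SGE invokes the two commands is not shown on this page.

```shell
#!/bin/sh
# Hypothetical helpers (added example). A credential cache is a bearer
# credential, so it travels only over stdout/stdin and lands in a 0600 file.

# Resolve a FILE-type cache path from a KRB5CCNAME-style value.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        /*)     printf '%s\n' "$1" ;;
        *)      echo "unsupported ccache type: $1" >&2; return 1 ;;
    esac
}

# Submission side: print the cache as a single base64 line on stdout.
# The output must be non-empty, so an empty or missing cache is an error.
get_token() {
    path=$(ccache_path "$1") || return 1
    [ -s "$path" ] || { echo "empty or missing ccache: $path" >&2; return 1; }
    base64 < "$path" | tr -d '\n'
    echo
}

# Execution side: read the token from stdin and install it at path $1.
# Decode into a private temp file first, so a truncated or corrupt token
# never replaces an existing cache.
set_token() {
    dest=$1
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    chmod 600 "$tmp"
    if base64 -d > "$tmp" 2>/dev/null && [ -s "$tmp" ]; then
        mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "token missing or not valid base64" >&2
        return 1
    fi
}
```

A job would then point KRB5CCNAME at the file written by set_token before touching the Kerberos-protected resource.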