[GE users] SGE and Kerberos authentication for resources

phalenor phalenor at gmail.com
Mon Aug 2 15:33:16 BST 2010


On 2010-08-02 at 16:15, weiser ( m.weiser at science-computing.de ) said:
> Hello,
>
> is anyone here running jobs with SGE that use resources authenticated via
> Kerberos? We're thinking about migrating to NFSv4 with
> Kerberos-Authentication and want to avoid re-inventing the wheel. Our
> questions are (quite obviously ;):
>
> - Can it be done?
> - Has it been done?
> - How to do it?
>
> With NFSv4 we need a service ticket with the user's principal in it. So
> the obvious approach it to use constrained delegation or protocol
> transition. In the former case there'd need to be a way to attach an SGE
> service ticket to the job with which SGE is then able to retrieve an NFS
> service ticket in the user's name. In both cases SGE needs to be aware of
> the need and able to retrieve the necessary tickets or delegate the task
> to some hook or prologue script.

You could probably abuse SGE's AFS set_token and get_token for this. 
get_token defines a command to run at job submission time and basically 
expects something on stdout, then set_token runs before the job script 
itself runs, and pipes what get_token spit out on stdout to the set_token 
command. A 'token' can really be anything, SGE doesn't care, as long as 
it's not null.

If you search the list archives, I believe at least one other site is 
doing this for AFS support, but passing krb5 tickets instead of afs 
tokens. We do something in a similar fashion. Basically, base64 encode the 
contents of KRB5CCNAME and output it as the get_token command, then the 
reverse of that for the set_token command.

Your cell also has to be running with security mode 'afs', essentially 
inst_sge or whatever with the -afs option.

Saved you a google search: http://markmail.org/message/3vakrcunuyyw5euf

That should give you some ideas.

--andy

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=271746

To unsubscribe from this discussion, e-mail: [users-unsubscribe at gridengine.sunsource.net].



More information about the gridengine-users mailing list