>We think this is a generic batch job problem to k4/k5 and/or AFS/DFS
>services.  What have people been doing in the k4/k5/AFS/DFS space to
>deal with this problem?

Doug has already given the "Use V5 renewable tickets" sermon, so I
won't reiterate it :-)

I've been progressing on that front here.  Currently we have a little
wrapper program called "krenew" that will run a program and continually
refresh the V5 tickets and AFS tokens in the program's environment.
It seems to work fairly well.

However, the next step (integrating it with batch queueing systems)
has not progressed as far as I would have liked.  We are currently
saddled with a couple of commercial batch queueing systems; few of
them have any security, and of course they don't support ticket
renewal (actually, that's a bit of a lie - LSF does, but in an insecure
and AFS-specific way).  Getting the vendors to solve this problem has
been mostly a failure.

My current plans are to junk all of our commercial queueing systems
and take PBS and add "real" Kerberos V5 support to it, which will
include ticket renewal in the job environment.  The only thing that
has stopped me up until now is a lack of time.  I'll probably
tackle this when I get back from vacation.

I will say that I disagree with Doug on one point - I looked at the
stuff for postdatable tickets, and it's mostly useless when it
comes to batch queueing systems.  With postdatable tickets you say
that your ticket is valid some time in the future - but you have to
specify that time at the time you get your credentials.  Few batch
queueing systems can make guarantees as to when your job will start -
you can be conservative about picking your ticket start time, but
then you can possibly lose time when your job could be running.  I'm
not planning on doing anything with postdatable tickets with our
queueing systems.

>Outside of keytabs.  We're looking at creating a batch job wrapper
>which requires the username/password of the user, obtains the
>credential, and refreshes it for the duration of the process.  Any
>thoughts?

I don't see how this differs fundamentally from keytabs - you're
still keeping around the user's password, which is a bad idea.

--Ken
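The wrapper Ken describes (run a job, keep renewing its V5 tickets and AFS tokens until it exits) is simple enough to sketch. The script below is an added example for this thread, not Ken's krenew and not any project's code. It assumes an MIT-style `kinit -R` and an OpenAFS `aklog` on the PATH, and that the job was started with a renewable TGT (for example `kinit -r 7d`) in the credential cache named by KRB5CCNAME; the renewal commands are a parameter so they can be swapped for a site's own tooling.

```python
"""krenew-style job wrapper (added example, not the krenew from the thread).

Runs a command and, while it is alive, periodically re-runs a list of
renewal commands in the child's environment.  By default these are
`kinit -R` (renew the V5 TGT in $KRB5CCNAME) and `aklog` (derive a fresh
AFS token from the renewed TGT).  Both defaults are assumptions about the
local Kerberos/AFS installation, not something the thread specifies.
"""
import argparse
import os
import subprocess
import sys
import time

# Assumed site tooling: MIT kinit with -R, OpenAFS aklog.
DEFAULT_RENEW_CMDS = [["kinit", "-R"], ["aklog"]]


def renew_once(renew_cmds, env=None):
    """Run each renewal command in order; return True only if all succeed.

    A failed `kinit -R` usually means the ticket has already expired or
    its renewable lifetime (renew_till) has been reached, so the failure
    is reported rather than silently ignored.
    """
    ok = True
    for cmd in renew_cmds:
        rc = subprocess.call(cmd, env=env)
        if rc != 0:
            print(f"krenew: {' '.join(cmd)} exited with status {rc}", file=sys.stderr)
            ok = False
    return ok


def run_with_renewal(command, interval, renew_cmds=DEFAULT_RENEW_CMDS, env=None):
    """Run `command`, renewing every `interval` seconds until it exits.

    Returns (exit_status, renewal_count).  The renewal commands run with
    the same environment (and therefore the same KRB5CCNAME) as the child,
    so they refresh exactly the cache the job is using.
    """
    env = dict(os.environ if env is None else env)
    child = subprocess.Popen(command, env=env)
    renewals = 0
    next_renew = time.monotonic() + interval
    try:
        while child.poll() is None:
            now = time.monotonic()
            if now >= next_renew:
                renew_once(renew_cmds, env)
                renewals += 1
                next_renew = now + interval
            # Poll the child frequently so its exit is noticed promptly.
            time.sleep(min(0.05, max(0.0, next_renew - time.monotonic())))
    except KeyboardInterrupt:
        child.terminate()
        child.wait()
    return child.returncode, renewals


def main(argv=None):
    parser = argparse.ArgumentParser(description="run a command, renewing Kerberos/AFS credentials")
    parser.add_argument("-i", "--interval", type=float, default=3600.0,
                        help="seconds between renewals (keep well below the ticket lifetime)")
    parser.add_argument("command", nargs=argparse.REMAINDER, help="command to run (prefix with --)")
    args = parser.parse_args(argv)
    if not args.command:
        parser.error("no command given")
    status, _ = run_with_renewal(args.command, args.interval)
    return status


if __name__ == "__main__":
    sys.exit(main())
```

The renewal interval must be shorter than the ticket lifetime: `kinit -R` can only renew a ticket that is still valid, and only until the renewable lifetime granted when the ticket was first obtained, which is the real ceiling on how long such a wrapper can keep a job alive.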
