On 21.02.2011 at 10:18, Andreas Haupt wrote:
> Hi,
>
> On Sun, 2011-02-20 at 13:17 +0000, Dave Love wrote:
>> Chris Jewell <[email protected]> writes:
>>
>>> Hi All,
>>>
>>> I was wondering if anybody had any info on using Grid Engine with
>>> Kerberos authentication?
>
> Well, GE actually does not support Kerberos authentication. It provides
> methods to fetch a ticket on job submission (get_token_cmd when running
> with AFS support) as well as providing tickets during job execution
> (set_token_cmd). Nevertheless, there is no authentication process during
> job submission.

I wonder about the statements in the man page of SGE:

set_token_cmd
    Note: Deprecated, may be removed in future release.
    This parameter is only present if your Grid Engine system is licensed to
    support AFS.

- Is it available in the open source edition and the man page is outdated?
- What are the plans to remove it? I don't use it, but before someone tries
  to get it working, it would be good to know.

-- Reuti
>> In the absence of anyone speaking who has been doing it: There was
>> stuff about it on the old list, searchable via gridengine.markmail.org,
>> including reference to Friebel's SGE workshop talk about the setup at
>> DESY. Unfortunately the proceedings have been taken down, and I've
>> failed to archive them, although I have a copy of that one. The
>> software it refers to is at ftp://ftp.ifh.de/pub/unix/gnu/perl/modules/
>> but I haven't used it.
>
> This stuff can be used to forge K5 tickets and AFS tokens.
>
>> There's also a system reported at
>> http://workshop.openafs.org/afsbpw10/talks/wed_3/hautreux_kerberos_hpc.pdf
>> which has integration for SLURM, but I don't know how difficult it would
>> be to integrate it with GE.
>
> This stuff can be used to provide jobs with K5 credentials, also. Slurm
> still does not provide K5 authentication, either.
>
>> Of course, the Kerberos security model is basically incompatible with
>> arbitrary length unattended batch jobs, experimental sessions, etc., and
>> you need to have control of your authentication and resource
>> infrastructure to make this sort of thing work. That doesn't mean
>> there's anything wrong with the model, but a capability system is
>> probably more appropriate for such applications.
>
> ACK.
>
> Cheers,
> Andreas
> --
> | Andreas Haupt | E-Mail: [email protected]
> | DESY Zeuthen | WWW: http://www-zeuthen.desy.de/~ahaupt
> | Platanenallee 6 | Phone: +49/33762/7-7359
> | D-15738 Zeuthen | Fax: +49/33762/7-7216
>
> _______________________________________________
> users mailing list
> [email protected]
> https://gridengine.org/mailman/listinfo/users