On 10/02/2012 12:00 AM, Christoph Müller wrote:
Dear all,
I have been researching the web for some time, but have not yet found a
definite answer to the question whether SGE can be used with Kerberos
authentication. My questions are: How can I forward the user's ticket
from the submit hosts? Does SGE provide any built-in means for that?
Otherwise, could it be done using startup scripts? Is there any support
for automatically renewing tickets for long-running jobs?
In detail: my boss decided that it would no longer be acceptable to live
with the well-known security issues inherent to NFS. We think that
kerberised NFS is probably the most user-friendly solution. However,
this will also affect our cluster and forces us to enable KRB5 here,
too. At the moment, users are authenticated using KRB5 on the submit
host, i.e. they have a ticket there. They could also acquire a ticket on
the execution hosts by SSH'ing there. However, afaik this cannot be
exploited for SGE, because the job script is executed by the shepherd on
the first execution host assigned by the scheduler. I.e. the job is
started by the shepherd spawning a process as the user and not by the
user starting a session with his own credentials. Is that correct? How
can I then transport the user's ticket to the execution host and assign
it to the job's process?
If I have the ticket on the host that runs the job script, the problem
should be solved for MPI as its children are started using SSH, and I
could just change the login method of SSH from pubkey to KRB5. Is that
correct?
Another problem is the fact that jobs can be long-running, i.e. the
lifetime of ten hours of a ticket might not be sufficient. Does SGE
provide any means to periodically renew tickets? If not, does anyone
know of a successful hack? I think it would suffice if the job could
fork off a shell that periodically runs kinit -r.
If anyone knows about some web resources on this issue, I would be
grateful for the links.
Thanks in advance,
Christoph
These are my notes. Not yet in production fully though.
Enable afs in bootstrap config (/usr/share/gridengine/default/common/bootstrap):
security_mode afs
Set global configs:
qconf -mconf global
set_token_cmd /usr/share/gridengine/util/set_token_cmd
pag_cmd /usr/share/gridengine/util/krb5sh
token_extend_time 0:60:0
The following files are needed to make it all work.
/usr/share/gridengine/util/get_token_cmd - This is run by qsub to capture the
token at submit time and is hardcoded into sge_security.c.
#!/bin/bash
# get_token_cmd - run by qsub on the submit host; writes the user's ticket
# cache (or the word "none" if there is none) base64-encoded to stdout
KRB5CCFILE=${KRB5CCNAME/FILE:/}
([ -r "${KRB5CCFILE}" ] && cat "${KRB5CCFILE}" || echo none) | base64
/usr/share/gridengine/util/krb5sh - This is run by sge_execd as a wrapper
around the job. It sets KRB5CCNAME and cleans up the ticket file after the job
completes.
#!/bin/bash
# krb5sh - run as "pag_cmd -c command": $1 is -c, $2 is the job command line.
# Gives the job a private Kerberos ticket cache and removes it afterwards.
export KRB5CCNAME=$(mktemp /tmp/krb5cc_sge_XXXXXX)
chcon -t user_tmp_t "$KRB5CCNAME"
# Strip the "exec " so this shell survives to clean up afterwards
${2/exec /}
status=$?
rm -f "$KRB5CCNAME"
exit $status
/usr/share/gridengine/util/set_token_cmd -
#!/bin/bash
# set_token_cmd - called with the user name and the seconds to extend the
# ticket; reads the base64-encoded ticket cache from stdin into the job's
# KRB5CCNAME and hands the file to the job owner
base64 -d > "$KRB5CCNAME"
chown "$1" "$KRB5CCNAME"
TODO
There is a coshepherd process started which should call the set_token_cmd to
renew the ticket. It should then call kinit -R.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane [email protected]
Boulder, CO 80301 http://www.nwra.com
_______________________________________________
users mailing list
[email protected]
https://gridengine.org/mailman/listinfo/users
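As an added example (not Orion's scripts and not part of SGE), here is a pag_cmd-style wrapper that covers the renewal TODO above: it gives the job a private ticket cache, runs a renewal command on a fixed interval for as long as the job runs, then stops the renewer, removes the cache and returns the job's exit status. The function name, the `--` separator and the pluggable renewal command are assumptions so the wrapper can be exercised without a KDC; in production the renewal command would be `kinit -R`, which only succeeds while the ticket's renewable lifetime (requested with `kinit -r` at acquisition) has not run out.

```bash
#!/bin/bash
# krb5_job_wrapper - constructed example, not SGE's own code.
# Usage: krb5_job_wrapper <interval_seconds> <renew_cmd> -- <command> [args...]
# The renewal command is a parameter (normally "kinit -R") so the wrapper can be
# tested without a KDC; the function name and "--" separator are assumptions.
krb5_job_wrapper() {
    local interval="$1" renew_cmd="$2"
    shift 2
    [ "$1" = "--" ] && shift
    # Private ticket cache per job; mktemp creates it mode 0600.
    local ccfile
    ccfile=$(mktemp /tmp/krb5cc_sge_XXXXXX) || return 1
    export KRB5CCNAME="FILE:$ccfile"
    # Background renewer: runs renew_cmd every $interval seconds until killed.
    # kinit -R can only extend a ticket within its renewable lifetime, so a
    # failure here is reported but does not abort the job.
    (
        while :; do
            sleep "$interval"
            $renew_cmd || echo "krb5_job_wrapper: ticket renewal failed" >&2
        done
    ) &
    local renewer=$!
    # Run the job itself with the cache in its environment.
    "$@"
    local status=$?
    # Stop renewing as soon as the job ends, then remove the cache.
    kill "$renewer" 2>/dev/null
    wait "$renewer" 2>/dev/null
    rm -f "$ccfile"
    return "$status"
}
```

The interval should be well below the ticket lifetime (for a ten-hour ticket, renewing hourly is plenty), and the cache must be owned by the job user, as set_token_cmd above arranges.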