Orion Poplawski <[email protected]> writes:

>> That's what the "GSSAPI" mechanism does. If I recall correctly,
>> invoking the hook in qsub does currently work.
>
> Not sure what you mean by GSSAPI here, guess I need to look at the
> slides.

<http://arc.liv.ac.uk/repos/darcs/sge/source/security/security.html#Enhanced%20Security%20Using%20Kerberos/DCE%20Authentication>

> But to reiterate, in afs mode the get_token_cmd script is run
> and emits the token in some form to stdout. The qmaster then stores
> this (in memory it seems, they get lost on qmaster restart). The
> set_token_cmd script then receives the token from stdin on job
> execution. It is also in token.afs in the job spool directory, owned
> by (and only readable by) sgeadmin.

I can't remember the details of how it works, but if you don't
authenticate, then another job running on the host can use any
credentials the one concerned can read, which is likely to give access
to examine someone else's home directory. Without authenticating job
submission there doesn't seem to be much point in using a Kerberized
file system.

-- 
Community Grid Engine: http://arc.liv.ac.uk/SGE/
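The thread notes that the token is kept in token.afs in the job spool directory, readable only by the admin account, and that any credentials another job can read are usable by it. The following check is an added example, not part of the original message or of Grid Engine itself: it walks a spool tree and reports token.afs files with the wrong owner or with group/other permission bits set. The spool root, the admin uid and the directory layout in `demo()` are assumptions supplied by the reader or constructed for the demonstration.

```python
import os
import stat
import tempfile

TOKEN_NAME = "token.afs"  # file name taken from the message above


def audit_token_files(spool_root, admin_uid):
    """Return (path, problem) pairs for token files under spool_root that are
    not owned by admin_uid or that grant any access to group/other."""
    findings = []
    for dirpath, _dirs, files in os.walk(spool_root):
        if TOKEN_NAME not in files:
            continue
        path = os.path.join(dirpath, TOKEN_NAME)
        st = os.lstat(path)  # lstat: report a symlink instead of following it
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
            continue
        if st.st_uid != admin_uid:
            findings.append(
                (path, "owner uid %d, expected %d" % (st.st_uid, admin_uid)))
        extra = stat.S_IMODE(st.st_mode) & 0o077  # any group/other bit
        if extra:
            findings.append((path, "group/other bits set: %03o" % extra))
    return findings


def demo():
    """Build a constructed spool tree (layout is hypothetical) and audit it,
    treating the current user as the admin account."""
    root = tempfile.mkdtemp(prefix="spool-demo-")
    for job, mode in (("job_1", 0o600), ("job_2", 0o644)):
        jobdir = os.path.join(root, job)
        os.makedirs(jobdir)
        path = os.path.join(jobdir, TOKEN_NAME)
        with open(path, "w") as fh:
            fh.write("constructed-placeholder-token\n")
        os.chmod(path, mode)  # set the exact mode regardless of umask
    return root, audit_token_files(root, os.getuid())


if __name__ == "__main__":
    _root, results = demo()
    for path, problem in results:
        print(path, "->", problem)
```

On a real host, pass the execution daemon's spool directory and the numeric uid of the admin account instead of the constructed values.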
