On 10/15/2012 05:05 AM, Dave Love wrote:
> Orion Poplawski <[email protected]> writes:
>
>>> That's what the "GSSAPI" mechanism does. If I recall correctly,
>>> invoking the hook in qsub does currently work.
>>
>> Not sure what you mean by GSSAPI here, guess I need to look at the
>> slides.
>
> <http://arc.liv.ac.uk/repos/darcs/sge/source/security/security.html#Enhanced%20Security%20Using%20Kerberos/DCE%20Authentication>

Thanks, I'll take a look.

>> But to reiterate, in afs mode the get_token_cmd script is run
>> and emits the token in some form to stdout. The qmaster then stores
>> this (in memory it seems, they get lost on qmaster restart). The
>> set_token_cmd script then receives the token from stdin on job
>> execution. It is also in token.afs in the job spool directory, owned
>> by (and only readable by) sgeadmin.
>
> I can't remember the details of how it works, but if you don't
> authenticate, then another job running on the host can use any
> credentials the one concerned can read, which is likely to give access
> to examine someone else's home directory. Without authenticating job
> submission there doesn't seem to be much point in using a Kerberized
> file system.

The token should be installed only readable by the owner of the job, so only
that user has access to those credentials.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane [email protected]
Boulder, CO 80301 http://www.nwra.com
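
One way to do the owner-only installation described in the message above, for a helper that receives the token on stdin. This is an added example, not part of the original message and not SGE's own code; the function names, the destination path and the assumption that the credential is stored in a file are all hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helpers for a set_token_cmd-style script.
# Function names and the destination path are assumptions, not SGE's own.

# install_token DEST: read a token from stdin and store it in DEST so that
# it is never readable by group/other, not even briefly during creation.
install_token() {
    dest=$1
    dir=$(dirname -- "$dest") || return 1
    (
        umask 077                               # anything created here is private
        tmp=$(mktemp "$dir/.token.XXXXXX") || exit 1
        # Fill the private temp file, refuse an empty token, then rename into
        # place so readers never see a partial or loosely-permissioned file.
        if cat > "$tmp" && [ -s "$tmp" ] && mv -f -- "$tmp" "$dest"; then
            exit 0
        fi
        rm -f -- "$tmp"
        exit 1
    )
}

# token_private FILE: succeed only if FILE is a regular file (not a symlink)
# owned by the current user with no group/other permission bits set.
token_private() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case $(ls -ld -- "$1") in
        -r[w-][x-]------*) return 0 ;;          # e.g. -rw------- or -r--------
        *) return 1 ;;
    esac
}
```

The helper must run as the job owner (or be followed by a chown done by a privileged wrapper) for the resulting file to be readable by that user alone.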