[gridengine users] SGE with KRB5

Dave Love d.love at liverpool.ac.uk
Mon Oct 15 11:05:10 UTC 2012


Orion Poplawski <orion at cora.nwra.com> writes:

>> That's what the "GSSAPI" mechanism does.  If I recall correctly,
>> invoking the hook in qsub does currently work.
>
> Not sure what you mean by GSSAPI here, guess I need to look at the
> slides.

<http://arc.liv.ac.uk/repos/darcs/sge/source/security/security.html#Enhanced%20Security%20Using%20Kerberos/DCE%20Authentication>

> But to reiterate, in afs mode the get_token_cmd script is run
> and emits the token in some form to stdout.  The qmaster then stores
> this (in memory it seems, they get lost on qmaster restart).  The
> set_token_cmd script then receives the token from stdin on job
> execution.  It is also in token.afs in the job spool directory, owned
> by (and only readable by) sgeadmin.

I can't remember the details of how it works, but if you don't
authenticate, then another job running on the host can use any
credentials the one concerned can read, which is likely to give access
to examine someone else's home directory.  Without authenticating job
submission there doesn't seem to be much point in using a Kerberized
file system.

-- 
Community Grid Engine:  http://arc.liv.ac.uk/SGE/


