I've built the gss utils with 'aimk -gss' and am testing with
security_mode set to kerberos.
   In my first attempt I tried to make use of gssproxy to store the
sge/qmaster principal, but unfortunately it appears that gssproxy is too old
on EL7 to handle storing the delegated credential for us:

put_cred stderr: GSS-API error copying delegated creds to ccache: The
operation or option is not available or unsuppo

    Next attempt was to set:

KRB5_KTNAME=FILE:/var/spool/gridengine/sge.keytab

in the environment of the daemons and store the sge/host principals there.
This avoids needing to run qmaster as root to access /etc/krb5.keytab.  Need a
sge service principal for the qmaster and each of the exec hosts, which seems
appropriate.

   Another issue I ran into is that I'm running in an IPA/Active Directory
trust setup where the users are stored in the AD domain, and the hosts are in
the IPA domain.  Therefore the code in gsslib_put_credentials that was using
gss_compare_name() to compare users ended up comparing "orion" to
"or...@ad.nwra.com".  I changed that to also try using gss_localname() to
convert the client principal to a local username and comparing that.

   Also, the later code that called krb5_kuserok() segfaulted because it was
erroneously casting gss_name_t to krb5_principal.  I've started work changing
that to do the conversion properly but as of now that is untested.

  There are also a bunch of memory leaks in this code that probably should be
cleaned up, although at the moment this is all run in short-lived executables.

  Finally, I needed to tweak my peopen() patch to run put_cred and delete_cred
as root on the exec hosts since they need to change the ownership and remove
files of the user running the job.

  At least for a simple test case, this appears to be working now for me, so
I'm fairly pleased.  Next issue I expect to face is renewing and expiring user
credentials for long running jobs.

-- 
Orion Poplawski
Technical Manager                          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                   http://www.nwra.com
_______________________________________________
SGE-discuss mailing list
SGE-discuss@liv.ac.uk
https://arc.liv.ac.uk/mailman/listinfo/sge-discuss