Dave Love <[EMAIL PROTECTED]> writes:
> "Perry E. Metzger" <[EMAIL PROTECTED]> writes:
>> I keep seeing these messages go by over and over making it sound like
>> this is difficult. It is not difficult. I've seen people say "I have
>> seen no document with a recipe for how to do it", perhaps because a
>> single kinit command in a cron job is too simple for a HOWTO.
>
> How about commenting on the DESY paper I linked to and pointing out
> exactly how they were wasting their time?

I didn't see that link. Please re-forward it.

>> Maybe some sort of strange myth has been going by so long on this
>> that people refuse to believe that the ticket refresh is a single
>> easy command?
>
> Because it simply isn't, in the context of typical Beowulf batch
> systems, especially if you're not going to pretty well chuck out the
> Kerberos security model. (Those of us who've contributed to a Kerberos
> implementation -- particularly the documentation -- know all about
> kinit, obviously.)

Maybe I'm not getting the problem domain here. There are, as I see it,
two contexts in which you want kerberos tickets: you want to
authenticate access to compute nodes, in which case the remote server
is doing nothing that kerberized services haven't done for 20 years to
get its tickets, and you may need user credentials to get resources
for the user process once it is running on the cluster node.

The latter isn't an issue in the average cluster which runs on a
segregated network and isn't trying to mount the user's home file
system or what have you.

If it were a real issue, I would give the user a new instance just for
remote jobs so that you could restrict the permissions for that
particular instance down to what was absolutely needed, and forward
the tickets at intervals from his trusted machine to the compute
nodes. This is, after all, more or less what forwarding credentials
were made for.

--
Perry E. Metzger [EMAIL PROTECTED]
