Hello Martin,

I use a simple script, afs_wrap_cron, (attached below)
for my crontab jobs which need AFS authentication.

It only authenticates once at the start of the crontab job
so I take care to have a long enough token lifetime for
the duration of the crontab job.

Also, since it uses a password stored in a local file,
one must take care about restricting access to the
machine on which the crontab job runs.

I hope this may be of some help to you.
paul                        http://acm.org/~mpb

Martin Gasthuber wrote:

> Hi,
>   we run AFS for a few years now and from day one we ran into the problem of
> letting cron jobs running on AFS files. Several years ago we installed a piece
> of software developed by CERN which submits the jobs (like cron) together with
> a vald AFS token (that's the good thing). This systems has some intrinsic
> scalability problems and we see more and more problems with it. Now the
> question: Did somebody has another solution for this type of problem ?? We
> thought about using a batch system like LSF which has the ability to
> re-getting a valid ticket at the time the job runs.
> Regards,
>   Martin
> --
> Martin Gasthuber -- DESY/Hamburg -- Head of Systems & Networks in IT
> snail Notkestrasse 85 22607 Hamburg/Germany
> e-mail [EMAIL PROTECTED] - fon/fax +49 40 [8998/8994] 2564
#!/usr/afsws/bin/pagsh # # $Header: /afs/linux.ibm.com/src/afs/@cell/scripts/afs_wrap_cron/RCS/afs_wrap_cron,v 1.3 2000/12/07 13:11:26 mpb Exp $ # # $Locked$ # # -------------------------------------------------------------------- # NAME afs_wrap_cron # AUTHOR Paul Blackburn <[EMAIL PROTECTED]> # PURPOSE Run an AFS authenticated cron (or similar) job. # Get a PAG, get the user's token, then exec user's command # HISTORY # mpb 27 Nov 2000 reworked to include command line switches # -------------------------------------------------------------------- # let's get defensive PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/afsws/bin:/usr/afsws/etc: IFS=" " unset ENV # Undo any aliases for commands used. # This is to avoid problems such as "ls" having unexpected format output unalias awk 2>/dev/null unalias cat 2>/dev/null unalias cat 2>/dev/null unalias chmod 2>/dev/null unalias cp 2>/dev/null unalias cut 2>/dev/null unalias date 2>/dev/null unalias df 2>/dev/null unalias grep 2>/dev/null unalias head 2>/dev/null unalias ls 2>/dev/null unalias mkdir 2>/dev/null unalias mv 2>/dev/null unalias ping 2>/dev/null unalias rm 2>/dev/null unalias rmmod 2>/dev/null unalias rsync 2>/dev/null unalias sed 2>/dev/null unalias sort 2>/dev/null unalias strings 2>/dev/null unalias tail 2>/dev/null unalias uname 2>/dev/null unalias whois 2>/dev/null # enough defensiveness already! cmd=$(basename ${0}) cmdline="${cmd} $*" # site configurable defaults follow ------------------------------------- [EMAIL PROTECTED] default_cellname=linux.ibm.com f=/usr/vice/etc/ThisCell if [ -s "${f}" ]; then default_cellname=$(cat ${f}) else echo "${cmd} fatal error: missing ${f}" >&2 exit 1 fi default_principal=${USER} # end site configurable defaults ---------------------------------------- # functions ------------------------------------------------------------- usage() { echo "${cmd}" echo echo "This command is used to run another command with AFS authentication." echo echo "${cmd} [options]" echo "where options are:" echo " -cell \${cellname} - specify AFS cell name" echo " (default is ${default_cellname})" echo " -principal \${principal} - specify AFS principal" echo " (default is ${default_principal})" echo " -pwfile \${pwfile} - file containing password" echo " -commandline \${commandline} - command to be executed" echo echo "Example:" echo "${cmd} -pr afsuser -cell cell.domain -pwfile /etc/security/pwf_afsuser" echo " -commandline "/usr/local/bin/daily_housekeeping -30"" echo echo "Security caution:" echo "Since this script uses a password stored in a file (\${pwfile})" echo "you must take care to restrict access to the contents of \${pwfile}." echo echo "It is recommended that \${pwfile} is a local file (not AFS)" echo "which is protected (chmod 700 \${pwfile}." echo echo "Also, take care about root access to this file and backup tapes." echo "You may choose to run ${cmd} on a restricted login machine. I do." echo echo "Please report bugs/suggestions/comments to: ${default_notify}" } fatal() { echo "${cmd} fatal: ${1}" >&2 exit 1 } error() { echo "${cmd} error: ${1}" >&2 } warning() { echo "${cmd} warning: ${1}" >&2 } tstamp() { echo "`date '+''%H''%M'':%S'` ${cmd}: ${1}" } doit() { tstamp "${1}" eval ${1} retcode=$? if [ ${retcode} != 0 ]; then error "\$?=${retcode}" fi } # main ------------------------------------------------------------------- # crack command line arguments while [ ! -z "${1}" ]; do case ${1} in -cell ) shift if [ -z "${1}" ]; then fatal "missing cell name" else cellname=${1} fi ;; -cell*) cell=$(echo ${1} | cut -c6-) ;; -principal | -pr ) shift if [ -z "${1}" ]; then fatal "missing principal name" else principal=${1} fi ;; -principal*) principal=$(echo ${1} | cut -c11-) ;; -pr*) principal=$(echo ${1} | cut -c4-) ;; -pwfile | -pwf ) shift if [ -z "${1}" ]; then fatal "missing password file name" else pwfile=${1} fi ;; -pwfile*) pwfile=$(echo ${1} | cut -c8-) ;; -pwf*) pwfile=$(echo ${1} | cut -c5-) ;; -commandline | -cmdl ) shift if [ -z "${1}" ]; then fatal "missing commandline to execute" else commandline=${1} fi ;; -commandline*) commandline=$(echo ${1} | cut -c13-) ;; -cmdl*) commandline=$(echo ${1} | cut -c6-) ;; -help | -? | -usage ) usage exit ;; *) warning "unknown command line argument: ${1}" usage exit 1 ;; esac shift done if [ -z "${cellname}" ]; then cellname=${default_cellname} fi if [ -z "${principal}" ]; then principal=${default_principal} fi if [ -z "${pwfile}" ]; then fatal "missing password file name" fi if [ ! -s "${pwfile}" ]; then fatal "empty (or nosuch) password file" fi if [ -z "${commandline}" ]; then fatal "missing command to execute" fi klog -principal ${principal} -cell ${cellname} -pipe < ${pwfile} command=$(echo ${commandline} | awk '{print $1}') type ${command} 2>&1 > /dev/null if [ $? != 0 ]; then fatal "not in PATH: ${command}" fi # syslog the command to be executed logger -i -t "${cmd}" "${commandline}" exec ${commandline}

Reply via email to