
Re: [Condor-users] writable access to a shared file system

Erik Paulson wrote:

On Wed, May 03, 2006 at 05:34:14PM -0400, Olga Kornievskaia wrote:
Are there any plans to have a writable access to a shared file system (AFS or NFS)?

Administrator's manual, section 3.2.2.7 says: "Condor does not currently have a way to authenticate itself to AFS. A solution is not ready for Version 6.7.18. This implies that you are probably not going to want to have the LOCAL_DIR for Condor on AFS."

The phrase "a solution is not ready" might imply that some solution is in the works? Can somebody elaborate on this topic? Thanks.

At some point, Condor may provide a secure channel to transmit AFS tokens
from the submit machine to the execute machine. We're not sure if we will,
because most sites that have AFS also have another way to get an AFS token.
For example, many sites run gssklog along with AFS, which lets you present an X509 certificate to get an AFS token. In that case, we could delegate an X509 proxy to the job at the execute side, which could then turn around and get an AFS token.
We're more keen on going the gssklog path, because we already have support
for delegating X509 certificates (and it's useful for situations other than
AFS as well.)

Better AFS support is not a feature planned for 6.8. The 6.7.18 mention is misleading; we've got nothing close to working yet. The reason it
says 6.7.18 is because it's a macro in the LaTeX source - when 6.7.19
comes out, the manual will automatically read "A solution is not ready for 6.7.19".

Sorry to disappoint,

Thank you for your explanation. I used AFS as an example so I'm not
disappointed. My actual goal is to have writable access to NFSv4.

I was wondering if you can point me to more info or elaborate about the "support for delegating X509 certificates" in Condor. I'm new to Condor and I've been submitting simple jobs (the ones provided in the example directory). I can tell that if the user doesn't have credentials, the job is not submitted. However, it is hard to verify that user credentials are used all the way to the execute node. (A side note:
I have my Condor daemon use GSI authentication and in the logs I see:
"valid GSS connection established to /C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=CITI Production KCA/CN=condor/llnl1.citi.umich.edu" (it's a DN of a Condor host). What I was hoping to see with regards to user authentication is a similar message where Condor logs the DN of the user whose
job it's running.)

Also, you mention a solution that uses gssklog. How does that work? I must be missing something, but the way I understand it, in order for this to work, every application has to be modified such that it runs gssklog (AFS tokens are process specific). Furthermore, since Condor doesn't say where it stores the user's credentials, I don't see how gssklog would find the user's credentials. Can you point me to some docs? I've read the security parts of the
Condor manuals and haven't encountered an explanation...
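The question above is really a verification problem: the daemon log proves that a host certificate authenticated, but not that the submitting user's identity travelled to the execute node. The script below is an added example written for this thread, not code from Condor or from either poster. It parses constructed log lines modelled on the one quoted above (the host DN is the one from the thread; the person DN and timestamps are made up), splits each DN into its components without breaking on the slash inside CN=condor/<fqdn>, and separates host identities from user identities. The only assumption is the one the thread itself suggests: at this site, daemon certificates carry CN=condor/<hostname>, so any other CN is treated as a person.

```python
import re

# Constructed sample log, modelled on the single line quoted in the thread.
# HOST_DN is the daemon DN from the thread; USER_DN and the timestamps are made up.
HOST_DN = ("/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan"
           "/OU=CITI Production KCA/CN=condor/llnl1.citi.umich.edu")
USER_DN = ("/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan"
           "/OU=CITI Production KCA/CN=Example User")
SAMPLE_LOG = "\n".join([
    "05/03/06 17:40:01 valid GSS connection established to " + HOST_DN,
    "05/03/06 17:40:02 unrelated daemon chatter",
    "05/03/06 17:40:03 valid GSS connection established to " + USER_DN,
])

MARKER = "valid GSS connection established to "


def parse_dn(dn):
    """Split an OpenSSL-style DN into (attribute, value) pairs.

    Splitting only before 'TYPE=' keeps a slash that sits inside a value,
    such as the one in CN=condor/llnl1..., attached to that value.
    """
    parts = [p for p in re.split(r"/(?=[A-Za-z]+=)", dn) if p]
    return [tuple(p.split("=", 1)) for p in parts]


def extract_dns(log_text):
    """Return every DN the daemon reported a valid GSS connection to."""
    dns = []
    for line in log_text.splitlines():
        if MARKER in line:
            dns.append(line.split(MARKER, 1)[1].strip())
    return dns


def is_host_dn(dn):
    """Assumption taken from the thread's example: daemon certificates at
    this site carry CN=condor/<fqdn>; any other CN is treated as a person."""
    cn = dict(parse_dn(dn)).get("CN", "")
    return cn.startswith("condor/")


def classify(log_text):
    """Group authenticated DNs into host identities and user identities."""
    result = {"host": [], "user": []}
    for dn in extract_dns(log_text):
        result["host" if is_host_dn(dn) else "user"].append(dn)
    return result


def user_authenticated(log_text, expected_dn):
    """True only if a non-host DN equal to expected_dn authenticated.

    A host DN never satisfies this check, which is exactly the gap the
    thread describes: seeing the daemon's DN says nothing about the user.
    """
    return expected_dn in classify(log_text)["user"]


if __name__ == "__main__":
    summary = classify(SAMPLE_LOG)
    for kind, dns in summary.items():
        for dn in dns:
            print(f"{kind:4s} {dn}")
```

Run against a real daemon log in place of SAMPLE_LOG, an empty "user" list alongside a populated "host" list is the signature of the situation described above: the daemons authenticated each other, but no user identity was ever presented on that channel.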