Re: [Condor-users] writable access to a shared file system
- Date: Thu, 04 May 2006 11:04:47 -0400
- From: Olga Kornievskaia <aglo@xxxxxxxxxxxxxx>
- Subject: Re: [Condor-users] writable access to a shared file system
Erik Paulson wrote:
> On Wed, May 03, 2006 at 05:34:14PM -0400, Olga Kornievskaia wrote:
>> Are there any plans to have a writable access to a shared file system
>> (AFS or NFS)?
>>
>> Administrator's manual, section 18.104.22.168 says: "Condor does not
>> currently have a way to authenticate itself to AFS. A solution is not
>> ready for Version 6.7.18. This implies that you are probably not going
>> to want to have the LOCAL_DIR for Condor on AFS."
>>
>> The phrase "a solution is not ready" might imply that some solution is
>> in works? Can somebody elaborate on this topic? Thanks.
>
> At some point, Condor may provide a secure channel to transmit AFS tokens
> from the submit machine to the execute machine. We're not sure if we will,
> because most sites that have AFS also have another way to get an AFS token.
> For example, many sites run gssklog along with AFS, which lets you present
> an X509 certificate to get an AFS token. In that case, we could
> delegate an X509 proxy to the job at the execute side, which could then
> turn around and get an AFS token.
>
> We're more keen on going the gssklog path, because we already have support
> for delegating X509 certificates (and it's useful for situations other than
> AFS as well.)
>
> Better AFS support is not a feature planned for 6.8. The 6.7.18 mention
> is misleading, we've got nothing close to working yet. The reason it
> says 6.7.18 is because it's a macro in the LaTeX source - when 6.7.19
> comes out, the manual will automatically read "A solution is not ready
>
> Sorry to disappoint,

Thank you for your explanation. I used AFS as an example so I'm not
disappointed. My actual goal is to have writable access to NFSv4.
I was wondering if you can point me to more info or elaborate about the
for delegating X509 certificates" in Condor. I'm new to Condor and I've
submitting simple jobs (the ones provided in the example directory). I can
tell that if the user doesn't have credentials, the job is not submitted.
However, it is hard to verify that user credentials are used all the way to
the execute node. (A side note, I have my Condor daemon use GSI
authentication and in the logs I see:
"valid GSS connection established to /C=US/ST=Michigan/L=Ann Arbor/O=
University of Michigan/OU=CITI Production
(it's a DN of a Condor host). What I was hoping to see with regards to
authentication is a similar message where Condor logs the DN of the user
job it's running.)
Also, you mention a solution that uses gssklog. How does that work? I must
be missing something, but the way I understand it, in order for this to
work, every application has to be modified such that it runs gssklog (AFS
tokens are process specific). Condor doesn't say where it stores the user's
credentials, then I don't see how gssklog would find the user's credentials.
Can you point me to some docs? I've read the security parts of the Condor
manuals and haven't encountered an explanation...
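
Added example (not part of the original message and not Condor project code): a job-side wrapper that reports whether a delegated X.509 proxy reached the execute node, whether its file is private to the job's user, and which subject DN it carries. It assumes the job is submitted with the `x509userproxy` submit command and that the starter exports `X509_USER_PROXY` to the job; the script name, output file and proxy path are placeholders.

```shell
#!/bin/sh
# Job-side check: is a delegated X.509 proxy present, private and unexpired?
# Assumed submit description lines (names and paths are placeholders):
#   executable    = check_proxy.sh
#   arguments     = check
#   x509userproxy = /path/to/user/proxy
#   output        = check_proxy.out
# Assumption: the starter exports X509_USER_PROXY to the job environment.

check_job_proxy() {
    proxy="${X509_USER_PROXY:-}"
    if [ -z "$proxy" ] || [ ! -r "$proxy" ]; then
        echo "no readable proxy: X509_USER_PROXY='${proxy}'" >&2
        return 1
    fi
    # The proxy file also holds the private key, so it must be owned by the
    # job's user and carry no group/other permission bits.
    mode=$(ls -ld "$proxy" | cut -c5-10)
    if [ ! -O "$proxy" ] || [ "$mode" != "------" ]; then
        echo "proxy $proxy has unsafe ownership or mode" >&2
        return 2
    fi
    # The first certificate in the file is the proxy certificate; its subject
    # is the user's DN plus a proxy CN component.
    if ! openssl x509 -in "$proxy" -noout -checkend 0 >/dev/null 2>&1; then
        echo "proxy $proxy is expired or not a parsable certificate" >&2
        return 3
    fi
    echo "host=$(hostname) uid=$(id -u)"
    openssl x509 -in "$proxy" -noout -subject -enddate
}

# Run the check only when invoked as the job ("arguments = check" above).
if [ "${1:-}" = "check" ]; then
    check_job_proxy
    exit $?
fi
```

The job's output file then records the execute host, the UID the job ran under, and the proxy subject, which can be compared with the DN used at submit time.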