[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] writable access to a shared file system

Erik Paulson wrote:

On Wed, May 03, 2006 at 05:34:14PM -0400, Olga Kornievskaia wrote:
Are there any plans to have a writable access to a shared file system (AFS or NFS)?

Administrator's manual, section says: "Condor does not currently have a way to authenticate itself to AFS. A solution is not ready for Version 6.7.18. This implies that you are probably not going to want to have the LOCAL_DIR for Condor on AFS."

The phrase "a solution is not ready" might imply that some solution is in works? Can somebody elaborate on this topic? Thanks.

At some point, Condor may provide a secure channel to transmit AFS tokens
from the submit machine to the execute machine. We're not sure if we will,
because most sites that have AFS also have another way to get an AFS token.
For example, many sites run gssklog along with AFS, which lets you present an X509 certificate to get an AFS token. In that case, we could delegate an X509 proxy to the job at the execute side, which could then turn around and get an AFS token.
We're more keen on going the gssklog path, because we already have support
for delegating X509 certificates (and it's useful for situations other than
AFS as well.)

Better AFS support is not a feature planned for 6.8. The 6.7.18 mention is misleading, we've got nothing close to working yet. The reason it
says 6.7.18 is because it's a macro in the LaTeX source - when 6.7.19
comes out, the manual will automatically read "A solution is not ready for 6.7.19"

Sorry to disappoint,
Thank you for your explanation. I used AFS as an example so I'm not
disappointed. My actual goal is to have writable access to NFSv4.

I was wondering if you can point me to more info or elaborate about the "support for delegating X509 certificates" in Condor. I'm new to Condor and I've been submitting simple jobs (the ones provided in the example directory). I can tell that if the user doesn't have credentials, the job is not submitted. However, it is hard to verify that user credentials are used all the way to the execute node. (A side note,
I have my Condor daemon use GSI authentication and in the logs I see:
"valid GSS connection established to /C=US/ST=Michigan/L=Ann Arbor/O=
University of Michigan/OU=CITI Production KCA/CN=condor/llnl1.citi.umich.edu" (it's a DN of a Condor host). What I was hoping to see with regards to user authentication is a similar message where Condor logs the DN of the user who's
job it's running.)

Also, you mention a solution that uses gssklog. How does that work? I must be missing something but the way I understand it, in order for this to work, every application has to be modified such that it runs gssklog (AFS tokens are process specific). Furthermore, since Condor doesn't say where it stores user's credentials, then I don't see how gssklog would find user's credentials. Can you point me to some docs? I've read the security parts of the
condor manuals and haven't encountered an explanation...