[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] writable access to a shared file system

On May 4, 2006, at 10:04 AM, Olga Kornievskaia wrote:

Erik Paulson wrote:

On Wed, May 03, 2006 at 05:34:14PM -0400, Olga Kornievskaia wrote:

Are there any plans to have a writable access to a shared file system
(AFS or NFS)?

Administrator's manual, section says:  "Condor does not
currently have a way to authenticate itself to AFS. A solution is not ready for Version 6.7.18. This implies that you are probably not going
to want to have the LOCAL_DIR  for Condor on AFS."

The phrase "a solution is not ready" might imply that some solution is
in works? Can somebody elaborate on this topic? Thanks.

At some point, Condor may provide a secure channel to transmit AFS tokens from the submit machine to the execute machine. We're not sure if we will, because most sites that have AFS also have another way to get an AFS token. For example, many sites run gssklog along with AFS, which lets you present
an X509 certificate to get an AFS token. In that case, we could
delegate an X509 proxy to the job at the execute side, which could then
turn around and get an AFS token.

We're more keen on going the gssklog path, because we already have support for delegating X509 certificates (and it's useful for situations other than
AFS as well.)

Better AFS support is not a feature planned for 6.8. The 6.7.18 mention
is misleading, we've got nothing close to working yet. The reason it
says 6.7.18 is because it's a macro in the LaTeX source - when 6.7.19
comes out, the manual will automatically read "A solution is not ready
for 6.7.19"

Sorry to disappoint,

Thank you for your explanation. I used AFS as an example so I'm not
disappointed. My actual goal is to have writable access to NFSv4.

I was wondering if you can point me to more info or elaborate about the
for delegating X509 certificates" in Condor. I'm new to Condor and I've
submitting simple jobs (the ones provided in the example directory). I
can tell that
if the user doesn't have credentials, the job is not submitted. However,
it is hard to
verify that user credentials are used all the way to the execute node.
(A side note,
I have my Condor daemon use GSI authentication and in the logs I see:
"valid GSS connection established to /C=US/ST=Michigan/L=Ann Arbor/O=
University of Michigan/OU=CITI Production
(it's a DN of a Condor host). What I was hoping to see with regards to
authentication is a similar message where Condor logs the DN of the user
job it's running.)

Also, you mention a solution that uses gssklog. How does that work? I
must be missing
something but the way I understand it, in order for this to work, every
application has to be
modified such that it runs gssklog (AFS tokens are process specific).
Furthermore, since
Condor doesn't say where it stores user's credentials, then I don't see
how gssklog would
find user's credentials. Can you point me to some docs? I've read the
security parts of the
condor manuals and haven't encountered an explanation...

Expanding on what Erik said:

You use x509_user_proxy in the submit file to say where your gsi credential is located. Condor ensures that the credential is forwarded with the job and available for the job to use when it executes. The credential is delegated rather than transferred when it is forwarded across the network.

For non-grid universe jobs, Condor doesn't use the credential for anything else. For grid universe jobs, Condor may use the credential to authenticate with the remote job management service.

|           Jaime Frey           | I used to be a heavy gambler.     |
|       jfrey@xxxxxxxxxxx        | But now I just make mental bets.  |
| http://www.cs.wisc.edu/~jfrey/ | That's how I lost my mind.        |