[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Condor-users] writable access to a shared file system
- Date: Fri, 12 May 2006 16:45:38 -0500
- From: Jaime Frey <jfrey@xxxxxxxxxxx>
- Subject: Re: [Condor-users] writable access to a shared file system
On May 4, 2006, at 10:04 AM, Olga Kornievskaia wrote:
Erik Paulson wrote:
On Wed, May 03, 2006 at 05:34:14PM -0400, Olga Kornievskaia wrote:
Are there any plans to have a writable access to a shared file
(AFS or NFS)?
Administrator's manual, section 220.127.116.11 says: "Condor does not
currently have a way to authenticate itself to AFS. A solution is
ready for Version 6.7.18. This implies that you are probably not
to want to have the LOCAL_DIR for Condor on AFS."
The phrase "a solution is not ready" might imply that some
in works? Can somebody elaborate on this topic? Thanks.
At some point, Condor may provide a secure channel to transmit AFS
from the submit machine to the execute machine. We're not sure if
because most sites that have AFS also have another way to get an
For example, many sites run gssklog along with AFS, which lets you
an X509 certificate to get an AFS token. In that case, we could
delegate an X509 proxy to the job at the execute side, which could
turn around and get an AFS token.
We're more keen on going the gssklog path, because we already have
for delegating X509 certificates (and it's useful for situations
AFS as well.)
Better AFS support is not a feature planned for 6.8. The 6.7.18
is misleading, we've got nothing close to working yet. The reason it
says 6.7.18 is because it's a macro in the LaTeX source - when 6.7.19
comes out, the manual will automatically read "A solution is not
Sorry to disappoint,
Thank you for your explanation. I used AFS as an example so I'm not
disappointed. My actual goal is to have writable access to NFSv4.
I was wondering if you can point me to more info or elaborate about
for delegating X509 certificates" in Condor. I'm new to Condor and
submitting simple jobs (the ones provided in the example directory). I
can tell that
if the user doesn't have credentials, the job is not submitted.
it is hard to
verify that user credentials are used all the way to the execute node.
(A side note,
I have my Condor daemon use GSI authentication and in the logs I see:
"valid GSS connection established to /C=US/ST=Michigan/L=Ann Arbor/O=
University of Michigan/OU=CITI Production
(it's a DN of a Condor host). What I was hoping to see with
authentication is a similar message where Condor logs the DN of the
job it's running.)
Also, you mention a solution that uses gssklog. How does that work? I
must be missing
something but the way I understand it, in order for this to work,
application has to be
modified such that it runs gssklog (AFS tokens are process specific).
Condor doesn't say where it stores user's credentials, then I don't
how gssklog would
find user's credentials. Can you point me to some docs? I've read the
security parts of the
condor manuals and haven't encountered an explanation...
Expanding on what Erik said:
You use x509_user_proxy in the submit file to say where your gsi
credential is located. Condor ensures that the credential is
forwarded with the job and available for the job to use when it
executes. The credential is delegated rather than transferred when it
is forwarded across the network.
For non-grid universe jobs, Condor doesn't use the credential for
anything else. For grid universe jobs, Condor may use the credential
to authenticate with the remote job management service.
| Jaime Frey | I used to be a heavy gambler. |
| jfrey@xxxxxxxxxxx | But now I just make mental bets. |
| http://www.cs.wisc.edu/~jfrey/ | That's how I lost my mind. |