
Re: [HTCondor-users] dirty AFS hook stuff?



On Sun, Nov 10, 2013 at 07:02:22PM +0100, Pek Daniel wrote:
> Thanks for your answers.
> 
> Yes Rich, we definitely need a secure solution, so this one won't work
> out. But also, we definitely need AFS too.
> 
> I see two possibilities: working around this limitation somehow by
> scripting and hooking around - if it's possible at all.

FYI, it is possible.

DISCLAIMER:  Again, I do not recommend doing this with your actual credentials,
and suggest creating and using a separate principal for use with HTCondor.  But
once you have a principal you like, you can do this:

In the submit file (exact path may vary, look at $KRB5CCNAME)

  transfer_input_files = /var/adm/krb5/tmp/tkt/krb5cc_24842_X7me3D
  encrypt_input_files = krb5cc_24842_X7me3D

You'll definitely want to make sure there is authentication enabled for
HTCondor daemon-to-daemon communication.

Then, you can have a wrapper script for your job that does:

  export KRB5CCNAME="FILE:$(pwd)/krb5cc_24842_X7me3D"
  aklog

and you will now have AFS tokens.

To make this more user-friendly, you'd want some extra magic that discovers
the actual name of the credential cache so you wouldn't need to hard code the
"X7me3D" portion of the filename.  But this is proof that it works.


Cheers,
-zach
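
The "extra magic" mentioned in the message above, sketched as an added example that is not part of the original post or of HTCondor: a submit-side helper that derives the two submit-file lines from $KRB5CCNAME, and an execute-side wrapper that locates the transferred cache without a hard-coded suffix. The function names are hypothetical, and it assumes a FILE: credential cache and that aklog and unlog are on the execute node's PATH.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not HTCondor or OpenAFS APIs.

# Submit side: turn $KRB5CCNAME into the two submit-file lines from the post.
# Only FILE: caches (or bare paths) can be transferred as a file.
ccache_submit_lines() {
    cc=${1:-$KRB5CCNAME}
    case $cc in
        FILE:*) cc=${cc#FILE:} ;;
        *:*)    echo "unsupported ccache type: $cc" >&2; return 1 ;;
    esac
    [ -f "$cc" ] || { echo "no such ccache file: $cc" >&2; return 1; }
    printf 'transfer_input_files = %s\n' "$cc"
    printf 'encrypt_input_files = %s\n' "$(basename "$cc")"
}

# Execute side: find the single transferred krb5cc_* file in a directory.
# Fails on zero or several matches, and ignores symlinks.
find_ccache() {
    dir=${1:-$(pwd)}
    found=
    for f in "$dir"/krb5cc_*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        [ -z "$found" ] || { echo "multiple ccache files in $dir" >&2; return 1; }
        found=$f
    done
    [ -n "$found" ] || { echo "no ccache file in $dir" >&2; return 1; }
    printf '%s\n' "$found"
}

# Wrapper body: get AFS tokens, run the job, then drop the tokens and the
# ticket copy so they do not outlive the job (a choice made for this example).
run_with_afs() {
    cc=$(find_ccache "$(pwd)") || return 1
    chmod 600 "$cc"
    KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
    aklog || return 1
    "$@"; rc=$?
    unlog; rm -f "$cc"
    return $rc
}

# Used as the job wrapper: wrapper.sh real_job args...
if [ "$#" -gt 0 ]; then run_with_afs "$@"; fi
```

Refusing to guess when several krb5cc_* files are present keeps the job from silently picking up a cache other than the one the submit file transferred.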