[Beowulf] Re: Linux cluster authenticating against multiple Active Directory domains
tortay at cc.in2p3.fr
Wed Aug 13 07:20:37 PDT 2008
Perry E. Metzger wrote:
> Maybe some sort of strange myth has been going by so long on this that
> people refuse to believe that the ticket refresh is a single easy
The "myth" is the ability to automatically get a Kerberos ticket on any
node in a cluster *especially* for the nodes on which you can neither
login nor run cron jobs to renew tickets (which is ugly and likely to be
non practical and/or insecure in any but the most simple environment
That's the point of "kstart" and similar tools, as well as specific
modifications/extensions to batch queueing systems used where a Kerberos
ticket is required for jobs (including many HEP sites): *transparently*
get and renew Kerberos tickets (for the local realm) on *any* node in
the cluster without the need to ever enter a password on the computing
nodes. The tickets are discarded when the process/job ends (unlike the
"kinit" in a cron job thingy).
The version of LSF used at CERN is modified to be able to renew and
transmit Kerberos tickets in CERN's realm as long as needed (queue time
+ execution time). AFAIK this is a (non free) extra feature developed
by Platform Computing.
If I'm not mistaken, the same (also paid for) LSF modification is used
at SLAC and BNL. As someone mentioned, DESY (the German HEP
organisation) has something similar for SGE, as we (the French HEP
organisation) do for our own batch system and others certainly have
Everyday use case example: the user job runs a program binary stored in
CERN's AFS cell with input data in our AFS cell and writes its output in
BNL's AFS cell (Kerberos tickets for at least two realms/cells required).
This is the way things have been routinely going on in the HEP world
(where people usually read manuals) during the last decade or so.
| Loïc Tortay <tortay at cc.in2p3.fr> - IN2P3 Computing Centre |
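An added illustration (not part of the post, nor kstart or any site's batch glue) of the pattern the reply describes: a job gets its own Kerberos credential cache on the compute node, the ticket is kept renewed while the job runs, and the cache is destroyed when the job ends rather than lingering like a cron-driven kinit. It assumes the initial ticket comes from a keytab on the node (the post does not say how kstart obtains it); `KINIT`, `KDESTROY` and `RENEW_INTERVAL` are hypothetical overrides so the wrapper can be exercised without a KDC.

```shell
#!/bin/sh
# Per-job Kerberos credential handling for a batch wrapper (added example).
# Assumes a keytab for the job principal is readable on the node.
# KINIT/KDESTROY can be pointed at stubs for testing; defaults are the MIT tools.
KINIT="${KINIT:-kinit}"
KDESTROY="${KDESTROY:-kdestroy}"
RENEW_INTERVAL="${RENEW_INTERVAL:-600}"   # seconds between "kinit -R" renewals

# One cache per (uid, job id): concurrent jobs of a user never share tickets,
# and the cache name is predictable for cleanup by the scheduler if needed.
job_ccache() {
    printf 'FILE:/tmp/krb5cc_%s_job%s\n' "$(id -u)" "$1"
}

# Usage: run_with_ticket JOBID PRINCIPAL KEYTAB COMMAND [ARGS...]
# Returns the job's exit status; the cache is gone by the time it returns.
run_with_ticket() {
    jobid=$1; princ=$2; keytab=$3; shift 3
    KRB5CCNAME=$(job_ccache "$jobid"); export KRB5CCNAME
    # Initial ticket from the keytab: nobody types a password on the node.
    "$KINIT" -k -t "$keytab" "$princ" || return 1
    # Renewal loop in the background for as long as the job lives
    # (the ticket must have been issued renewable for "kinit -R" to work).
    ( while sleep "$RENEW_INTERVAL"; do "$KINIT" -R || exit 1; done ) &
    renew_pid=$!
    # Whatever happens to the job, the cache dies with it.
    trap 'kill "$renew_pid" 2>/dev/null; "$KDESTROY" -c "$KRB5CCNAME" 2>/dev/null' EXIT INT TERM
    "$@"
    rc=$?
    kill "$renew_pid" 2>/dev/null
    "$KDESTROY" -c "$KRB5CCNAME" 2>/dev/null
    trap - EXIT INT TERM
    return "$rc"
}
```

With real tools, AFS tokens for the cells the job touches would be obtained right after the initial kinit and on each renewal (what k5start's aklog hook does), and the wrapper would be invoked by the queueing system's job starter rather than by the user.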