[Beowulf] Re: Kerberos + HPC
Perry E. Metzger perry at piermont.com
Wed Aug 13 10:09:34 PDT 2008
Dave Love <d.love at liverpool.ac.uk> writes:
> "Perry E. Metzger" <perry at piermont.com> writes:
>
>> So, you just run kinit in cron as the specified daemon user with the
>> appropriate flags and it will renew its own tickets and all is well.
>
> Who says you can even run kinit from cron if it was appropriate?
>
>> I'm not sure why people think this is all so mysterious. Can you
>> explain what is hard about this?
>
> That's just hand-waving. Hard things include how you integrate it with
> a distributed batch system, for a start.

Kerberos is already a distributed system. Machines at MIT have been
refreshing their server tickets for what, 20 years now? This is not
hard.

> Making it tolerably secure too.

That's why you use kerberos.

> I don't want all users to keep keytabs around everywhere
> (synchronized with password changes),

You don't need to do that. If the issue is a user process on a remote
machine that needs user rather than server credentials, you forward
tickets or design things so server credentials are good enough to get
the needed resources once things have started. You can re-forward
tickets as often as you want. There are large firms I know that run
this stuff in production and it really does work.

Perry
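The cron-driven refresh discussed in this message could look like the sketch below for a daemon account. This is an added example, not part of the original post: it assumes MIT Kerberos `kinit` (`-R`, `-k`, `-t`, `-c`), and the keytab path, principal, cache location and script name are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: cron-driven ticket refresh for a daemon account.
# All paths and the principal are placeholders, not values from the thread.
KINIT=${KINIT:-kinit}
KEYTAB=${KEYTAB:-/etc/batchd/batchd.keytab}          # hypothetical path
PRINCIPAL=${PRINCIPAL:-batchd/node01.example.org}    # hypothetical principal
CCACHE=${CCACHE:-FILE:/var/run/batchd/krb5cc}        # hypothetical cache

# Succeeds only if the keytab is a regular file with no group/other
# permission bits set (symlinks are rejected because ls -ld shows "l...").
keytab_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Prints "renewed", "reinitialized" or "failed"; non-zero status on failure.
refresh_tickets() {
    # Cheapest path first: renew the existing TGT (needs a renewable ticket).
    if "$KINIT" -R -c "$CCACHE" >/dev/null 2>&1; then
        echo renewed; return 0
    fi
    # Renewal window exhausted or no cache: fall back to the keytab,
    # but refuse to use one that other accounts could read.
    if ! keytab_is_private "$KEYTAB"; then
        echo failed; return 1
    fi
    if "$KINIT" -k -t "$KEYTAB" -c "$CCACHE" "$PRINCIPAL" >/dev/null 2>&1; then
        echo reinitialized; return 0
    fi
    echo failed; return 1
}

# Crontab entry for the daemon user (every 4 hours), calling this file:
#   0 */4 * * *  /usr/local/sbin/refresh-tickets.sh --run
if [ "${1:-}" = "--run" ]; then
    refresh_tickets >/dev/null || logger -t refresh-tickets "ticket refresh failed"
fi
```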
