[torquedev] patch to add gssapi/krb5 support to Torque

Garrick Staples garrick at clusterresources.com
Fri Jul 7 13:52:19 MDT 2006


On Fri, Jul 07, 2006 at 03:57:51PM -0400, Alex Rolfe alleged:
> I've added a first pass of gssapi/krb5 support to torque.  This lets
> users run jobs that access AFS and also use gssapi-authenticated scp.
> The patch forwards a user's credentials along with the job to the server
> and then to the mom.  It does not authenticate the server to the mom or
> vice-versa.
> 
> The patch against 2.1.0p0 is at
>   http://people.csail.mit.edu/arolfe/torque/2.1.0p0_to_torquekrb.patch
> a patch against 2.1.1 at
>   http://cs.stanford.edu/people/miles/torque-gssapi/torque-2.1.1-gssapi.patch
> if that's helpful.
> 
> What do I need to do to get this patch into the source tree?  I've been
> running it for over a month and it seems to work, but I'm sure I haven't
> exercised the gssapi parts fully against all of torque's functionality.
> There are also some rough edges that could use further work to make the
> credentials renewal more robust.
> 
> Suggestions or comments are certainly welcome since this is my first
> work with the torque source.

This is an impressive contribution!  I'm reading over the patch now.

This will completely replace the ruserok() stuff?  Including data
stageout with scp/mom_rcp?

The patch seems to diff a pristine 2.1.1 tarball with a modified FE5
source?  I see the extra bits that I put into the FE5 rpm.  I'll clean
that up and make a gssapi branch in TORQUE's subversion repo.

I have a few quick initial thoughts...

Let's get rid of the cronjobs.  pbs_server has an internal scheduling
mechanism that can call functions at requested times, and we can add a
check in pbs_mom's main loop?

With creds and principals added to the connection struct, I wonder if it
would make sense to make those linked lists.  Perhaps one day we'll want
to support other kinds of credentials?  kx509 certs?  ssh passphrases?
Maybe a pointer to a generic cred struct so we can plug in future
security mechanisms?

Is TM supported?  Do creds get forwarded to sister MOMs?

PAM support?  Would it make sense to move the authn/authz down to PAM?

All client connections would require kerb princs?  This will complicate
everyone's homegrown queue status CGIs?  What about globus?
