[torquedev] patch to add gssapi/krb5 support to Torque
Garrick Staples
garrick at clusterresources.com
Fri Jul 7 13:52:19 MDT 2006
On Fri, Jul 07, 2006 at 03:57:51PM -0400, Alex Rolfe alleged:
> I've added a first pass of gssapi/krb5 support to torque. This lets
> users run jobs that access AFS and also use gssapi-authenticated scp.
> The patch forwards a user's credentials along with the job to the server
> and then to the mom. It does not authenticate the server to the mom or
> vice-versa.
>
> The patch against 2.1.0p0 is at
> http://people.csail.mit.edu/arolfe/torque/2.1.0p0_to_torquekrb.patch
> a patch against 2.1.1 at
> http://cs.stanford.edu/people/miles/torque-gssapi/torque-2.1.1-gssapi.patch
> if that's helpful.
>
> What do I need to do to get this patch into the source tree? I've been
> running it for over a month and it seems to work, but I'm sure I haven't
> exercised the gssapi parts fully against all of torque's functionality.
> There are also some rough edges that could use further work to make the
> credentials renewal more robust.
>
> Suggestions or comments are certainly welcome since this is my first
> work with the torque source.
This is an impressive contribution! I'm reading over the patch now.

This will completely replace the ruserok() stuff? Including data
stageout with scp/mom_rcp?

The patch seems to diff a pristine 2.1.1 tarball with a modified FE5
source? I see the extra bits that I put into the FE5 rpm. I'll clean
that up and make a gssapi branch in TORQUE's subversion repo.

I have a few quick initial thoughts...

Let's get rid of the cronjobs. pbs_server has an internal scheduling
mechanism that can call functions at requested times, and we can add a
check in pbs_mom's main loop?

With creds and principals added to the connection struct, I wonder if it
would make sense to make those linked lists. Perhaps one day we'll want
to support other kinds of credentials? kx509 certs? ssh passphrases?
Maybe a pointer to a generic cred struct so we can plug in future
security mechanisms?

Is TM supported? Do creds get forwarded to sister MOMs?

PAM support? Would it make sense to move the authn/authz down to PAM?

All client connections would require kerb princs? This will complicate
everyone's homegrown queue status CGIs? What about globus?