[torqueusers] kerberos tickets

Garrick garrick at usc.edu
Mon Jun 7 14:03:12 MDT 2010


That patch only has one conflicting chunk with current trunk that you  
can probably resolve faster than I can.

HPCC/Linux Systems Admin

On Jun 7, 2010, at 12:43 PM, Alex Rolfe <arolfe at MIT.EDU> wrote:

> Garrick Staples <garrick at usc.edu> writes:
>> On Thu, Jun 03, 2010 at 11:46:13AM +1000, Christopher Samuel alleged:
>>> On 03/06/10 00:42, Andreas Davour wrote:
>>>
>>>> I wonder if someone here have set up torque to forward
>>>> kerberos tickets to the submit host (after doing
>>>> qmgr -c "set server submit_hosts = submithost"), and
>>>> finally to the worker nodes?
>>>
>>> I don't believe that the standard version of Torque
>>> supports this, there is a GSSAPI branch in Subversion
>>> but I have no idea if that is maintained or not these
>>> days.. :-(
>
>> I think it generally works.
>>
>> Someone (who knows what they are doing) needs to give it a good  
>> exercising so
>> that we can finally get it merged back into trunk.
>
> The gssapi branch works; I use it all the time on a cluster here.   
> I've
> attached a patch with the changes that I made last time I synced my
> checkout with svn (Jan 15, commit 3369 if I'm reading things
> correctly).  I'll try out the most recent merges into the gssapi  
> branch
> next chance I get, but that'll be a while.
>
> Alex
>
> diff --git a/configure.ac b/configure.ac index 6c6ad4a..ed01369  
> 100644 --- a/configure.ac +++ b/configure.ac @@ -815,6 +815,13 @@  
> AC_ARG_WITH(gssapi, AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h)  
> AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h) AC_CHECK_HEADERS 
> (gssapi_generic.h gssapi/gssapi_generic.h) +	AC_CHECK_HEADERS(afs/ 
> param.h) +	AC_MSG_CHECKING(for libafsauthent) +	AC_CHECK_LIB 
> (afsauthent_pic, + setpag, + [K5LIBS="-lafsauthent_pic -lafsrpc_pic - 
> lpthread $K5LIBS"], + AC_MSG_WARN([Can't find libafsauthent]), + - 
> lafsrpc_pic -lpthread) ] ) @@ -824,6 +831,11 @@ AM_CONDITIONAL 
> (INCLUDE_GSSAPI, [test "$buildgssapi" = "yes"]) if test  
> "$buildgssapi" = "yes" ;then AC_PATH_PROGS(KRB5KDESTROY, kdestroy,  
> kdestroy,$PATH:$GSSAPIROOT/bin)       AC_DEFINE_UNQUOTED 
> ([KRB5_KDESTROY],"${KRB5KDESTROY}",[Path to kdestroy]) +  
> AC_CHECK_PROG(KRB5KINIT, kinit, kinit) + AC_DEFINE_UNQUOTED 
> ([KRB5_KINIT],"${KRB5KINIT}",[Path to kinit]) +     AC_CHECK_PROG 
> (AKLOGPATH, aklog, aklog) + AC_DEFINE_UNQUOTED([AKLOG_PATH],"$ 
> {AKLOGPATH}",[Path to aklog]) + AC_DEFINE_UNQUOTED([__TOLDGROUP],"1", 
> [use old group lookup method to keep from trashing PAGs])  fi dnl  
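Review bot: `AC_CHECK_PROG(KRB5KINIT, kinit, kinit)` and `AC_CHECK_PROG(AKLOGPATH, aklog, aklog)` bake the bare names `kinit`/`aklog` into KRB5_KINIT and AKLOG_PATH, whereas the kdestroy line just above uses AC_PATH_PROGS and records an absolute path; those two macros end up in system() calls in pbsgss.c, so the daemon will resolve the binaries through whatever PATH it inherited at start-up. Use `AC_PATH_PROG(KRB5KINIT, kinit, , $PATH:$GSSAPIROOT/bin)` and `AC_PATH_PROG(AKLOGPATH, aklog, , $PATH:$GSSAPIROOT/bin)` so the compiled-in path is absolute, and fail the configure run with AC_MSG_ERROR when either is missing, because an empty value currently produces a run-time command line of just ` -R -c <ccname>`. Likewise the AFS check only AC_MSG_WARNs when libafsauthent is absent, yet pbsgss.c now calls setpag() and system(AKLOG_PATH) unconditionally, so such a build fails at link time; either make the AFS code conditional on a HAVE_AFS-style define or make the check fatal. Separately, `__TOLDGROUP` is a reserved identifier (double leading underscore); a project-prefixed name such as `PBS_OLD_GROUP_LOOKUP` would avoid that.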
> diff --git a/src/include/dis.h b/src/include/dis.h index  
> 6a06a58..cb4fac9 100644 --- a/src/include/dis.h +++ b/src/include/ 
> dis.h @@ -247,9 +247,9 @@ extern void DIS_tcp_setup (int fd); extern  
> int DIS_tcp_wflush (int fd);  extern void DIS_tcp_settimeout (long  
> timeout); extern int DIS_tcp_istimeout (int fd); -extern void  
> DIS_tcp_release A_((int fd)); +extern void DIS_tcp_release (int fd);  
> #ifdef GSSAPI -extern void DIS_tcp_set_gss A_((int fd, gss_ctx_id_t  
> ctx, OM_uint32 flags)); +extern void DIS_tcp_set_gss (int fd,  
> gss_ctx_id_t ctx, OM_uint32 flags); #endif diff --git a/src/include/ 
> pbsgss.h b/src/include/pbsgss.h index 8ed5382..95b2adc 100644 --- a/ 
> src/include/pbsgss.h +++ b/src/include/pbsgss.h @@ -44,6 +44,7 @@  
> int pbsgss_save_creds (gss_cred_id_t client_creds, char  
> *ccname_for_job(char *jobnamem, char *prefix); int  
> authenticate_as_job(char *jobname,int setpag); int  
> pbsgss_renew_creds (char *jobname, char *prefix); +void  
> pbsgss_delete_creds(char *jobname, char *prefix); void  
> pbsgss_save_sec_context(gss_ctx_id_t *context, OM_uint32 flags, int  
> fd); /* Token types */ diff --git a/src/lib/Libifl/pbsgss.c b/src/ 
> lib/Libifl/pbsgss.c index 7b2daf0..ea7dcfc 100644 --- a/src/lib/ 
> Libifl/pbsgss.c +++ b/src/lib/Libifl/pbsgss.c @@ -56,6 +56,8 @@  
> #include /* the master config generated by configure */ +#ifdef  
> GSSAPI /* don't bother compiling any of this if we don't need gssapi  
> */ + #include #include #include  @@ -70,6 +72,9 @@ #include  
> +#include +extern afs_int32 setpag(); + #include "portability.h"  
> #include "pbsgss.h" #include "log.h" @@ -721,15 +726,40 @@ int  
> pbsgss_save_creds (gss_cred_id_t client_creds, int  
> pbsgss_renew_creds (char *jobname, char *prefix) { char *cmd,  
> *ccname; ccname = ccname_for_job(jobname,prefix); - cmd = malloc 
> (sizeof(char) * (strlen(ccname) + strlen("/usr/bin/kinit -R -c ") +  
> 10)); + cmd = malloc(sizeof(char) * (strlen(ccname) + strlen 
> (KRB5_KINIT) + 20)); if (cmd == NULL) { free(ccname); return 1; } -  
> sprintf(cmd,"/usr/bin/kinit -R -c %s",ccname); + sprintf(cmd,"%s -R - 
> c %s",KRB5_KINIT,ccname); return system(cmd); } +void  
> pbsgss_delete_creds(char *jobname, char *prefix) { + char *ccname; +  
> char          *kdestroy; + + ccname = ccname_for_job 
> (jobname,prefix); + if (ccname) { + int result; + kdestroy = malloc 
> (sizeof(char) * (strlen(ccname) + strlen(KRB5_KDESTROY) + 5)); + if  
> (kdestroy) { + sprintf(kdestroy,"%s -c %s",KRB5_KDESTROY,ccname);  
> +      result = system(kdestroy); + if (result != 0) { +	sprintf 
> (log_buffer, "error %d running %s",result,kdestroy); +	log_record 
> (PBSEVENT_DEBUG, + PBS_EVENTCLASS_JOB, + jobname, +	 log_buffer);  
> + } + free(kdestroy); + } + free(ccname); + } + +} + int  
> pbsgss_client_authenticate(char *hostname, int psock, int delegate,  
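Review bot: pbsgss_delete_creds and pbsgss_renew_creds build a shell command from KRB5_KDESTROY/KRB5_KINIT plus the cache path and run it through system(), using an unbounded sprintf into a buffer sized to the exact byte (`strlen(ccname) + strlen(KRB5_KDESTROY) + 5` is precisely `" -c "` plus the terminator, with no slack if the format ever changes). At minimum keep the computed length and use `snprintf(kdestroy, len, "%s -c %s", KRB5_KDESTROY, ccname);`; better, call krb5_cc_resolve/krb5_cc_destroy (and the renew API for the `-R` path) directly and drop the shell entirely, since these run inside the daemon with its privileges. The value tested with `result != 0` and the value returned from pbsgss_renew_creds are the raw wait status from system(), not an exit code; decode with WIFEXITED/WEXITSTATUS (and treat -1 as "could not spawn") before logging or comparing. ccname_for_job, which decides what characters can appear in the path handed to the shell, is outside this hunk.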
> @@ -850,16 +880,17 @@ char *ccname_for_job(char *jobname, char  
> *prefix) { /* assumes it's running as the mom, because server  
> doesn't need to call aklog */ int authenticate_as_job(char *ccname,  
> - int setpag) { +	 int shouldsetpag) { if (setenv 
> ("KRB5CCNAME",ccname,1) != 0) { return -1; } - if (setpag) { - system 
> ("/usr/bin/aklog -setpag"); - } else { - system("/usr/bin/aklog"); +  
> if (shouldsetpag) { + int status = setpag(); + if (status != 0) { +  
> return status; + } } - return 0; + return system(AKLOG_PATH); } #if  
> 0 /* this isn't actually used anywhere, and doesn't return a value  
> */ @@ -941,3 +972,5 @@ void pbsgss_save_sec_context(gss_ctx_id_t  
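Review bot: authenticate_as_job now returns the raw value of system(AKLOG_PATH), which is a wait status (or -1 when the shell could not be spawned), while its other failure paths return -1 from setenv and the status of setpag(); callers that only compare against 0 still work, but anything that interprets the number will misread an aklog exit code. Decode it before returning: `int st = system(AKLOG_PATH);` followed by `return (st == -1 || !WIFEXITED(st)) ? -1 : WEXITSTATUS(st);`. The rename to `shouldsetpag` is needed because the old parameter `setpag` would shadow the `extern afs_int32 setpag();` this patch adds to the same file, but the prototype in pbsgss.h still reads `int authenticate_as_job(char *jobname,int setpag);` and should be renamed to match; its first parameter is a ccache path here, not a job name, so the prototype's `jobname` is misleading as well. `extern afs_int32 setpag(void);` is the prototype form and avoids the empty-parameter-list declaration.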
> *context, } } } + +#endif /* GSSAPI */ diff --git a/src/lib/Libifl/ 
> tcp_dis.c b/src/lib/Libifl/tcp_dis.c index d613a2a..a532b61 100644  
> --- a/src/lib/Libifl/tcp_dis.c +++ b/src/lib/Libifl/tcp_dis.c @@  
> -177,6 +177,39 @@ static void tcp_pack_buff( return; } /* END  
> tcp_pack_buff() */ +static int tcp_resize_buff ( +	 struct tcpdisbuf  
> *tp, +	 size_t newbufsize) { +#ifndef NDEBUG + char *id =  
> "tcp_resize_buff"; +#endif + + int leadpct, trailpct; + char *temp;  
> + leadpct = (int)(tp->tdis_thebuf - tp->tdis_leadp); + trailpct =  
> (int)(tp->tdis_thebuf - tp->tdis_trailp); + temp = (char *)malloc 
> (newbufsize); + if(!temp) + { + /* FAILURE */ + + DBPRT(("%s: error!  
> out of space in buffer and cannot realloc message buffer (bufsize= 
> %ld, buflen=%d, newbufsize=%d)\n", + id, + tp->tdis_bufsize, + (int) 
> (tp->tdis_leadp - tp->tdis_thebuf), + (int)newbufsize)) + +	return 
> (-1); + } + + memcpy(temp, tp->tdis_thebuf, tp->tdis_bufsize); + free 
> (tp->tdis_thebuf); + tp->tdis_thebuf = temp; + tp->tdis_bufsize =  
> newbufsize; + tp->tdis_leadp = tp->tdis_thebuf - leadpct; + tp- 
> >tdis_trailp = tp->tdis_thebuf - trailpct; + return 0; +} /* END  
> tcp_resize_buff */ @@ -331,7 +364,7 @@ leftover: { tp = &tcparray 
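Review bot: tcp_resize_buff rebases tdis_leadp and tdis_trailp after the buffer moves but not tdis_eod, which is left pointing into the block just handed to free(); that was presumably harmless while this code lived in tcp_puts and only touched writebuf, but the readmore hunk below now calls it on readbuf and immediately uses tp->tdis_eod in `tp->tdis_eod - tp->tdis_leadp`, and the leftover path memcpy's into tp->tdis_eod. Save the offset before the copy and restore it afterwards: `int eodoff = (int)(tp->tdis_eod - tp->tdis_thebuf);` before the malloc and `tp->tdis_eod = tp->tdis_thebuf + eodoff;` after the reassignment (if tdis_eod can be NULL for the write buffer, which is not visible here, guard that case). The helper also copies tdis_bufsize bytes without checking that newbufsize is at least that large; both current callers guarantee it, but an `if (newbufsize < tp->tdis_bufsize) return -1;` keeps it safe on its own. The `leadpct`/`trailpct` names inherited from tcp_puts are byte offsets, not percentages, and deserve a rename while the code is being moved.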
> [fd]->readbuf; tcp_pack_buff(tp); - f = THE_BUF_SIZE - (tp->tdis_eod  
> - tp->tdis_thebuf); + f = tp->tdis_bufsize - (tp->tdis_eod - tp- 
> >tdis_thebuf); if ((size_t)f < l) { memcpy(tp->tdis_eod, tcparray 
> [fd]->unwrapped.value, f); @@ -363,9 +396,15 @@ readmore: int i; for  
> (i=0, l=0; i<4; i++) l = l<<8 | (*tp->tdis_leadp++ & 0xff); - if (l 
> +4>THE_BUF_SIZE) + /* if the buffer is to small to have read the  
> entire gss token, + make the buffer bigger and call read again to  
> read the rest from the + socket. Then proceed + */ + if (l+4>tp- 
> >tdis_bufsize) { - return(-2);	/* FIXME: this is fatal; how to clean  
> up? */ +	tcp_resize_buff(tp, l+4); +	f = tcp_readbuf(fd, tp); +	 
> tcparray[fd]->AtEOF = (f == -2); } if ((size_t)(tp->tdis_eod - tp- 
> >tdis_leadp) >= l) { @@ -773,15 +812,9 @@ static int tcp_puts 
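Review bot: `l` is the 4-byte token length read straight off the socket, and where the old code rejected anything over THE_BUF_SIZE the new code allocates `l+4` bytes on the peer's say-so, so a not-yet-authenticated client can make the daemon malloc up to ~4 GiB per connection; if `l` is an unsigned 32-bit type (its declaration is outside this hunk) `l+4` also wraps for the top four values. The return of tcp_resize_buff is ignored as well, so on allocation failure the code carries on reading into the old, too-small buffer. Keep an upper bound and check the result: `if (l + 4 > MAX_GSS_TOKEN_SIZE || tcp_resize_buff(tp, l + 4) != 0) return(-2);` with MAX_GSS_TOKEN_SIZE a named constant sized for the largest wrapped message the mechanism can produce (a small multiple of THE_BUF_SIZE). A -2 return still leaves the removed FIXME's cleanup question open, so the caller, which is outside this hunk, has to close the connection on that path.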
> ( size_t      ct) /* I */ { -#ifndef NDEBUG - char *id = "tcp_puts";  
> -#endif struct tcp_chan *tcp; struct tcpdisbuf *tp; - char *temp; -  
> int leadpct, trailpct; - size_t newbufsize; tcp = tcparray[fd]; @@  
> -792,31 +825,9 @@ static int tcp_puts( tp = &tcp->writebuf; if ((tp- 
> >tdis_thebuf + tp->tdis_bufsize - tp->tdis_leadp) < (ssize_t)ct)  
> { - /* not enough room, reallocate the buffer */ - leadpct = (int) 
> (tp->tdis_thebuf - tp->tdis_leadp); - trailpct = (int)(tp- 
> >tdis_thebuf - tp->tdis_trailp); - newbufsize = tp->tdis_bufsize +  
> THE_BUF_SIZE; - temp = (char *)malloc(newbufsize); - if(!temp) -  
> { - /* FAILURE */ - - DBPRT(("%s: error!  out of space in buffer and  
> cannot realloc message buffer (bufsize=%ld, buflen=%d, ct=%d)\n", -  
> id, - tp->tdis_bufsize, - (int)(tp->tdis_leadp - tp->tdis_thebuf), -  
> (int)ct)) - - return(-1); + if (tcp_resize_buff(tp,tp->tdis_bufsize  
> + THE_BUF_SIZE) != 0) { +	return(-1); } - - memcpy(temp, tp- 
> >tdis_thebuf, tp->tdis_bufsize); - free(tp->tdis_thebuf); - tp- 
> >tdis_thebuf = temp; - tp->tdis_bufsize = newbufsize; - tp- 
> >tdis_leadp = tp->tdis_thebuf - leadpct; - tp->tdis_trailp = tp- 
> >tdis_thebuf - trailpct; - } memcpy(tp->tdis_leadp, (char *)str,  
> ct); @@ -1153,7 +1164,7 @@ void DIS_tcp_set_gss( { OM_uint32 major,  
> minor, bufsize; - struct tcpdisbuf *tp; +/* struct tcpdisbuf *tp; */  
> assert (fd >= 0 && fd < tcparraymax && tcparray[fd]); assert  
> (tcparray[fd]->gssctx == GSS_C_NO_CONTEXT); @@ -1162,18 +1173,27 @@  
> void DIS_tcp_set_gss( tcparray[fd]->Confidential = (flags &  
> GSS_C_CONF_FLAG); major = gss_wrap_size_limit (&minor, ctx, (flags &  
> GSS_C_CONF_FLAG), GSS_C_QOP_DEFAULT, THE_BUF_SIZE, &bufsize); + + /*  
> reallocate the gss buffer if it's too small to handle the wrapped +  
> version of the largest unwrapped message + */ if (major ==  
> GSS_S_COMPLETE) { - tp = &tcparray[fd]->writebuf; - - tp- 
> >tdis_thebuf = (char *)malloc(THE_BUF_SIZE); - if(tp->tdis_thebuf ==  
> NULL) - { - log_err(errno,"DIS_tcp_set_gss","malloc failure"); -  
> return; + struct tcpdisbuf *tp = &tcparray[fd]->gssrdbuf; + if (tp- 
> >tdis_bufsize < bufsize) { + if (tp->tdis_thebuf != NULL) { +	free 
> (tp->tdis_thebuf); } - tp->tdis_bufsize = THE_BUF_SIZE; + tp- 
> >tdis_thebuf = (char *)malloc(bufsize); + if(tp->tdis_thebuf ==  
> NULL) +	{ + log_err(errno,"DIS_tcp_set_gss","malloc failure"); +	 +	  
> return; +	} + tp->tdis_bufsize = bufsize; + } } } /* END  
> DIS_tcp_set_gss */ diff --git a/src/resmom/mom_main.c b/src/resmom/ 
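Review bot: in DIS_tcp_set_gss, when the malloc that follows free(tp->tdis_thebuf) fails the function returns with tdis_thebuf NULL but tdis_bufsize still holding the old size, so later code that derives free space from tdis_bufsize will believe a buffer exists; set `tp->tdis_bufsize = 0;` (and reset the lead/trail/eod pointers, which are not shown here) before that return, or allocate into a temporary and free the old buffer only on success. The new comment says the buffer is grown for "the wrapped version of the largest unwrapped message", but gss_wrap_size_limit called with THE_BUF_SIZE as the requested output size returns the largest *cleartext* that still wraps into THE_BUF_SIZE bytes, i.e. a value no larger than THE_BUF_SIZE, so as I read it `tp->tdis_bufsize < bufsize` can only fire if gssrdbuf starts out smaller than THE_BUF_SIZE; please confirm which direction was intended and reword the comment, e.g. `/* gss_wrap_size_limit gives the largest cleartext that wraps into THE_BUF_SIZE bytes; make sure gssrdbuf can hold that much */`. The commented-out `/* struct tcpdisbuf *tp; */` should simply be deleted.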
> mom_main.c index e1a4d82..17b27dc 100644 --- a/src/resmom/mom_main.c  
> +++ b/src/resmom/mom_main.c @@ -209,7 +209,7 @@ char *path_aux; char  
> *path_server_name; char *path_home = PBS_SERVER_HOME; #ifdef GSSAPI - 
> char *path_creds; +char *path_creds = "/tmp"; #endif char *mom_home;  
> extern char *msg_daemonname; /* for logs */ diff --git a/src/resmom/ 
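Review bot: `char *path_creds = "/tmp";` makes the world-writable /tmp the default home for every job's forwarded Kerberos cache, and req_accept_forwarded_creds in this same patch fixes ownership with a chown() by path name after the file exists; if the per-job name from ccname_for_job (not in this diff) is predictable, an unprivileged local user can pre-create or symlink that name and end up owning, reading or redirecting the cache — the classic /tmp race. Default instead to a daemon-owned, mode-0700 directory under the PBS home (`path_home = PBS_SERVER_HOME` is set one line above), create the cache with O_CREAT|O_EXCL and fchown() the descriptor rather than chown() the path, and document the requirement on the variable: `/* directory for per-job credential caches; must be owned by the daemon, mode 0700, and not shared with users */`. Whether path_creds is later overridden from the mom configuration is not visible here.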
> requests.c b/src/resmom/requests.c index 534975d..fcfb25a 100644 ---  
> a/src/resmom/requests.c +++ b/src/resmom/requests.c @@ -1149,6  
> +1149,11 @@ void req_deletejob( /* assume success? */ +#ifdef GSSAPI  
> + /* clean up the ticket file */ + pbsgss_delete_creds(pjob- 
> >ji_qs.ji_jobid,path_creds); +#endif + mom_deljob(pjob); reply_ack 
> (preq); @@ -4149,7 +4154,10 @@ int req_accept_forwarded_creds(struct  
> batch_request *request, int socket, int sa *atindex = '\0'; pwinfo =  
> getpwnam(forwarded_princ); if (pwinfo != NULL) { - chown 
> (ccname,pwinfo->pw_uid,pwinfo->pw_gid); + if (chown(ccname,pwinfo- 
> >pw_uid,pwinfo->pw_gid) != 0) { + free(ccname); +	 return -1; +	} }  
> *atindex = '@'; } diff --git a/src/server/job_func.c b/src/server/ 
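Review bot: when chown() fails, req_accept_forwarded_creds now returns -1 but leaves the freshly written credential cache on disk under the daemon's own uid, and returns with forwarded_princ still truncated at the '@' because the restore on the following line is skipped; the pre-existing `pwinfo == NULL` case (a principal with no local account) still falls through and succeeds with the cache never re-owned. Treat both as failures and remove the file: `if (pwinfo == NULL || chown(ccname, pwinfo->pw_uid, pwinfo->pw_gid) != 0) { unlink(ccname); free(ccname); return -1; }`, restoring `*atindex` first or doing the split on a copy. Whether the caller rejects the job on -1 is outside this hunk, as are the start and end of the function.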
> job_func.c index fc5c27a..7622774 100644 --- a/src/server/job_func.c  
> +++ b/src/server/job_func.c @@ -1478,10 +1478,6 @@ void job_purge 
> ( char namebuf[MAXPATHLEN + 1]; extern char *msg_err_purgejob; - 
> #ifdef GSSAPI - char *ccname; - char *kdestroy; -#endif if ((pjob- 
> >ji_qs.ji_substate != JOB_SUBSTATE_TRANSIN) && (pjob- 
> >ji_qs.ji_substate != JOB_SUBSTATE_TRANSICM)) @@ -1632,16 +1628,7 @@  
> void job_purge( } #ifdef GSSAPI - ccname = ccname_for_job(pjob- 
> >ji_qs.ji_jobid,path_creds); - if (ccname) { - kdestroy = malloc 
> (sizeof(char) * (strlen(ccname) + strlen(KRB5_KDESTROY) + 5)); - if  
> (kdestroy) { - sprintf(kdestroy,"%s -c %s",KRB5_KDESTROY,ccname); -  
> system(kdestroy); - free(kdestroy); - } - free(ccname); - } +  
> pbsgss_delete_creds(pjob->ji_qs.ji_jobid,path_creds); #endif job_free 
> (pjob); diff --git a/src/server/req_quejob.c b/src/server/ 
> req_quejob.c index 91f3d69..d46f348 100644 --- a/src/server/ 
> req_quejob.c +++ b/src/server/req_quejob.c @@ -381,7 +381,7 @@ void  
> req_quejob( } jobidcopy = malloc(sizeof(char) * (strlen(jid) + 2));  
> strcpy(jobidcopy,jid); - set_task(WORK_Timed,time((time_t *)0) +  
> 3600*3,renew_job_credentials,jobidcopy); + set_task(WORK_Timed,time 
> ((time_t *)0) + 1200,renew_job_credentials,jobidcopy); free(ccname);  
> #endif /* GSSAPI */ diff --git a/src/server/svr_chk_owner.c b/src/ 
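Review bot: the first renewal is now scheduled 1200 s after queueing while renew_job_credentials in svr_jobfunc.c re-arms itself every 3600 s, and both are bare literals in different files; give them named constants next to the GSSAPI code (`#define PBS_CRED_RENEW_FIRST 1200` and `#define PBS_CRED_RENEW_INTERVAL 3600`) with a comment that the interval must stay well below the shortest ticket lifetime the site's KDC issues, which is the only reason these values matter. The `jobidcopy` allocation on the context line above is not part of this change, but its result is passed to strcpy unchecked and is worth a guard while this code is being touched.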
> server/svr_chk_owner.c index 4ef4b5e..95822f9 100644 --- a/src/ 
> server/svr_chk_owner.c +++ b/src/server/svr_chk_owner.c @@ -375,6  
> +375,8 @@ int svr_get_privilege( #endif } +#endif /* __CYGWIN__ */ +  
> if (!(server.sv_attr[(int)SRV_ATR_managers].at_flags &  
> ATR_VFLAG_SET)) {      if (is_root) diff --git a/src/server/ 
> svr_jobfunc.c b/src/server/svr_jobfunc.c index e02e5b7..5aa73ec  
> 100644 --- a/src/server/svr_jobfunc.c +++ b/src/server/svr_jobfunc.c  
> @@ -2450,8 +2450,10 @@ void renew_job_credentials (struct work_task  
> *ptask) { allocated in req_quejob.c just to hold the jobname for the  
> renewal tasks */ if (retval == 0) { - set_task(WORK_Timed,time_now +  
> 3600*3,renew_job_credentials,jobname); + set_task 
> (WORK_Timed,time_now + 3600,renew_job_credentials,jobname); } else  
> { + sprintf(logbuffer, "failed to renew tickets for %s : %d",  
> jobname, retval); + log_event(PBSEVENT_ERROR, PBS_EVENTCLASS_SERVER,  
> "renew_job_credentials", log_buffer); free(jobname); } }

