[torqueusers] kerberos tickets
Garrick
garrick at usc.edu
Mon Jun 7 14:03:12 MDT 2010
That patch only has one conflicting chunk with current trunk that you
can probably resolve faster than I can.
HPCC/Linux Systems Admin
On Jun 7, 2010, at 12:43 PM, Alex Rolfe <arolfe at MIT.EDU> wrote:
> Garrick Staples <garrick at usc.edu> writes:
>> On Thu, Jun 03, 2010 at 11:46:13AM +1000, Christopher Samuel alleged:
>>> On 03/06/10 00:42, Andreas Davour wrote:
>>>
> >>>> I wonder if someone here has set up torque to forward
>>>> kerberos tickets to the submit host (after doing
>>>> qmgr -c "set server submit_hosts = submithost"), and
>>>> finally to the worker nodes?
>>>
>>> I don't believe that the standard version of Torque
>>> supports this, there is a GSSAPI branch in Subversion
>>> but I have no idea if that is maintained or not these
>>> days.. :-(
>
>> I think it generally works.
>>
>> Someone (who knows what they are doing) needs to give it a good
>> exercising so
>> that we can finally get it merged back into trunk.
>
> The gssapi branch works; I use it all the time on a cluster here.
> I've
> attached a patch with the changes that I made last time I synced my
> checkout with svn (Jan 15, commit 3369 if I'm reading things
> correctly). I'll try out the most recent merges into the gssapi
> branch
> next chance I get, but that'll be a while.
>
> Alex
>
> diff --git a/configure.ac b/configure.ac index 6c6ad4a..ed01369
> 100644 --- a/configure.ac +++ b/configure.ac @@ -815,6 +815,13 @@
> AC_ARG_WITH(gssapi, AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h)
> AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h) AC_CHECK_HEADERS
> (gssapi_generic.h gssapi/gssapi_generic.h) + AC_CHECK_HEADERS(afs/
> param.h) + AC_MSG_CHECKING(for libafsauthent) + AC_CHECK_LIB
> (afsauthent_pic, + setpag, + [K5LIBS="-lafsauthent_pic -lafsrpc_pic -
> lpthread $K5LIBS"], + AC_MSG_WARN([Can't find libafsauthent]), + -
> lafsrpc_pic -lpthread) ] ) @@ -824,6 +831,11 @@ AM_CONDITIONAL
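Review bot: The libafsauthent probe only emits AC_MSG_WARN when the library is missing, yet the GSSAPI build references setpag() unconditionally (the pbsgss.c hunk adds `extern afs_int32 setpag();` and authenticate_as_job calls it), so a host without the AFS libraries fails at link time instead of at configure time. Either make the not-found branch fatal with `AC_MSG_ERROR([libafsauthent is required for the GSSAPI build])`, or define a HAVE_ macro of your choosing in the found branch (constructed example: `AC_DEFINE([HAVE_LIBAFSAUTHENT], 1, [setpag() available])`) and guard the setpag() call with it. The AC_ARG_WITH(gssapi, ...) block this sits in starts before the hunk.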
> (INCLUDE_GSSAPI, [test "$buildgssapi" = "yes"]) if test
> "$buildgssapi" = "yes" ;then AC_PATH_PROGS(KRB5KDESTROY, kdestroy,
> kdestroy,$PATH:$GSSAPIROOT/bin) AC_DEFINE_UNQUOTED
> ([KRB5_KDESTROY],"${KRB5KDESTROY}",[Path to kdestroy]) +
> AC_CHECK_PROG(KRB5KINIT, kinit, kinit) + AC_DEFINE_UNQUOTED
> ([KRB5_KINIT],"${KRB5KINIT}",[Path to kinit]) + AC_CHECK_PROG
> (AKLOGPATH, aklog, aklog) + AC_DEFINE_UNQUOTED([AKLOG_PATH],"$
> {AKLOGPATH}",[Path to aklog]) + AC_DEFINE_UNQUOTED([__TOLDGROUP],"1",
> [use old group lookup method to keep from trashing PAGs]) fi dnl
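Review bot: `AC_CHECK_PROG(KRB5KINIT, kinit, kinit)` and `AC_CHECK_PROG(AKLOGPATH, aklog, aklog)` store the literal value-if-found, so KRB5_KINIT and AKLOG_PATH become the bare names `kinit` and `aklog`, which system() in pbsgss.c then resolves through whatever PATH the daemon inherited; the kdestroy line just above uses AC_PATH_PROGS and gets an absolute path. When the program is absent the variable is left empty, the define becomes `""`, and the command built in pbsgss_renew_creds degenerates to ` -R -c <ccache>`. Use the same form as kdestroy, `AC_PATH_PROGS(KRB5KINIT, kinit, , $PATH:$GSSAPIROOT/bin)` and `AC_PATH_PROGS(AKLOGPATH, aklog, , $PATH:$GSSAPIROOT/bin)`, and follow each with an AC_MSG_ERROR when the result is empty.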
> diff --git a/src/include/dis.h b/src/include/dis.h index
> 6a06a58..cb4fac9 100644 --- a/src/include/dis.h +++ b/src/include/
> dis.h @@ -247,9 +247,9 @@ extern void DIS_tcp_setup (int fd); extern
> int DIS_tcp_wflush (int fd); extern void DIS_tcp_settimeout (long
> timeout); extern int DIS_tcp_istimeout (int fd); -extern void
> DIS_tcp_release A_((int fd)); +extern void DIS_tcp_release (int fd);
> #ifdef GSSAPI -extern void DIS_tcp_set_gss A_((int fd, gss_ctx_id_t
> ctx, OM_uint32 flags)); +extern void DIS_tcp_set_gss (int fd,
> gss_ctx_id_t ctx, OM_uint32 flags); #endif diff --git a/src/include/
> pbsgss.h b/src/include/pbsgss.h index 8ed5382..95b2adc 100644 --- a/
> src/include/pbsgss.h +++ b/src/include/pbsgss.h @@ -44,6 +44,7 @@
> int pbsgss_save_creds (gss_cred_id_t client_creds, char
> *ccname_for_job(char *jobnamem, char *prefix); int
> authenticate_as_job(char *jobname,int setpag); int
> pbsgss_renew_creds (char *jobname, char *prefix); +void
> pbsgss_delete_creds(char *jobname, char *prefix); void
> pbsgss_save_sec_context(gss_ctx_id_t *context, OM_uint32 flags, int
> fd); /* Token types */ diff --git a/src/lib/Libifl/pbsgss.c b/src/
> lib/Libifl/pbsgss.c index 7b2daf0..ea7dcfc 100644 --- a/src/lib/
> Libifl/pbsgss.c +++ b/src/lib/Libifl/pbsgss.c @@ -56,6 +56,8 @@
> #include /* the master config generated by configure */ +#ifdef
> GSSAPI /* don't bother compiling any of this if we don't need gssapi
> */ + #include #include #include @@ -70,6 +72,9 @@ #include
> +#include +extern afs_int32 setpag(); + #include "portability.h"
> #include "pbsgss.h" #include "log.h" @@ -721,15 +726,40 @@ int
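Review bot: `extern afs_int32 setpag();` is an unprototyped declaration, so the compiler cannot check the call made in authenticate_as_job and C99 compilers warn on it; write `extern afs_int32 setpag(void);` or rely on the prototype from the AFS header the preceding `#include` line presumably pulls in (its name was stripped in this listing). The surrounding include block continues outside the hunk.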
> pbsgss_save_creds (gss_cred_id_t client_creds, int
> pbsgss_renew_creds (char *jobname, char *prefix) { char *cmd,
> *ccname; ccname = ccname_for_job(jobname,prefix); - cmd = malloc
> (sizeof(char) * (strlen(ccname) + strlen("/usr/bin/kinit -R -c ") +
> 10)); + cmd = malloc(sizeof(char) * (strlen(ccname) + strlen
> (KRB5_KINIT) + 20)); if (cmd == NULL) { free(ccname); return 1; } -
> sprintf(cmd,"/usr/bin/kinit -R -c %s",ccname); + sprintf(cmd,"%s -R -
> c %s",KRB5_KINIT,ccname); return system(cmd); } +void
> pbsgss_delete_creds(char *jobname, char *prefix) { + char *ccname; +
> char *kdestroy; + + ccname = ccname_for_job
> (jobname,prefix); + if (ccname) { + int result; + kdestroy = malloc
> (sizeof(char) * (strlen(ccname) + strlen(KRB5_KDESTROY) + 5)); + if
> (kdestroy) { + sprintf(kdestroy,"%s -c %s",KRB5_KDESTROY,ccname);
> + result = system(kdestroy); + if (result != 0) { + sprintf
> (log_buffer, "error %d running %s",result,kdestroy); + log_record
> (PBSEVENT_DEBUG, + PBS_EVENTCLASS_JOB, + jobname, + log_buffer);
> + } + free(kdestroy); + } + free(ccname); + } + +} + int
> pbsgss_client_authenticate(char *hostname, int psock, int delegate,
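Review bot: In pbsgss_delete_creds the failure message is formatted with `sprintf(log_buffer, "error %d running %s", result, kdestroy)`, and kdestroy holds the whole command including the credential-cache path, so a long path overruns log_buffer; use `snprintf(log_buffer, sizeof(log_buffer), "error %d running %s", result, kdestroy);` (assuming log_buffer is the usual fixed array, which is declared outside the hunk). `result` is the raw wait status from system(), so log `WEXITSTATUS(result)` after checking `WIFEXITED(result)` rather than the encoded value. Both pbsgss_renew_creds and pbsgss_delete_creds still pass a path derived from the job name to system(), i.e. through /bin/sh; since the job id originates with the submitting client, a fork()/execv() with an explicit argv would keep that string out of the shell entirely. The `strlen(ccname) + strlen(KRB5_KDESTROY) + 5` allocation is exactly `"%s -c %s"` plus the NUL, which is correct but deserves a comment saying so.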
> @@ -850,16 +880,17 @@ char *ccname_for_job(char *jobname, char
> *prefix) { /* assumes it's running as the mom, because server
> doesn't need to call aklog */ int authenticate_as_job(char *ccname,
> - int setpag) { + int shouldsetpag) { if (setenv
> ("KRB5CCNAME",ccname,1) != 0) { return -1; } - if (setpag) { - system
> ("/usr/bin/aklog -setpag"); - } else { - system("/usr/bin/aklog"); +
> if (shouldsetpag) { + int status = setpag(); + if (status != 0) { +
> return status; + } } - return 0; + return system(AKLOG_PATH); } #if
> 0 /* this isn't actually used anywhere, and doesn't return a value
> */ @@ -941,3 +972,5 @@ void pbsgss_save_sec_context(gss_ctx_id_t
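Review bot: authenticate_as_job now returns setpag()'s raw AFS status on one path and system()'s wait status on the other, and neither failure is logged, so a caller cannot tell which step failed; log it the way the rest of pbsgss.c does and normalise the return, e.g. `if (status != 0) { log_err(-1, "authenticate_as_job", "setpag failed"); return -1; }`. The pbsgss.h hunk above still declares the second parameter as `int setpag`, which shadows the function name inside the prototype; rename it to shouldsetpag there too. Unlike the old `system("/usr/bin/aklog -setpag")`, calling setpag() in-process moves the calling process into the new PAG, so confirm this runs in the per-job child rather than in the mom daemon itself (the comment only says "assumes it's running as the mom"). Whether `system(AKLOG_PATH)` runs an absolute path depends on the configure.ac hunk, where AC_CHECK_PROG yields the bare name `aklog`.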
> *context, } } } + +#endif /* GSSAPI */ diff --git a/src/lib/Libifl/
> tcp_dis.c b/src/lib/Libifl/tcp_dis.c index d613a2a..a532b61 100644
> --- a/src/lib/Libifl/tcp_dis.c +++ b/src/lib/Libifl/tcp_dis.c @@
> -177,6 +177,39 @@ static void tcp_pack_buff( return; } /* END
> tcp_pack_buff() */ +static int tcp_resize_buff ( + struct tcpdisbuf
> *tp, + size_t newbufsize) { +#ifndef NDEBUG + char *id =
> "tcp_resize_buff"; +#endif + + int leadpct, trailpct; + char *temp;
> + leadpct = (int)(tp->tdis_thebuf - tp->tdis_leadp); + trailpct =
> (int)(tp->tdis_thebuf - tp->tdis_trailp); + temp = (char *)malloc
> (newbufsize); + if(!temp) + { + /* FAILURE */ + + DBPRT(("%s: error!
> out of space in buffer and cannot realloc message buffer (bufsize=
> %ld, buflen=%d, newbufsize=%d)\n", + id, + tp->tdis_bufsize, + (int)
> (tp->tdis_leadp - tp->tdis_thebuf), + (int)newbufsize)) + + return
> (-1); + } + + memcpy(temp, tp->tdis_thebuf, tp->tdis_bufsize); + free
> (tp->tdis_thebuf); + tp->tdis_thebuf = temp; + tp->tdis_bufsize =
> newbufsize; + tp->tdis_leadp = tp->tdis_thebuf - leadpct; + tp-
> >tdis_trailp = tp->tdis_thebuf - trailpct; + return 0; +} /* END
> tcp_resize_buff */ @@ -331,7 +364,7 @@ leftover: { tp = &tcparray
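Review bot: tcp_resize_buff re-bases tdis_leadp and tdis_trailp after the copy but leaves tdis_eod pointing into the buffer it just freed; the read path in the later hunk evaluates `tp->tdis_eod - tp->tdis_thebuf` and `tp->tdis_eod - tp->tdis_leadp` right after a resize, so that is a dangling-pointer use (the write-buffer code this was lifted from may never have needed tdis_eod, which would explain the omission). Save the offset before the malloc, `int eodoff = (int)(tp->tdis_eod - tp->tdis_thebuf);`, and restore it with the others, `tp->tdis_eod = tp->tdis_thebuf + eodoff;`. The helper also copies `tp->tdis_bufsize` bytes into `newbufsize` bytes without checking that the new size is not smaller; a guard `if (newbufsize < tp->tdis_bufsize) return(-1);` makes it safe for any caller. The names leadpct/trailpct suggest percentages but hold byte offsets, so leadoff/trailoff would read better.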
> [fd]->readbuf; tcp_pack_buff(tp); - f = THE_BUF_SIZE - (tp->tdis_eod
> - tp->tdis_thebuf); + f = tp->tdis_bufsize - (tp->tdis_eod - tp-
> >tdis_thebuf); if ((size_t)f < l) { memcpy(tp->tdis_eod, tcparray
> [fd]->unwrapped.value, f); @@ -363,9 +396,15 @@ readmore: int i; for
> (i=0, l=0; i<4; i++) l = l<<8 | (*tp->tdis_leadp++ & 0xff); - if (l
> +4>THE_BUF_SIZE) + /* if the buffer is to small to have read the
> entire gss token, + make the buffer bigger and call read again to
> read the rest from the + socket. Then proceed + */ + if (l+4>tp-
> >tdis_bufsize) { - return(-2); /* FIXME: this is fatal; how to clean
> up? */ + tcp_resize_buff(tp, l+4); + f = tcp_readbuf(fd, tp); +
> tcparray[fd]->AtEOF = (f == -2); } if ((size_t)(tp->tdis_eod - tp-
> >tdis_leadp) >= l) { @@ -773,15 +812,9 @@ static int tcp_puts
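Review bot: `l` is assembled from four bytes read off the socket and is passed unchecked as the new buffer size, so a peer can make tcp_resize_buff request a malloc of up to 4 GiB plus 4 before any GSS token has been verified, and the return value of tcp_resize_buff is ignored here (tcp_puts checks it), so after a failed allocation the code goes on reading into the unchanged, too-small buffer. Bound the length and check the result: `if (l + 4 > GSS_TOKEN_MAX || tcp_resize_buff(tp, l + 4) != 0) return(-2);`, where GSS_TOKEN_MAX is a placeholder for a project-chosen ceiling (a fixed multiple of THE_BUF_SIZE, or a value derived from the gss_wrap_size_limit call in DIS_tcp_set_gss). The old `return(-2)` comment asked how to clean up after a fatal error; that question still applies to the new failure path. The enclosing function starts and ends outside the hunk.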
> ( size_t ct) /* I */ { -#ifndef NDEBUG - char *id = "tcp_puts";
> -#endif struct tcp_chan *tcp; struct tcpdisbuf *tp; - char *temp; -
> int leadpct, trailpct; - size_t newbufsize; tcp = tcparray[fd]; @@
> -792,31 +825,9 @@ static int tcp_puts( tp = &tcp->writebuf; if ((tp-
> >tdis_thebuf + tp->tdis_bufsize - tp->tdis_leadp) < (ssize_t)ct)
> { - /* not enough room, reallocate the buffer */ - leadpct = (int)
> (tp->tdis_thebuf - tp->tdis_leadp); - trailpct = (int)(tp-
> >tdis_thebuf - tp->tdis_trailp); - newbufsize = tp->tdis_bufsize +
> THE_BUF_SIZE; - temp = (char *)malloc(newbufsize); - if(!temp) -
> { - /* FAILURE */ - - DBPRT(("%s: error! out of space in buffer and
> cannot realloc message buffer (bufsize=%ld, buflen=%d, ct=%d)\n", -
> id, - tp->tdis_bufsize, - (int)(tp->tdis_leadp - tp->tdis_thebuf), -
> (int)ct)) - - return(-1); + if (tcp_resize_buff(tp,tp->tdis_bufsize
> + THE_BUF_SIZE) != 0) { + return(-1); } - - memcpy(temp, tp-
> >tdis_thebuf, tp->tdis_bufsize); - free(tp->tdis_thebuf); - tp-
> >tdis_thebuf = temp; - tp->tdis_bufsize = newbufsize; - tp-
> >tdis_leadp = tp->tdis_thebuf - leadpct; - tp->tdis_trailp = tp-
> >tdis_thebuf - trailpct; - } memcpy(tp->tdis_leadp, (char *)str,
> ct); @@ -1153,7 +1164,7 @@ void DIS_tcp_set_gss( { OM_uint32 major,
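Review bot: The buffer is grown by a single THE_BUF_SIZE step, but the condition it guards is that `ct` bytes do not fit, so when ct exceeds the free space plus THE_BUF_SIZE the following `memcpy(tp->tdis_leadp, (char *)str, ct)` still overruns the new buffer (the replaced code had the same gap; whether callers bound ct is not visible here). Grow to what is actually needed: `size_t need = (size_t)(tp->tdis_leadp - tp->tdis_thebuf) + ct;` followed by `if (tcp_resize_buff(tp, need > tp->tdis_bufsize + THE_BUF_SIZE ? need : tp->tdis_bufsize + THE_BUF_SIZE) != 0)`. tcp_puts starts outside the hunk.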
> minor, bufsize; - struct tcpdisbuf *tp; +/* struct tcpdisbuf *tp; */
> assert (fd >= 0 && fd < tcparraymax && tcparray[fd]); assert
> (tcparray[fd]->gssctx == GSS_C_NO_CONTEXT); @@ -1162,18 +1173,27 @@
> void DIS_tcp_set_gss( tcparray[fd]->Confidential = (flags &
> GSS_C_CONF_FLAG); major = gss_wrap_size_limit (&minor, ctx, (flags &
> GSS_C_CONF_FLAG), GSS_C_QOP_DEFAULT, THE_BUF_SIZE, &bufsize); + + /*
> reallocate the gss buffer if it's too small to handle the wrapped +
> version of the largest unwrapped message + */ if (major ==
> GSS_S_COMPLETE) { - tp = &tcparray[fd]->writebuf; - - tp-
> >tdis_thebuf = (char *)malloc(THE_BUF_SIZE); - if(tp->tdis_thebuf ==
> NULL) - { - log_err(errno,"DIS_tcp_set_gss","malloc failure"); -
> return; + struct tcpdisbuf *tp = &tcparray[fd]->gssrdbuf; + if (tp-
> >tdis_bufsize < bufsize) { + if (tp->tdis_thebuf != NULL) { + free
> (tp->tdis_thebuf); } - tp->tdis_bufsize = THE_BUF_SIZE; + tp-
> >tdis_thebuf = (char *)malloc(bufsize); + if(tp->tdis_thebuf ==
> NULL) + { + log_err(errno,"DIS_tcp_set_gss","malloc failure"); + +
> return; + } + tp->tdis_bufsize = bufsize; + } } } /* END
> DIS_tcp_set_gss */ diff --git a/src/resmom/mom_main.c b/src/resmom/
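Review bot: gss_wrap_size_limit() returns in `bufsize` the largest input that still wraps into THE_BUF_SIZE bytes, i.e. a value no larger than THE_BUF_SIZE, so `if (tp->tdis_bufsize < bufsize)` sizes gssrdbuf to the plaintext limit rather than to "the wrapped version of the largest unwrapped message" as the new comment states; if the intent is room for a wrapped token, the buffer needs THE_BUF_SIZE plus the mechanism's overhead, and the comment should be reworded either way. In the malloc-failure branch the old buffer has already been freed but `tp->tdis_bufsize` keeps its old value, leaving a NULL buffer with a non-zero size for the next reader; add `tp->tdis_bufsize = 0;` before the `return;`, or malloc first and free the old buffer only on success. tdis_leadp, tdis_trailp and tdis_eod are not re-pointed at the new allocation here either, which matters if gssrdbuf can already be in use when this runs.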
> mom_main.c index e1a4d82..17b27dc 100644 --- a/src/resmom/mom_main.c
> +++ b/src/resmom/mom_main.c @@ -209,7 +209,7 @@ char *path_aux; char
> *path_server_name; char *path_home = PBS_SERVER_HOME; #ifdef GSSAPI -
> char *path_creds; +char *path_creds = "/tmp"; #endif char *mom_home;
> extern char *msg_daemonname; /* for logs */ diff --git a/src/resmom/
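Review bot: `char *path_creds = "/tmp";` makes the default credential-cache directory the world-writable /tmp; ccname_for_job() derives a predictable file name from the job id and req_accept_forwarded_creds later chown()s that path to the job owner, which is the classic pre-created-file/symlink race unless the cache is created with O_CREAT|O_EXCL in a directory only the daemon can write. Default instead to a mom-owned directory with mode 0700 (constructed example: `char *path_creds = PBS_SERVER_HOME "/creds";`) and treat "/tmp" as an explicit configuration choice. Whether a config option overrides path_creds is not visible in this hunk.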
> requests.c b/src/resmom/requests.c index 534975d..fcfb25a 100644 ---
> a/src/resmom/requests.c +++ b/src/resmom/requests.c @@ -1149,6
> +1149,11 @@ void req_deletejob( /* assume success? */ +#ifdef GSSAPI
> + /* clean up the ticket file */ + pbsgss_delete_creds(pjob-
> >ji_qs.ji_jobid,path_creds); +#endif + mom_deljob(pjob); reply_ack
> (preq); @@ -4149,7 +4154,10 @@ int req_accept_forwarded_creds(struct
> batch_request *request, int socket, int sa *atindex = '\0'; pwinfo =
> getpwnam(forwarded_princ); if (pwinfo != NULL) { - chown
> (ccname,pwinfo->pw_uid,pwinfo->pw_gid); + if (chown(ccname,pwinfo-
> >pw_uid,pwinfo->pw_gid) != 0) { + free(ccname); + return -1; + } }
> *atindex = '@'; } diff --git a/src/server/job_func.c b/src/server/
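Review bot: The new check makes a failed chown() fatal, but it still operates on the path in ccname rather than on the descriptor the cache was written through, so ownership goes to whatever that path resolves to at the moment of the call; if the writing side still has the fd open, `fchown(fd, pwinfo->pw_uid, pwinfo->pw_gid)` closes that window (the creation code is outside this hunk). On failure the function returns -1 after freeing ccname but leaves the just-written cache in place under the daemon's ownership and says nothing; unlink it and log the errno, e.g. `log_err(errno, "req_accept_forwarded_creds", "chown of credential cache failed");`, before returning. The `pwinfo == NULL` case (unknown principal) appears to fall through silently and deserves the same treatment.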
> job_func.c index fc5c27a..7622774 100644 --- a/src/server/job_func.c
> +++ b/src/server/job_func.c @@ -1478,10 +1478,6 @@ void job_purge
> ( char namebuf[MAXPATHLEN + 1]; extern char *msg_err_purgejob; -
> #ifdef GSSAPI - char *ccname; - char *kdestroy; -#endif if ((pjob-
> >ji_qs.ji_substate != JOB_SUBSTATE_TRANSIN) && (pjob-
> >ji_qs.ji_substate != JOB_SUBSTATE_TRANSICM)) @@ -1632,16 +1628,7 @@
> void job_purge( } #ifdef GSSAPI - ccname = ccname_for_job(pjob-
> >ji_qs.ji_jobid,path_creds); - if (ccname) { - kdestroy = malloc
> (sizeof(char) * (strlen(ccname) + strlen(KRB5_KDESTROY) + 5)); - if
> (kdestroy) { - sprintf(kdestroy,"%s -c %s",KRB5_KDESTROY,ccname); -
> system(kdestroy); - free(kdestroy); - } - free(ccname); - } +
> pbsgss_delete_creds(pjob->ji_qs.ji_jobid,path_creds); #endif job_free
> (pjob); diff --git a/src/server/req_quejob.c b/src/server/
> req_quejob.c index 91f3d69..d46f348 100644 --- a/src/server/
> req_quejob.c +++ b/src/server/req_quejob.c @@ -381,7 +381,7 @@ void
> req_quejob( } jobidcopy = malloc(sizeof(char) * (strlen(jid) + 2));
> strcpy(jobidcopy,jid); - set_task(WORK_Timed,time((time_t *)0) +
> 3600*3,renew_job_credentials,jobidcopy); + set_task(WORK_Timed,time
> ((time_t *)0) + 1200,renew_job_credentials,jobidcopy); free(ccname);
> #endif /* GSSAPI */ diff --git a/src/server/svr_chk_owner.c b/src/
> server/svr_chk_owner.c index 4ef4b5e..95822f9 100644 --- a/src/
> server/svr_chk_owner.c +++ b/src/server/svr_chk_owner.c @@ -375,6
> +375,8 @@ int svr_get_privilege( #endif } +#endif /* __CYGWIN__ */ +
> if (!(server.sv_attr[(int)SRV_ATR_managers].at_flags &
> ATR_VFLAG_SET)) { if (is_root) diff --git a/src/server/
> svr_jobfunc.c b/src/server/svr_jobfunc.c index e02e5b7..5aa73ec
> 100644 --- a/src/server/svr_jobfunc.c +++ b/src/server/svr_jobfunc.c
> @@ -2450,8 +2450,10 @@ void renew_job_credentials (struct work_task
> *ptask) { allocated in req_quejob.c just to hold the jobname for the
> renewal tasks */ if (retval == 0) { - set_task(WORK_Timed,time_now +
> 3600*3,renew_job_credentials,jobname); + set_task
> (WORK_Timed,time_now + 3600,renew_job_credentials,jobname); } else
> { + sprintf(logbuffer, "failed to renew tickets for %s : %d",
> jobname, retval); + log_event(PBSEVENT_ERROR, PBS_EVENTCLASS_SERVER,
> "renew_job_credentials", log_buffer); free(jobname); } }