From: Jeff Layton <jlayton@redhat.com>
To: raini-9HxftnAiGddWk0Htik3J/w@public.gmane.org
Cc: linux-nfs@vger.kernel.org
Subject: Re: [NFS] NFS/krb and batch jobs - doable?
Date: Fri, 9 Oct 2009 12:16:02 -0400 [thread overview]
Message-ID: <20091009121602.5ec86dfb@tlielax.poochiereds.net> (raw)
In-Reply-To: <c8e974302190b867ad8ea49d8158f1db.squirrel-2RFepEojUI30fF+2cCIZ11aTQe2KTcn/@public.gmane.org>
On Fri, 9 Oct 2009 08:15:12 -0700
raini-9HxftnAiGddWk0Htik3J/w@public.gmane.org wrote:
> I've been struggling for some time to understand how to allow users of
> long-running batch jobs to continue to do so in an environmnet migrated to
> NFS4 with kerberos (from non-kerberized NFS), centered around the problem
> of keeping their batch job credentials separate from login credentials,
> which might otherwise mangle or delete them and cause the batch jobs to
> die on logout - or say if the users opted for renewable tickets for the
> job explicitly but the system default is non-renewable.
>
> The central problem seems to be that NFS4 (on Linux at least) doesn't
> support the concept of multiple sessions, and seems to expect to see a
> standard ccache filename /tmp/krb5cc_${UID}. Am I right in thinking this
> is a fundamental limitation?
No, gssd (the client side daemon) will search /tmp for anything that
looks like a credcache for the right user, verify that it is a
credcache and then pick the one with the latest TGT expiration.
> I've played with KRB5CCNAME but am led to
> believe NFS ignores this; I've also added ccname template settings to
> krb5.conf and PAM to try to fool NFS into separating batch job credentials
> from user ones, but don't seem to be getting a robust separation.
>
You're correct that NFS ignores $KRB5CCNAME. It uses the above (less
than optimal) heuristic instead.
> The essential problem is that I need an environment where a user can
> obtain credentials that may be different from the desirable interactive
> default (e.g. longer duration, renewable), then run a batch job, ideally
> in the heterogeneous ways they do currently - run via a shell, kicked off
> on another machine via ssh, via condor - and not have its credentials at
> risk if the user then logs into the machine it's running on, submits a
> second job etc.
>
> Is this doable currently? I'm surprised (so far) to not run across people
> who are doing this, and would be very surprised if it's not a requirement
> for many. If not, is it likely to be doable soon and what does it depend
> on?
>
Probably doable, but not trivial. IIRC, the kernel tracks credentials
by uid. You'd need to determine some way to split that up so that each
"session" has separate credentials. Once you do that, you'll have to
have the kernel pass enough info to the upcall for it to determine what
credcache it should use and modify gssd to use the new info accordingly.
--
Jeff Layton <jlayton@redhat.com>
next prev parent reply other threads:[~2009-10-09 16:16 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-10-09 15:15 [NFS] NFS/krb and batch jobs - doable? raini-9HxftnAiGddWk0Htik3J/w
[not found] ` <c8e974302190b867ad8ea49d8158f1db.squirrel-2RFepEojUI30fF+2cCIZ11aTQe2KTcn/@public.gmane.org>
2009-10-09 16:16 ` Jeff Layton [this message]
[not found] ` <20091009121602.5ec86dfb-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2009-10-09 16:53 ` raini-9HxftnAiGddWk0Htik3J/w
[not found] ` <1c358fde92c49215d84129a1bfe2c6ec.squirrel-2RFepEojUI30fF+2cCIZ11aTQe2KTcn/@public.gmane.org>
2009-10-10 13:00 ` Jeff Layton
[not found] ` <20091010090039.4dfd1dfb-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2009-10-13 15:28 ` raini-9HxftnAiGddWk0Htik3J/w
[not found] ` <ee56329e7d86a3e4b15001a39bb7e14a.squirrel-2RFepEojUI30fF+2cCIZ11aTQe2KTcn/@public.gmane.org>
2009-10-13 15:44 ` Jeff Layton
[not found] ` <20091013114441.2882c8b9-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2009-10-13 15:51 ` Kevin Coffman
2009-10-13 16:56 ` Trond Myklebust
2009-10-13 17:27 ` Jeff Layton
[not found] ` <20091013132701.72927b4d-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2009-10-13 17:51 ` Trond Myklebust
2009-10-13 18:03 ` Jeff Layton
2009-10-14 16:47 ` raini
2009-10-14 17:12 ` Trond Myklebust
2009-10-14 18:19 ` Kevin Coffman
2009-10-13 15:59 ` raini
2009-10-13 17:31 ` Jeff Layton
2009-10-13 17:52 ` Jeff Layton
2009-10-14 17:00 ` raini
2009-10-14 17:21 ` Jeff Layton
[not found] ` <f99e65f7b2fe66fc32dee931fd6bd525.squirrel@webmail.rainiday.com>
[not found] ` <f99e65f7b2fe66fc32dee931fd6bd525.squirrel-2RFepEojUI30fF+2cCIZ11aTQe2KTcn/@public.gmane.org>
2009-10-09 17:05 ` raini-9HxftnAiGddWk0Htik3J/w
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091009121602.5ec86dfb@tlielax.poochiereds.net \
--to=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=raini-9HxftnAiGddWk0Htik3J/w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox