kerberos update

This commit is contained in:
caubet_m 2022-07-15 15:22:12 +02:00
parent 7e8b56e0f7
commit 2d267ae8d2

View File

@ -108,7 +108,7 @@ Then, from inside the batch script one can obtain granting tickets for Kerberos
The steps should be the following: The steps should be the following:
* Setup `KRB5CCNAME`, which can be used to specify the location of the Kerberos5 credentials (ticket) cache. In general it should point to a shared area * Setup `KRB5CCNAME`, which can be used to specify the location of the Kerberos5 credentials (ticket) cache. In general it should point to a shared area
(`$HOME/.k5` is a good location), and is strongly recommended to generate an independent Kerberos5 cache (it is, creating a new cache for each job): (`$HOME/.k5` is a good location), and is strongly recommended to generate an independent Kerberos5 credential cache (it is, creating a new credential cache per Slurm job):
```bash ```bash
export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")" export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")"
``` ```
@ -127,10 +127,9 @@ kdestroy
### Slurm batch script example: obtaining KRB+AFS granting tickets ### Slurm batch script example: obtaining KRB+AFS granting tickets
#### Example 1: Independent crendetial cache per Slurm job
#### Example 1: independent cache file This is the **recommended** way. At the end of the job, is strongly recommended to remove / destroy the existing kerberos tickets.
This is the recommended way:
```bash ```bash
#!/bin/bash #!/bin/bash
@ -155,21 +154,20 @@ echo "Here should go my batch script code."
# Destroy Kerberos tickets created for this job only # Destroy Kerberos tickets created for this job only
kdestroy kdestroy
klist klist
# Remove the remaining cache file
rm -f $KRB5CCNAME
``` ```
#### Example 2: Shared credential cache
#### Example 2: shared cache file Some users may need/prefer to run with a shared cache file. For doing that, one needs to
setup `KRB5CCNAME` from the **login node** session, before submitting the job.
Some users may need/prefer to run with a shared cache file.
* From the login nodes:
```bash ```bash
export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")" export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")"
``` ```
* Run the job script. `KRB5CCNAME` will be set in the environment of the job itself:
Then, you can run one or multiple jobs scripts (or parallel job with `srun`). `KRB5CCNAME` will be propagated to the
job script or to the parallel job, therefore a single credential cache will be shared amongst different Slurm runs.
```bash ```bash
#!/bin/bash #!/bin/bash
@ -190,4 +188,6 @@ aklog
klist klist
echo "Here should go my batch script code." echo "Here should go my batch script code."
echo "No need to run 'kdestroy', as it may have to survive for running other jobs"
``` ```