kerberos update

pages/merlin6/02-How-To-Use-Merlin/kerberos.md

@@ -108,19 +108,9 @@ Then, from inside the batch script one can obtain granting tickets for Kerberos
 The steps should be the following:
 
 * Setup `KRB5CCNAME`, which can be used to specify the location of the Kerberos5 credentials (ticket) cache. In general it should point to a shared area 
-(`$HOME/.k5` is a good location), and is strongly recommended to generate a shared Kerberos5 cache (in example, in that way one can always refresh 
+(`$HOME/.k5` is a good location), and is strongly recommended to generate an independent Kerberos5 cache (it is, creating a new cache for each job):
-granting tickets for long jobs from anywhere):
-
 ```bash
-# Example one: Shared Kerberos5 cache
-#              Same cache file for all jobs
-#              Generally, always the recommended option
 export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")"
-
-# Example two: Independent Kerberos5 cache
-#              ${SLURM_JOBID} will make the cache independent per job
-#              Use it only if necessary
-export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX-{SLURM_JOBID}")"
 ```
 * To obtain a Kerberos5 granting ticket, run `kinit` by using your keytab:
 ```bash
@@ -129,13 +119,18 @@ kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH
 * To obtain a granting AFS ticket, run `aklog`:
 ```bash
 aklog
-``**
+```
+* At the end of the job, you can remove destroy existing Kerberos tickets. 
+```bash
+kdestroy
+```
 
 ### Slurm batch script example: obtaining KRB+AFS granting tickets
 
-#### Example 1: shared cache file
 
-This is the **recommended*** way for running:
+#### Example 1: independent cache file
+
+This is the recommended way:
 
 ```bash
 #!/bin/bash
@@ -155,29 +150,6 @@ kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH
 aklog
 klist
 
-echo "Here should go my batch script code."
-```
-
-#### Example 2: independent cache file
-
-```bash
-#!/bin/bash
-#SBATCH --partition=hourly            # Specify 'general' or 'daily' or 'hourly'
-#SBATCH --time=01:00:00               # Strictly recommended when using 'general' partition.
-#SBATCH --output=run.out              # Generate custom output file
-#SBATCH --error=run.err               # Generate custom error  file
-#SBATCH --nodes=1                     # Uncomment and specify #nodes to use
-#SBATCH --ntasks=1                    # Uncomment and specify #nodes to use 
-#SBATCH --cpus-per-task=1
-#SBATCH --constraint=xeon-gold-6152
-#SBATCH --hint=nomultithread
-#SBATCH --job-name=krb5
-
-export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX-${SLURM_JOBID}")"
-kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH
-aklog
-klist
-
 echo "Here should go my batch script code."
 
 # Destroy Kerberos tickets created for this job only
@@ -187,3 +159,35 @@ klist
 # Remove the remaining cache file
 rm -f $KRB5CCNAME
 ```
+
+
+#### Example 2: shared cache file
+
+Some users may need/prefer to run with a shared cache file.
+
+* From the login nodes:
+```bash
+export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")"
+```
+* Run the job script. `KRB5CCNAME` will be set in the environment of the job itself:
+```bash
+
+#!/bin/bash
+#SBATCH --partition=hourly            # Specify 'general' or 'daily' or 'hourly'
+#SBATCH --time=01:00:00               # Strictly recommended when using 'general' partition.
+#SBATCH --output=run.out              # Generate custom output file
+#SBATCH --error=run.err               # Generate custom error  file
+#SBATCH --nodes=1                     # Uncomment and specify #nodes to use
+#SBATCH --ntasks=1                    # Uncomment and specify #nodes to use 
+#SBATCH --cpus-per-task=1
+#SBATCH --constraint=xeon-gold-6152
+#SBATCH --hint=nomultithread
+#SBATCH --job-name=krb5
+
+# KRB5CCNAME is inherit from the login node session
+kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH
+aklog
+klist
+
+echo "Here should go my batch script code."
+```