krb5 auth plugin questions

Nathan Huff

May 27, 2005, 3:38:06 PM
to slurm-dev
I have started researching what it would take to write a krb5 auth
plugin. I now understand why it doesn't exist yet. My main question is
what would people want from a krb5 auth plugin? I have a feeling I am
going to have to change some internals and break the auth plugin API to
get it to work at all. Depending on what people want from it, that might make
a difference in how much. The main problem is that srun acts like a server
in some cases.

Also does slurm ever use UDP? There is code to allow it and some
functions seem to imply that they might, but I can't find anywhere a
DGRAM socket is actually ever set up.

--
Nathan Huff
North Dakota State University

Morris Jette

May 31, 2005, 12:51:59 PM
to slur...@lists.llnl.gov, Nathan Huff


The basic thing we need from the authentication plugin is a means
of verifying that a request to run a job for user nhuff was really
initiated by user nhuff. Of course the same authentication mechanism
is required for a multitude of other RPCs. Munge and authd seem to
satisfy this requirement for everyone using slurm today and very
few others have expressed an interest in Kerberos (of course, you
are one of them).

Beyond the basic authentication, most Kerberos users would expect
their jobs to be initiated with a valid Kerberos credential and
have that credential refreshed as needed, ideally for all tasks
on all nodes.

Adding new functions and/or arguments to existing authentication
plugins may very well be necessary. We just finished adding support
for an IBM Federation switch and needed to add many new functions,
but they are just stubs for the other switch plugins.

There was some talk early in the slurm development cycle about using
UDP, but we decided to just use TCP. While TCP is somewhat less
flexible, it certainly is easier to use.
--
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Morris "Moe" Jette jet...@llnl.gov 925-423-4856
Integrated Computational Resource Management Group fax 925-423-6961
Livermore Computing Lawrence Livermore National Laboratory
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Nathan Huff

May 31, 2005, 3:09:16 PM
to slur...@lists.llnl.gov, Greg
I am not even trying to do anything that complex. The basic idea that I
am trying to get working is client authenticates to slurmctld which then
stores some user info with the job and then slurmctld authenticates
itself to the slurmds and passes the info to them. No forwarding of
tickets. If a site was using something like AFS then tickets would have
to be forwarded, but we are not. If I get the first idea working I
might think about how to do the latter.

Hopefully in the next day or two I can send a patch that, while not a
krb5 auth plugin, should at least show the general internal changes I am
making to try and get one working.

--
Nathan Huff
North Dakota State University.
