[Beowulf] Re: Kerberos + HPC

Perry E. Metzger perry at piermont.com
Wed Aug 13 10:09:34 PDT 2008


Dave Love <d.love at liverpool.ac.uk> writes:
> "Perry E. Metzger" <perry at piermont.com> writes:
>
>> So, you just run kinit in cron as the specified daemon user with the
>> appropriate flags and it will renew its own tickets and all is well.
>
> Who says you can even run kinit from cron if it was appropriate?
>
>> I'm not sure why people think this is all so mysterious. Can you
>> explain what is hard about this?
>
> That's just hand-waving.  Hard things include how you integrate it with
> a distributed batch system, for a start.

Kerberos is already a distributed system.

Machines at MIT have been refreshing their server tickets for what, 20
years now? This is not hard.

> Making it tolerably secure too.

That's why you use Kerberos.

> I don't want all users to keep keytabs around everywhere
> (synchronized with password changes),

You don't need to do that. If the issue is a user process on a remote
machine that needs user rather than server credentials, you forward
tickets or design things so server credentials are good enough to get
the needed resources once things have started. You can re-forward
tickets as often as you want.

There are large firms I know that run this stuff in production and it
really does work.

Perry


