Long-running jobs with renewal of krb5 tickets and AFS tokens

Thomas Kula kula at tproa.net
Sat Feb 28 18:04:38 EST 2009 

On Sat, Feb 28, 2009 at 05:42:58PM -0500, Jason Edgecombe wrote:
> We have users who need to run long-running jobs and store their files in 
> AFS during the run.
> 
> I've read the k5start and k5renew man pages, but I don't see how I can 
> have users type in their password when they start a job and have the 
> tickets and tokens keep being renewed.
> 
> How can I do this?

Give them a keytab, but not one for their normal identity (this
breaks things). Create, rather, an instance for them that can
be put in a keytab, give that instance permission to do whatever
it needs to do in AFS, and use the option to k5start that has it
use a keytab instead of asking for a password.

For example, here's what I do for cronjobs that need to access
AFS:

 - create a principal user/cron (e.g. kula/cron)
 - extract that into a keytab
 - put the keytab somewhere on local disk where only the
   user can get to it
 - Do what you need to do to give user/cron access to 
   files in AFS (create the PTS identity user.cron, put
   that on the appropriate ACLs)
 - Teach the user how to give the proper incantation to 
   k5start to get credentials from they keytab and keep
   renewing them until the job finishes.

This presumes, of course, that it works in your setup to put
that keytab somewhere on local disk and that the user will 
start the job from a machine that has the keytab on local
disk. Also, remember off course, that access to the keytab
gives access to the files, so protect it accordingly.

I've also had good luck starting a screen session inside of
it's own pag and with it's own credentials cache, and in one
window have something that runs the job and in another window
something renewing the user's credentials. That could be
something as simple as "user must remember to attach the screen
session every N hours and renew their credentails" to using
k5start with the keytab idea above. I don't think k5start has
an option that prompts you for a password *and* remembers it
to keep renewing credentials on your behalf, but since I always
just use the keytab option I'm not as familiar with that use
of k5start. If there is such an option, remember to treat the
environment it runs in as securely as you would treat the user's
credentials cache, since, well, that process has the user's 
password.

There are probably several other ways of doing this, but these
are a couple that have worked well for me, and at work we've
helped a couple users do the screen option, so at least someone
other than me can understand the process well enough to use
it (your users, of course, may vary).


-- 
Thomas L. Kula | kula at tproa.net | http://kula.tproa.net/

More information about the Kerberos mailing list