Versions Compared

Old Version 2

changes.mady.by.user Simon Guest

Saved on

compared with

New Version Current

changes.mady.by.user Matt Bixley

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The Kerberos tickets which is needed for database access are issued by AgResearch Active Directory, and have an expiry time of 10 hours, after which a new ticket must be requested, using kinit.

The current tickets can be seen with klist

Code Block
it23677> kinit

it23677> klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: guestsi@AGRESEARCH.CO.NZ

Valid starting       Expires              Service principal
08/14/2024 0817:4818:5635  08/1415/2024 03:18:48:5635  krbtgt/AGRESEARCH.CO.NZ@AGRESEARCH.CO.NZ
        renew until 08/1421/2024 17:18:48:5630

Note the 10 hour expiry time visible here.If 10 hour expiry turns out to be a problem for long-running jobs, the ticket expiry times for tickets issued by Active Directory will need to be increased

When using the krb5cc.home module version 0.2.0 or later (which is a default dependency of gquery as of 4/9/2024), tickets are automatically renewed every 4 hours up to 7 days. Note that each renewal will only last 10 hours. Note that the current modules may be seen with module list.

Beyond 7 days, the user needs to kinit a new ticket, which may be picked up by the existing ticket renewal process, or a new module load gquery may be required.

Explanation

Historically on legacy HPC, database credentials were stored in the filesystem, and users were probably oblivious to the fact that they were being fetched on their behalf to authenticate with the database.

...

Tickets are made available to compute nodes via a Kerberos credentials cache in the user’s home directory, which is set up during module load gquery. The updated cache location is visible in klist.

Interactive Example

On Login Node

Code Block
login-0$ kinit
login-0$ module load gquery
login-0$ srun --nodelist=compute --pty bash

On Compute Node, you do not need to run module load gqueryagain.

Code Block
compute-0 ~ $ gquery -t sources
....
physicalsourceuri       datasourcetype  createddate     lastupdateddate
/bifo/active/gseq_processing/bin/gquery_dev/gquery/unit_tests/mf_test1a.csv     GBS CSV Masterfile      2024-02-01      None
/dataset/deer_GBS/active/2024_Chinook_salmon_production_temp/SanfordAll20180418.csv     GBS CSV Masterfile      2024-10-24      2024-11-07
.....