...
The Kerberos tickets which is needed for database access are issued by AgResearch Active Directory, and have an expiry time of 10 hours, after which a new ticket must be requested, using kinit.
The current tickets can be seen with klist
...
Note the 10 hour expiry time visible here.
Tickets can be renewed When using the krb5cc.home module version 0.2.0 or later (which is a default dependency of gquery as of 4/9/2024), tickets are automatically renewed every 4 hours up to 7 days without a password, using kinit -R. Note that each renewal will only last 10 hours. Note that the current modules may be seen with module list.
Beyond 7 days, the user needs to kinit a new ticket, which may be picked up by the existing ticket renewal process, or a new module load gquery may be required.
Explanation
Historically on legacy HPC, database credentials were stored in the filesystem, and users were probably oblivious to the fact that they were being fetched on their behalf to authenticate with the database.
...
Tickets are made available to compute nodes via a Kerberos credentials cache in the user’s home directory, which is set up during module load gquery. The updated cache location is visible in klist.
Interactive Example
On Login Node
| Code Block |
|---|
login-0$ kinit
login-0$ module load gquery
login-0$ srun --nodelist=compute --pty bash |
On Compute Node, you do not need to run module load gqueryagain.
| Code Block |
|---|
compute-0 ~ $ gquery -t sources .... physicalsourceuri datasourcetype createddate lastupdateddate /bifo/active/gseq_processing/bin/gquery_dev/gquery/unit_tests/mf_test1a.csv GBS CSV Masterfile 2024-02-01 None /dataset/deer_GBS/active/2024_Chinook_salmon_production_temp/SanfordAll20180418.csv GBS CSV Masterfile 2024-10-24 2024-11-07 ..... |