How to run gquery on eRI

The gquery client suite is now supported on eRI.

Summary

To use gquery from a Slurm job it is necessary to have acquired the Kerberos ticket and module loaded gquery on the login node first.

Kerberos ticket expiry

The Kerberos tickets which is needed for database access are issued by AgResearch Active Directory, and have an expiry time of 10 hours.

The current tickets can be seen with klist

Note the 10 hour expiry time visible here.

When using the krb5cc.home module version 0.2.0 or later (which is a default dependency of gquery as of 4/9/2024), tickets are automatically renewed every 4 hours up to 7 days. Note that each renewal will only last 10 hours. Note that the current modules may be seen with module list.

Beyond 7 days, the user needs to kinit a new ticket, which may be picked up by the existing ticket renewal process, or a new module load gquery may be required.

Explanation

Historically on legacy HPC, database credentials were stored in the filesystem, and users were probably oblivious to the fact that they were being fetched on their behalf to authenticate with the database.

On eRI authentication is fine-grained per-user, making use of Kerberos tickets. Therefore a Kerberos ticket is required before attempting to run gquery.

The current Kerberos tickets may be viewed using klist. To obtain a ticket in the first instance, it is necessary to pass it through with ssh -o GSSAPIDelegateCredentials=yes (which may only work on WSL, not native Windows ssh nor putty nor MobaXTerm) or request after login with kinit.

Tickets are made available to compute nodes via a Kerberos credentials cache in the user’s home directory, which is set up during module load gquery. The updated cache location is visible in klist.

Interactive Example

On Login Node

On Compute Node, you do not need to run module load gqueryagain.