Friday, June 01, 2007

TeraGrid Single Sign On

I don't understand why the TeraGrid brain trust doesn't have this more clearly documented. You'd think they'd also want to automate all of the following steps.

If you get a Teragrid roaming account, you will get access to ~ a dozen clusters and supercomputers. You'll also get several different usernames and passwords for each site. It's a big mess.

Luckily, you can use your Grid credentials as a single sign-on (just like Kerberos!). This will save you from remembering 10 different usernames and passwords. Here are the steps:
  1. Login to one of the teragrid machines (I used one at SDSC) and create a grid public and private key pair. Use the "cacl" command.
  2. Copy your key pair (should be in your $HOME/.globus directory) to all other machines you plan to use. This can include your Linux/Mac desktop. If you use Windows, try Gregor's Java CoG kit.
  3. Run the gx-map command on all the machines you plan to use. This will automatically update the /etc/grid-security/grid-mapfile and add your local username and global DN. The update is probably done with a cron script, so it may take an hour or so.
You're done. Well, you may want to install Globus on your local desktop machine. This is a little heavy (you don't need all the services, probably), but it gives you access to all the command line clients, including GSI-enabled ssh.

GSI-enabled SSH is where the magic happens. This is should be located somewhere under your globus installation like $GLOBUS_LOCATION/bin/ssh.d/ssh. Do the following shell commands:
  1. export GLOBUS_LOCATION=/path/to/your/globus
  2. source $GLOBUS_LOCATION/etc/
  3. grid-proxy-init
  4. which ssh
Step #3 will get you a grid proxy credential that is good for a few hours (just like Kerberos!). Step #4 is a check to make sure that you are using the GSI enabled ssh. If not, modify your $PATH or use the full path as shown above.

You can now ssh to any machine in the TeraGrid as long as you have gx-mapped your self into the grid-mapfile. The grid-mapfile will take care of mapping your global DN identity (part of your grid keys) to your account name on the local machine.

No comments: