Allow multiple auth methods in PBSPro

Overview

Currently, PBS allows only one auth method to be configured, and that single method is used both to authenticate and to encrypt/decrypt data. This design proposes new configuration switches that let an admin/user choose between different auth methods, and choose separately whether data is encrypted/decrypted at all.

Breaking change

As part of these interface changes there is one breaking change: the auth batch request identifier changes, so a new PBS server will not understand the auth request sent by an old PBS client. Old clients therefore cannot authenticate to a new server until they are upgraded.

New Interfaces

Interface: New key "PBS_SUPPORTED_AUTH_METHODS" in pbs.conf

  • Visibility: Public
  • Change Control: Stable
  • Synopsis: To specify supported and allowed auth methods on the server
  • Details: This switch allows an admin/user to configure a comma-separated list of the auth methods that the authenticating server (PBS Server/Comm/MoM/Sched) understands and allows for authentication. If this switch is configured, the authenticating server accepts authentication only via one of the listed methods; the client first tells the server which method it wants to use to authenticate itself (taken from the client's PBS_AUTH_METHOD key), and a client that announces a method not in the list is rejected. The default value is "resvport", so a server configured with, for example, "munge,gss" will reject clients that left PBS_AUTH_METHOD unset. The value is case-insensitive: "MUNGE,gss", "munge,gss", "Munge,Gss", "munge,GSS" and "MUNGE,GSS" are all equivalent. This key is used only by the authenticating server and is ignored on the client side.

Interface: New key "PBS_ENCRYPT_METHOD" in pbs.conf

  • Visibility: Public
  • Change Control: Stable
  • Synopsis: To specify which auth library to use to encrypt/decrypt data
  • Details: This switch allows an admin/user to configure which library is used to encrypt/decrypt data. The given library must support encrypting/decrypting data: if this switch is present in pbs.conf and the named library does not support it, PBS reports the error "The given PBS_ENCRYPT_METHOD = <library> does not support encrypt/decrypt of data" at startup and fails to start. If this switch is not specified, PBS does not encrypt/decrypt data at all. This key is meant to be used together with PBS_AUTH_METHOD so that one library authenticates and another encrypts/decrypts. For example, to use "munge" for authentication only and "gss" for encrypting/decrypting only, set PBS_AUTH_METHOD=munge and PBS_ENCRYPT_METHOD=gss. The value is case-insensitive. This key is client-driven, so it should be set on the client side only.

Interface: Modification to "PBS_AUTH_METHOD" in pbs.conf

  • Visibility: Public
  • Change Control: Stable
  • Synopsis: To specify the default auth method to use for authentication and/or encrypt/decrypt data
  • Details: This switch allows an admin/user to configure which auth library the client uses by default to authenticate itself. The client announces this method to the authenticating server, which must list it in its PBS_SUPPORTED_AUTH_METHODS for the authentication to be accepted. The value is case-insensitive. The default value is "resvport". This key is client-driven, so it should be set on the client side only.
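The interaction of the three keys above (server-side allowlist, client-side choice, separate encrypt library, case-insensitivity, "resvport" default, and the startup failure when the encrypt library cannot encrypt) is easy to get wrong when writing a site's pbs.conf. The following is an added example that models those rules in a few Python functions; it is not PBSPro code. The pbs.conf fragments are constructed for the example, and the ENCRYPT_CAPABLE table is an assumption made for illustration (the page's own example treats munge as authentication-only and gss as able to encrypt/decrypt).

```python
"""Model of the pbs.conf auth/encrypt switches described on this page.

Hypothetical illustration, not PBSPro source. The capability table and
the pbs.conf fragments below are constructed for the example.
"""

# Assumed capability table: which auth libraries can also encrypt/decrypt.
# Illustrative only; consult the library itself for the real answer.
ENCRYPT_CAPABLE = {
    "resvport": False,
    "munge": False,
    "gss": True,
}

DEFAULT_AUTH_METHOD = "resvport"


def parse_pbs_conf(text):
    """Parse KEY=VALUE lines of a pbs.conf fragment into a dict.

    Blank lines and '#' comments are skipped; keys are upper-cased,
    values are kept verbatim (case handling is done per key below)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed pbs.conf line: %r" % raw)
        conf[key.strip().upper()] = value.strip()
    return conf


def supported_auth_methods(server_conf):
    """Server side: the set of allowed auth methods, lower-cased.

    PBS_SUPPORTED_AUTH_METHODS is comma-separated and case-insensitive;
    when absent it defaults to just "resvport"."""
    raw = server_conf.get("PBS_SUPPORTED_AUTH_METHODS", DEFAULT_AUTH_METHOD)
    methods = {m.strip().lower() for m in raw.split(",") if m.strip()}
    return methods or {DEFAULT_AUTH_METHOD}


def client_auth_method(client_conf):
    """Client side: the auth method the client announces (default resvport)."""
    return client_conf.get("PBS_AUTH_METHOD", DEFAULT_AUTH_METHOD).lower()


def client_encrypt_method(client_conf):
    """Client side: library used to encrypt/decrypt, or None for no encryption.

    Raises ValueError when the named library cannot encrypt/decrypt, with the
    message the page says PBS reports before refusing to start."""
    method = client_conf.get("PBS_ENCRYPT_METHOD")
    if method is None:
        return None
    method = method.lower()
    if not ENCRYPT_CAPABLE.get(method, False):
        raise ValueError("The given PBS_ENCRYPT_METHOD = %s does not support "
                         "encrypt/decrypt of data" % method)
    return method


def startup_check(client_conf):
    """Return None if the client config would start, else the error message."""
    try:
        client_encrypt_method(client_conf)
    except ValueError as err:
        return str(err)
    return None


def server_accepts(server_conf, client_conf):
    """Does the authenticating server allow the method the client announces?"""
    return client_auth_method(client_conf) in supported_auth_methods(server_conf)


# Constructed pbs.conf fragments (not taken from a real site).
SERVER_CONF = parse_pbs_conf("""
# authenticating side: server/comm/mom/sched
PBS_SUPPORTED_AUTH_METHODS=MUNGE,gss
""")

CLIENT_CONF = parse_pbs_conf("""
# client side: authenticate with munge, encrypt with gss
PBS_AUTH_METHOD=munge
PBS_ENCRYPT_METHOD=GSS
""")

LEGACY_CLIENT_CONF = parse_pbs_conf("""
# client that never set PBS_AUTH_METHOD falls back to resvport,
# and names an encrypt library that cannot encrypt
PBS_ENCRYPT_METHOD=munge
""")

if __name__ == "__main__":
    print(sorted(supported_auth_methods(SERVER_CONF)))
    print(server_accepts(SERVER_CONF, CLIENT_CONF))
    print(client_encrypt_method(CLIENT_CONF))
    print(server_accepts(SERVER_CONF, LEGACY_CLIENT_CONF))
    print(startup_check(LEGACY_CLIENT_CONF))
```

Running it shows the two failure modes a practitioner hits in practice: the legacy client is refused by the server because "resvport" is not in the server's list, and it would not even start because its PBS_ENCRYPT_METHOD names a library that cannot encrypt.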


