Idea #22383

Change superuser behavior to not need VOMS authentication

Added by Shreyas Bhat 5 months ago. Updated 4 months ago.

Status: New
Priority: Normal
Assignee:
Category: JobSub Server RPM
Target version:
Start date: 04/16/2019
Due date:
% Done: 0%
Estimated time:
Stakeholders:
Duration:

Description

This is an idea that Kevin Retzke came up with when realizing that, for example, for landscape certs to properly access sandboxes in jobsub, he needed to make sure that he was in every single VO that jobsub supports.

The idea is that a global superuser shouldn't need VOMS to do anything. If they present a cert that FERRY maps to a global superuser, then they should be authenticated to at least read files.

I filed this as an idea because it's a major change that needs discussion.

History

#1 Updated by Shreyas Bhat 5 months ago

Log output as an example

[22/Apr/2019:10:04:06]  [139982376310528]: jobsub_api.py starting: JOBSUB_INI_FILE:/opt/jobsub/server/conf/jobsub.ini cacheing:False cache_duration:120 seconds
[22/Apr/2019:10:04:06]  [139982376310528:scheddload.py:index] acctgroup=uboone, kwargs={}
[22/Apr/2019:10:04:06]  [139982376310528:condor_commands.py:ui_condor_status_totalrunningjobs] condor_status -schedd -constraint 'stringListMember(name,"jobsub01.fnal.gov,jobsub02.fnal.gov")&&(supportedvolist=?=Null || stringlistimember("uboone",supportedvolist)=?=true)&&!isUndefined(InDownTime) && (InDownTime =!= True)&&(InDownTime =!= "True") && stringListMember(name,"jobsub01.fnal.gov,jobsub02.fnal.gov")' -af name TotalRunningJobs
[22/Apr/2019:10:07:45]  [139982628067072]: jobsub_api.py starting: JOBSUB_INI_FILE:/opt/jobsub/server/conf/jobsub.ini cacheing:False cache_duration:120 seconds
[22/Apr/2019:10:07:45]  [139982376310528]: jobsub_api.py starting: JOBSUB_INI_FILE:/opt/jobsub/server/conf/jobsub.ini cacheing:False cache_duration:120 seconds
[22/Apr/2019:10:07:45]  [139982376310528:jobsub.py:default_voms_role] default voms role for accel : Analysis
[22/Apr/2019:10:07:45]  [139982376310528:auth.py:wrapper]
[22/Apr/2019:10:07:45]  [139982376310528:auth.py:wrapper] args = (<sandboxes.SandboxesResource object at 0x7f502862c8d0>,) kwargs={'acctgroup': 'accel', 'user_id': 'tropin', 'job_id': '18652252.0@jobsub02.fnal.gov', 'file_id': 'lbnf2019-apex.sh_20190421_040136_2385450_0_1_cluster.18652252.132.out'}
[22/Apr/2019:10:07:45]  [139982376310528:auth.py:wrapper] request method=GET
[22/Apr/2019:10:07:45]  [139982376310528:auth.py:wrapper] DN: /DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab/CN=jobview-graphitesrv01.fnal.gov, acctgroup: accel
[22/Apr/2019:10:07:45]  [139982376310528:auth.py:create_voms_proxy] create_voms_proxy: Authenticating DN: /DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab/CN=jobview-graphitesrv01.fnal.gov
[22/Apr/2019:10:07:45]  [139982376310528:auth.py:authenticate] Authentication method precedence: ['ferry']
[22/Apr/2019:10:07:45]  [139982376310528:auth.py:authenticate] Authenticating using method: ferry
[22/Apr/2019:10:07:45]  [139982376310528:auth_ferry.py:authenticate] acctgroup=accel, acctrole=Analysis
[22/Apr/2019:10:07:45]  [139982376310528:authutils.py:json_from_file] checking for /var/lib/jobsub/ferry/vo_role_fqan_map.json
[22/Apr/2019:10:07:45]  [139982376310528:authutils.py:json_from_file] age of /var/lib/jobsub/ferry/vo_role_fqan_map.json is 397.629441023
[22/Apr/2019:10:07:45]  [139982376310528:auth_ferry.py:authenticate] fqan=None
[22/Apr/2019:10:07:45]  [139982376310528:authutils.py:json_from_file] checking for /var/lib/jobsub/ferry/fqan_user_map.json
[22/Apr/2019:10:07:45]  [139982376310528:authutils.py:json_from_file] age of /var/lib/jobsub/ferry/fqan_user_map.json is 397.6242342
[22/Apr/2019:10:07:45]  [139982376310528:authutils.py:json_from_file] checking for /var/lib/jobsub/ferry/dn_user_roles_map.json
[22/Apr/2019:10:07:45]  [139982376310528:authutils.py:json_from_file] age of /var/lib/jobsub/ferry/dn_user_roles_map.json is 388.222054958
[22/Apr/2019:10:07:45]  [139982376310528:auth_ferry.py:authenticate] ferry mapped dn '/DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab/CN=jobview-graphitesrv01.fnal.gov' fqan 'None' to 'kretzke'
[22/Apr/2019:10:07:45]  [139982376310528:auth.py:create_voms_proxy] create_voms_proxy: Authorizing user: kretzke acctgroup: accel role: Analysis
[22/Apr/2019:10:07:45]  [139982376310528:auth.py:authorize] Authorizing method precedence: ['ferry']
[22/Apr/2019:10:07:45]  [139982376310528:auth.py:authorize] Authorizing using method: ferry
[22/Apr/2019:10:07:45]  [139982376310528:jobsub.py:default_voms_role] default voms role for accel : Analysis
[22/Apr/2019:10:07:45]  [139982376310528:authutils.py:x509_proxy_fname] Using x509_proxy_name=/var/lib/jobsub/creds/proxies/accel/x509cc_kretzke_Analysis
[22/Apr/2019:10:07:45]  [139982376310528:authutils.py:needs_refresh] /var/lib/jobsub/creds/proxies/accel/x509cc_kretzke_Analysis 3600
[22/Apr/2019:10:07:45]  [139982376310528:authutils.py:needs_refresh] /var/lib/jobsub/creds/proxies/accel/x509cc_kretzke_Analysis does not exist, need to refresh
[22/Apr/2019:10:07:45]  [139982376310528:jobsub.py:should_transfer_krb5cc] group accel is NOT authorized to transfer krb5 cache
[22/Apr/2019:10:07:45]  [139982376310528:auth_myproxy.py:authorize] /usr/bin/myproxy-logon -n -l "/DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab/CN=jobview-graphitesrv01.fnal.gov" -s myproxy.fnal.gov -t 24 -o /var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t
[22/Apr/2019:10:07:45]  [139982376310528:auth_myproxy.py:authorize] out= A credential has been received for user /DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab/CN=jobview-graphitesrv01.fnal.gov in /var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t.

[22/Apr/2019:10:07:45]  [139982376310528:authutils.py:x509pair_to_vomsproxy] tmp_proxy_fname=/var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t_mzB1N_
[22/Apr/2019:10:07:45]  [139982376310528:authutils.py:x509pair_to_vomsproxy] /usr/bin/voms-proxy-init -noregen -rfc -ignorewarn -valid 24:00 -bits 1024 -voms fermilab:/fermilab/accel/Role=Analysis -out            /var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t_mzB1N_ -cert /var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t -key /var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t
[22/Apr/2019:10:07:45]  [139982376310528:authutils.py:make_proxy_from_cmd] cmd=/usr/bin/voms-proxy-init -noregen -rfc -ignorewarn -valid 24:00 -bits 1024 -voms fermilab:/fermilab/accel/Role=Analysis -out            /var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t_mzB1N_ -cert /var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t -key /var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t proxy_fname=/var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t tmp_proxy_fname=/var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t_mzB1N_ role=Analysis
[22/Apr/2019:10:07:46]  [139982376310528:authutils.py:make_proxy_from_cmd] failed tb=Traceback (most recent call last):
  File "/opt/jobsub/server/webapp/authutils.py", line 533, in make_proxy_from_cmd
    cmd_out, cmd_err = subprocessSupport.iexe_cmd(cmd, child_env=env_dict)
  File "/opt/jobsub/server/webapp/subprocessSupport.py", line 87, in iexe_cmd
    exitStatus, stdoutdata, stderrdata))
CalledProcessError: Command '/usr/bin/voms-proxy-init -noregen -rfc -ignorewarn -valid 24:00 -bits 1024 -voms fermilab:/fermilab/accel/Role=Analysis -out            /var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t_mzB1N_ -cert /var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t -key /var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t' returned non-zero exit status 1:
EXITCODE:1
STDOUT:Your identity: /DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab/CN=jobview-graphitesrv01.fnal.gov/CN=1938932606/CN=1849485194
Contacting  voms2.fnal.gov:15001 [/DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab/CN=voms2.fnal.gov] "fermilab" Failed

Trying next server for fermilab.
Contacting  voms1.fnal.gov:15001 [/DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab/CN=voms1.fnal.gov] "fermilab" Failed

STDERR:
Error: fermilab: Unable to satisfy B/fermilab/accel:Analysis request!

Error: fermilab: Unable to satisfy B/fermilab/accel:Analysis request!

None of the contacted servers for fermilab were capable
of returning a valid AC for the user.
[22/Apr/2019:10:07:46]  [139982376310528:auth_myproxy.py:authorize] Traceback (most recent call last):
  File "/opt/jobsub/server/webapp/auth_myproxy.py", line 76, in authorize
    x509_tmp_fname, x509_tmp_fname, x509_tmp_fname, acctgroup, acctrole)
  File "/opt/jobsub/server/webapp/authutils.py", line 475, in x509pair_to_vomsproxy
    make_proxy_from_cmd(cmd, proxy_fname, tmp_proxy_fname, role=acctrole)
  File "/opt/jobsub/server/webapp/authutils.py", line 533, in make_proxy_from_cmd
    cmd_out, cmd_err = subprocessSupport.iexe_cmd(cmd, child_env=env_dict)
  File "/opt/jobsub/server/webapp/subprocessSupport.py", line 87, in iexe_cmd
    exitStatus, stdoutdata, stderrdata))
CalledProcessError: Command '/usr/bin/voms-proxy-init -noregen -rfc -ignorewarn -valid 24:00 -bits 1024 -voms fermilab:/fermilab/accel/Role=Analysis -out            /var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t_mzB1N_ -cert /var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t -key /var/lib/jobsub/tmp/x509cc_kretzke_Analysis_11s10t' returned non-zero exit status 1:
EXITCODE:1
STDOUT:Your identity: /DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab/CN=jobview-graphitesrv01.fnal.gov/CN=1938932606/CN=1849485194
Contacting  voms2.fnal.gov:15001 [/DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab/CN=voms2.fnal.gov] "fermilab" Failed

Trying next server for fermilab.
Contacting  voms1.fnal.gov:15001 [/DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab/CN=voms1.fnal.gov] "fermilab" Failed

STDERR:
Error: fermilab: Unable to satisfy B/fermilab/accel:Analysis request!

Error: fermilab: Unable to satisfy B/fermilab/accel:Analysis request!

None of the contacted servers for fermilab were capable
of returning a valid AC for the user.

[22/Apr/2019:10:07:46]  [139982376310528:auth.py:authorize] myproxy authoriziation failed, Error authorizing DN='/DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab/CN=jobview-graphitesrv01.fnal.gov' for AcctGroup='accel'
[22/Apr/2019:10:07:46]  [139982376310528:auth.py:authorize] Failed to authorize dn '/DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab/CN=jobview-graphitesrv01.fnal.gov' for group 'accel' with role 'Analysis' using known authentication methods
[22/Apr/2019:10:07:46]  [139982376310528:auth.py:wrapper] User authorization has failed: Error authenticating DN='/DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab/CN=jobview-graphitesrv01.fnal.gov' for AcctGroup='accel'
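
One way to find, in a jobsub server log, the requests this idea is about: FERRY mapped the DN to a user, but authorization then failed because no VOMS server would issue an AC for the group and role. This is an added example, not part of the original issue or of jobsub's code; the sample lines are constructed in the log format shown above, with the DN, user names and thread ids shortened.

```python
import re

# Constructed sample in the jobsub log format shown above (DN, users, thread ids shortened).
SAMPLE_LOG = """\
[22/Apr/2019:10:07:45]  [1001:auth_ferry.py:authenticate] ferry mapped dn '/DC=org/CN=monitor01.example.org' fqan 'None' to 'svcuser'
[22/Apr/2019:10:07:45]  [1001:auth.py:create_voms_proxy] create_voms_proxy: Authorizing user: svcuser acctgroup: accel role: Analysis
[22/Apr/2019:10:07:46]  [1001:authutils.py:make_proxy_from_cmd] failed tb=Traceback (most recent call last):
STDERR:
Error: fermilab: Unable to satisfy B/fermilab/accel:Analysis request!
[22/Apr/2019:10:07:46]  [1001:auth.py:authorize] Failed to authorize dn '/DC=org/CN=monitor01.example.org' for group 'accel' with role 'Analysis' using known authentication methods
[22/Apr/2019:10:08:02]  [1002:auth_ferry.py:authenticate] ferry mapped dn '/DC=org/CN=user1' fqan 'None' to 'user1'
[22/Apr/2019:10:08:02]  [1002:auth.py:create_voms_proxy] create_voms_proxy: Authorizing user: user1 acctgroup: uboone role: Analysis
"""

PREFIX = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<tid>\d+):[\w.]+:\w+\]\s?(?P<msg>.*)$")
MAPPED = re.compile(r"ferry mapped dn '(?P<dn>[^']+)' fqan '[^']*' to '(?P<user>[^']+)'")
AUTHZ = re.compile(r"Authorizing user: \S+ acctgroup: (?P<group>\S+) role: (?P<role>\S+)")
NO_AC = re.compile(r"Unable to satisfy \S+ request")
FAILED = re.compile(r"Failed to authorize dn '[^']+' for group '[^']+' with role '[^']+'")


def voms_denials(log_text):
    """Return requests where FERRY mapped the DN but no VOMS AC could be issued."""
    open_reqs, findings, tid, ts = {}, [], None, None
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if m:
            tid, ts, msg = m["tid"], m["ts"], m["msg"]
        else:
            msg = line  # unprefixed traceback/STDERR line: belongs to the last record
        hit = MAPPED.search(msg)
        if hit and tid is not None:
            # A FERRY mapping starts a new request on this thread id.
            open_reqs[tid] = {"ts": ts, "dn": hit["dn"], "user": hit["user"], "no_ac": False}
        req = open_reqs.get(tid)
        if req is None:
            continue
        if (hit := AUTHZ.search(msg)):
            req.update(group=hit["group"], role=hit["role"])
        elif NO_AC.search(msg):
            req["no_ac"] = True
        elif FAILED.search(msg):
            req = open_reqs.pop(tid)
            if req["no_ac"]:  # report only failures caused by the missing AC
                findings.append(req)
    return findings
```

Run over a real log, the returned list gives each affected DN with the group and role it was refused for, which is the set of requests a no-VOMS read path for superusers would change.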

#2 Updated by Dennis Box 4 months ago

  • Target version set to v1.3.4
  • Assignee set to Shreyas Bhat

