Bug #23108

myproxyretrievers regex not friendly to scaling

Added by Dennis Box about 1 month ago. Updated about 1 month ago.

Status: Work in progress
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 08/13/2019
Due date:
% Done: 0%
Estimated time:
First Occurred:
Occurs In:
Stakeholders:
Duration:

Description

Every time a new jobsub server is added to a cluster, the regex for the myproxyretrievers has to be changed for all the existing ones.

Can a common proxy be used instead?

History

#1 Updated by Dennis Box about 1 month ago

  • Status changed from New to Work in progress

Hey Nick, Joe, I added you guys as watchers on this ticket.

I determined through some testing the following cigetcertopts.txt file would work on all the production and dev jobsub servers, and wouldn't have to be changed when adding new jobsub servers as long as the hostname conformed to jobsub.fnal.gov:

#-----begin new cigetcertopts.txt----------------------
  1. comments are ignored
    i 'Fermi National Accelerator Laboratory'
    --myproxyserver=myproxy.fnal.gov
    --myproxyretrievers='(/DC=org/DC=opensciencegrid/O=Open Science Grid/OU=Services|/DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab)/CN=()jobsub().fnal.gov'
    --myproxyhours=24
    --hours=672
    #-----------------------------------------------------

The potential downside would be that someone could maliciously create a server, say Iwanttohackjobsubbecausewhynot.fnal.gov, install some OSG client software on it, and steal proxies from the myproxy server. I don't know if this is a realistic threat scenario or not.

#2 Updated by Dennis Box about 1 month ago

Try again, not letting text be interpreted as markup instructions:


# comments are ignored
-i 'Fermi National Accelerator Laboratory'
--myproxyserver=myproxy.fnal.gov
--myproxyretrievers='(/DC=org/DC=opensciencegrid/O=Open Science Grid/OU=Services|/DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab)/CN=(*)jobsub(*).fnal.gov'
--myproxyhours=24
--hours=672

#3 Updated by Dennis Box about 1 month ago

The last mail you got does not have the correct regular expression, but it is now correct in the ticket. Sorry for the spam.
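
An added example, not part of the ticket or of jobsub: a small audit that checks a candidate retriever pattern against DNs that should and should not be allowed to retrieve, which makes the breadth concern from comment #1 measurable. It assumes the ticket's wildcards mean "any characters around jobsub"; the `jobsubNN` hostnames and the stricter pattern are constructed for illustration, and Python's `re` stands in for whatever matcher the server uses.

```python
import re

# Issuer prefixes copied from the ticket's proposed --myproxyretrievers value.
ISSUERS = (
    "/DC=org/DC=opensciencegrid/O=Open Science Grid/OU=Services",
    "/DC=org/DC=incommon/C=US/ST=IL/L=Batavia/O=Fermi Research Alliance/OU=Fermilab",
)

# Assumption: the ticket's wildcards mean "any characters around 'jobsub'".
WIDE_HOST = r".*jobsub.*\.fnal\.gov"
# Hypothetical tighter convention (jobsub + two digits), not from the ticket.
STRICT_HOST = r"jobsub[0-9]{2}\.fnal\.gov"


def retriever_regex(host_regex):
    """Build a DN pattern: one of the issuer prefixes, then /CN=<host>."""
    issuers = "|".join(re.escape(i) for i in ISSUERS)
    return re.compile("(?:%s)/CN=(?:%s)" % (issuers, host_regex))


def audit(pattern, expected, unexpected):
    """Return (missed, overmatched) using whole-string matching."""
    missed = [dn for dn in expected if not pattern.fullmatch(dn)]
    overmatched = [dn for dn in unexpected if pattern.fullmatch(dn)]
    return missed, overmatched


# Constructed sample DNs; only the rogue hostname appears in the ticket.
EXPECTED = [
    ISSUERS[0] + "/CN=jobsub01.fnal.gov",
    ISSUERS[1] + "/CN=jobsub02.fnal.gov",
]
ROGUE = ISSUERS[1] + "/CN=Iwanttohackjobsubbecausewhynot.fnal.gov"
UNEXPECTED = [
    ROGUE,
    ISSUERS[0] + "/CN=jobsub01.fnal.gov.example.org",  # wrong domain suffix
    "/DC=org/DC=example/CN=jobsub01.fnal.gov",         # wrong issuer
]

if __name__ == "__main__":
    for name, host in (("wide", WIDE_HOST), ("strict", STRICT_HOST)):
        missed, over = audit(retriever_regex(host), EXPECTED, UNEXPECTED)
        print(name, "missed:", missed, "overmatched:", over)
```

Running the same audit whenever the retriever pattern changes shows whether a new server name is covered and whether the pattern has widened beyond the intended hosts.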


