Bug #24561
Glidein token fetching is not working
Description
These errors appear in the log files:
[2020-06-24 09:11:35,283] DEBUG: glideinFrontendElement:893: failed to fetch /var/lib/gwms-frontend/.condor/tokens.d/ITB_FC_CE2.token
[2020-06-24 09:11:35,285] DEBUG: glideinFrontendElement:894: Command '/usr/sbin/frontend_condortoken ITB_FC_CE2' returned non-zero exit status 1: mkdir: cannot create directory ‘~’: Permission denied
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
sudo: no tty present and no askpass program specified
Tokens should work (possibly) or fail with a message saying why and fall back to normal authentication.
History
#1 Updated by Dennis Box 7 months ago
- Assignee changed from Dennis Box to Marco Mambelli
- Status changed from New to Feedback
See branch v37/24561, branched from dcc3a9fce29.
#2 Updated by Marco Mambelli 7 months ago
- Assignee changed from Marco Mambelli to Dennis Box
Feedback sent also via email.
Hi Dennis,
a couple of observations:
1. spec file, and all: Should the token directories have more strict permissions so a generic user cannot check the list of tokens?
2. The sites as configured in the Factory are normally referred to as Entry, not entry point.
Is this script only outputting the token to stdout (I see no -token for condor_token_create, so it seems so)? The file seems to be saved in the Python code. Could this script do that, since it has the file name for checking if it is already there? Or, probably better, the Python code handles the reuse of the cached token if available, so this script does not need to know anything about the directory and file path (and you can eliminate the whole reuse section).
The Frontend user may be different from "frontend". I think other scripts check the owner of /etc/gwms-frontend.xml
# purpose: generates a condor token, specific for Glideins submitted to a Factory Entry (named in the parameter),
# for authorizing to join the User collector connected to the Frontend
echo "usage: $0 entry_name"
echo "creates frontend token for entry_name and echos it to stdout"
See first the note above, you may remove this.
If kept, I'd use a flag; I find it clearer:
REUSE_TOKEN=
if [ -e "$TD/$TOKEN" ]; then
    AGE=$(date -r "$TD/$TOKEN" +%s)
    ONE_HR_AGO=$(( $(date +%s) - 3600 ))
    if [ "$AGE" -gt "$ONE_HR_AGO" ]; then
        REUSE_TOKEN=yes
    fi
fi
if [ -n "${REUSE_TOKEN}" ]; then
    cat "$TD/$TOKEN"
else
If you use 1/0 then you can use the fact that 0 is true in shell.
Or do the action there:
if [ -e "$TD/$TOKEN" ]; then
    AGE=$(date -r "$TD/$TOKEN" +%s)
    ONE_HR_AGO=$(( $(date +%s) - 3600 ))
    if [ "$AGE" -gt "$ONE_HR_AGO" ]; then
        # OK to reuse the token
        cat "$TD/$TOKEN"
        exit
    fi
fi
# create the token, echo it to stdout
sudo /usr/bin/condor_token_create -lifetime 86400 -key ${KEY} ${AUTH} -identity "${ID}@${HOSTNAME}"
3. glideinFrontendElement.py
Should the permissions be more strict? Any reason to allow everyone to read?
if not os.path.exists(tkn_dir):
    os.mkdir(tkn_dir, 0755)
Thanks
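As an added example (not GlideinWMS code and not from either branch), here is the Python-side cache-and-reuse logic Marco describes, with the stricter permissions his points 1 and 3 ask about: the token directory is created 0700 instead of 0755, the token file 0600, a cached token younger than one hour is reused, and `create_token` stands in for the external condor_token_create call. All function names and the token format are hypothetical.

```python
import os
import tempfile
import time

# Constructed example (not GlideinWMS code): the cache-and-reuse logic kept on
# the Python side, with the stricter permissions discussed in the review
# (0700 directory, 0600 token file). Names and token format are hypothetical.
TOKEN_MAX_AGE = 3600  # reuse a cached token if it is younger than one hour


def ensure_token_dir(tkn_dir):
    """Create the token directory owner-only (0700) rather than world-readable 0755."""
    if not os.path.isdir(tkn_dir):
        os.mkdir(tkn_dir, 0o700)
    os.chmod(tkn_dir, 0o700)  # also tighten a directory created earlier with 0755
    return os.stat(tkn_dir).st_mode & 0o777


def get_entry_token(tkn_dir, entry, create_token, max_age=TOKEN_MAX_AGE):
    """Return (token, reused) for a Factory Entry; mint a new token only when the cache is stale."""
    ensure_token_dir(tkn_dir)
    path = os.path.join(tkn_dir, entry + ".token")
    if os.path.exists(path) and time.time() - os.path.getmtime(path) < max_age:
        with open(path) as f:
            return f.read(), True
    token = create_token(entry)  # stands in for the script running condor_token_create
    # Write owner-only and atomically: no other user can read it, no reader sees a partial file.
    tmp = path + ".tmp"
    with os.fdopen(os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
        f.write(token)
    os.replace(tmp, path)
    return token, False


def demo(entry="ITB_FC_CE2"):
    """Fresh, cached and expired lookups against a temporary token directory."""
    calls = []

    def fake_create(name):
        calls.append(name)
        return "constructed-token-%s-%d" % (name, len(calls))

    tkn_dir = os.path.join(tempfile.mkdtemp(), "tokens.d")
    first = get_entry_token(tkn_dir, entry, fake_create)
    second = get_entry_token(tkn_dir, entry, fake_create)  # within the hour: reused
    stale = time.time() - 2 * TOKEN_MAX_AGE
    os.utime(os.path.join(tkn_dir, entry + ".token"), (stale, stale))
    third = get_entry_token(tkn_dir, entry, fake_create)  # older than an hour: recreated
    return first, second, third, len(calls), ensure_token_dir(tkn_dir)
```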
#3 Updated by Dennis Box 5 months ago
- Status changed from Feedback to Resolved
Feedback merged to branch_v3_7.