Bug #24561
Glidein token fetching is not working
0%
Description
These errors appear in the log files:
[2020-06-24 09:11:35,283] DEBUG: glideinFrontendElement:893: failed to fetch /var/lib/gwms-frontend/.condor/tokens.d/ITB_FC_CE2.token
[2020-06-24 09:11:35,285] DEBUG: glideinFrontendElement:894: Command '/usr/sbin/frontend_condortoken ITB_FC_CE2' returned non-zero exit status 1: mkdir: cannot create dire
ctory ‘~’: Permission denied
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
sudo: no tty present and no askpass program specified
Tokens should work (possibly) or fail w/ a message saying why and fall back to normal authentication
History
#1 Updated by Dennis Box 11 days ago
- Assignee changed from Dennis Box to Marco Mambelli
- Status changed from New to Feedback
See branch v37/24561, branched from dcc3a9fce29.
#2 Updated by Marco Mambelli 3 days ago
- Assignee changed from Marco Mambelli to Dennis Box
Feedback sent also via email.
Hi Dennis,
a couple of observations:
1. spec file, and all: Should the token directories have more strict permissions so a generic user cannot check the list of tokens?
2.
The sites as configured in the Factory are normally referred to as Entry, not entry point
Is this script only outputting the token to stdout (I see no -token for condor_token_create, so seems so)? The file seems saved in the python code. Could this script do that since it has the file name for checking if already there? Or, probably better, the python code handles the reuse of the cached token if available, so this script does not need to know anything about the directory and file path (and you can eliminate the whole reuse section).
The Frontend user may be different from "frontend". I think other scripts check the owner of /etc/gwms-frontend.xml
# purpose: generates a condor token, specific for Glideins submitted to a Factory Entry (named in the parameter),
# for authorizing to join the User collector connected to the Frontend
echo "usage: $0 entry_name"
echo "creates frontend token for entry_name and echos it to stdout"
See first the note above, you may remove this.
If kept, I'd use a flag, I find it more clear:
REUSE_TOKEN=
if [ -e "$TD/$TOKEN" ]; then
AGE=$(date -r "$TD/$TOKEN" +%s)
ONE_HR_AGO=$(( $(date +%s) - 3600 ))
if [ "$AGE" -gt "$ONE_HR_AGO" ]; then
REUSE_TOKEN=yes
fi
fi
if [ -n "${REUSE_TOKEN}" ]; then
cat "$TD/$TOKEN"
else
If you use 1/0 then you can use the fact that 0 is true in shell
Or do the action there
if [ -e "$TD/$TOKEN" ]; then
AGE=$(date -r "$TD/$TOKEN" +%s)
ONE_HR_AGO=$(( $(date +%s) - 3600 ))
if [ "$AGE" -gt "$ONE_HR_AGO" ]; then
# OK to reuse the token
cat "$TD/$TOKEN"
exit
fi
fi
# create the token, echo it to stdout
sudo /usr/bin/condor_token_create -lifetime 86400 -key ${KEY} ${AUTH} -identity "${ID}@${HOSTNAME}"
3. glideinFrontendElement.py
Should the permissions be more strict? Any reason to allow everyone to read?
if not os.path.exists(tkn_dir):
os.mkdir(tkn_dir, 0755)
Thanks