
Bug #24561

Glidein token fetching is not working

Added by Marco Mambelli 16 days ago. Updated 3 days ago.

Status: Feedback
Priority: High
Assignee:
Category: Frontend
Target version:
Start date: 06/24/2020
Due date:
% Done: 0%
Estimated time:
First Occurred:
Occurs In:
Stakeholders:
Duration:

Description

These errors appear in the log files:

[2020-06-24 09:11:35,283] DEBUG: glideinFrontendElement:893: failed to fetch /var/lib/gwms-frontend/.condor/tokens.d/ITB_FC_CE2.token
[2020-06-24 09:11:35,285] DEBUG: glideinFrontendElement:894: Command '/usr/sbin/frontend_condortoken ITB_FC_CE2' returned non-zero exit status 1: mkdir: cannot create directory ‘~’: Permission denied

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified

Tokens should work (possibly) or fail with a message saying why and fall back to normal authentication.

History

#1 Updated by Dennis Box 11 days ago

  • Assignee changed from Dennis Box to Marco Mambelli
  • Status changed from New to Feedback

See branch v37/24561, branched from dcc3a9fce29.

#2 Updated by Marco Mambelli 3 days ago

  • Assignee changed from Marco Mambelli to Dennis Box

Feedback sent also via email.

Hi Dennis,
a couple of observations:

1. spec file, and all: Should the token directories have more strict permissions so a generic user cannot check the list of tokens?

2. The sites as configured in the Factory are normally referred to as Entry, not entry point.
Is this script only outputting the token to stdout (I see no -token for condor_token_create, so it seems so)? The file seems to be saved in the Python code. Could this script do that, since it has the file name for checking if it is already there? Or, probably better, the Python code handles the reuse of the cached token if available, so this script does not need to know anything about the directory and file path (and you can eliminate the whole reuse section).

The Frontend user may be different from "frontend". I think other scripts check the owner of /etc/gwms-frontend.xml.

# purpose: generates a condor token, specific for Glideins submitted to a Factory Entry (named in the parameter), 
#         for authorizing to join the User collector connected to the Frontend

    echo "usage: $0 entry_name" 
    echo "creates frontend token for entry_name and echos it to stdout" 

See the note above first; you may remove this.
If kept, I'd use a flag, I find it clearer:

REUSE_TOKEN=
if [ -e "$TD/$TOKEN" ]; then
 AGE=$(date -r "$TD/$TOKEN" +%s)
 ONE_HR_AGO=$(( $(date +%s) - 3600 ))
 if [ "$AGE" -gt "$ONE_HR_AGO" ]; then
    REUSE_TOKEN=yes
 fi
fi

if [ -n "${REUSE_TOKEN}" ]; then
 cat "$TD/$TOKEN" 
else

If you use 1/0 then you can use the fact that 0 is true in shell.
Or do the action there:

if [ -e "$TD/$TOKEN" ]; then
 AGE=$(date -r "$TD/$TOKEN" +%s)
 ONE_HR_AGO=$(( $(date +%s) - 3600 ))
 if [ "$AGE" -gt "$ONE_HR_AGO" ]; then
    # OK to reuse the token
    cat "$TD/$TOKEN" 
    exit
 fi
fi

# create the token, echo it to stdout
sudo /usr/bin/condor_token_create  -lifetime 86400 -key ${KEY} ${AUTH} -identity "${ID}@${HOSTNAME}" 

3. glideinFrontendElement.py

Should the permissions be more strict? Any reason to allow everyone to read?

               if not os.path.exists(tkn_dir):
                   os.mkdir(tkn_dir, 0755)

Thanks
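The following is an added example, not code from this ticket, from the v37/24561 branch, or from the GlideinWMS project. It shows the shape the review above is asking for: the Python side owns the cache (reuse a token file younger than one hour, otherwise call the helper), the token directory is created 0700 instead of 0755 and the token file 0600, the directory path is passed in explicitly rather than derived from a literal '~' (which the log shows being taken verbatim by mkdir), and a failing helper produces a logged reason and a None result so the caller can fall back to normal authentication. It assumes Python 3; the helper path /usr/sbin/frontend_condortoken is taken from the log, its stdout-only behaviour is the assumption discussed in point 2, and `run_demo` drives everything with a constructed fake helper so it runs offline.

```python
import logging
import os
import stat
import subprocess
import tempfile
import time

log = logging.getLogger("glidein_token")

MAX_TOKEN_AGE = 3600  # seconds: the one-hour reuse window from the review


def ensure_private_dir(path):
    """Create the token directory with mode 0700 (not 0755) and tighten it if
    it already exists with group/other bits set. Returns the resulting mode."""
    if not os.path.isdir(path):
        os.mkdir(path, 0o700)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        os.chmod(path, 0o700)
        mode = 0o700
    return mode


def cached_token_is_fresh(path, now=None, max_age=MAX_TOKEN_AGE):
    """True if the cached token file exists and is younger than max_age."""
    now = time.time() if now is None else now
    try:
        return (now - os.stat(path).st_mtime) < max_age
    except OSError:
        return False


def run_condortoken_helper(entry):
    """Run the helper named in the log (assumed to print the token to stdout).
    Raises CalledProcessError carrying the helper's output on failure."""
    out = subprocess.check_output(["/usr/sbin/frontend_condortoken", entry],
                                  stderr=subprocess.STDOUT)
    return out.decode()


def fetch_glidein_token(entry, token_dir, create=run_condortoken_helper, now=None):
    """Return (token, source); source is 'cache', 'new', or None when creation
    failed and the caller should fall back to the regular authentication."""
    ensure_private_dir(token_dir)
    path = os.path.join(token_dir, "%s.token" % entry)
    if cached_token_is_fresh(path, now):
        with open(path) as f:
            return f.read().strip(), "cache"
    try:
        token = create(entry).strip()
    except (subprocess.CalledProcessError, OSError) as exc:
        detail = getattr(exc, "output", None)
        detail = detail.decode(errors="replace").strip() if isinstance(detail, bytes) else str(exc)
        log.warning("token creation for %s failed: %s; falling back to regular auth", entry, detail)
        return None, None
    if not token:
        log.warning("helper returned an empty token for %s; falling back to regular auth", entry)
        return None, None
    # The token is a bearer credential: create the file 0600 from the start
    # instead of writing it and chmod-ing afterwards.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token + "\n")
    return token, "new"


def run_demo():
    """Exercise fresh, cached, stale and failing paths with a constructed helper."""
    def fake_helper(entry):
        if entry == "BROKEN":
            # Constructed failure mirroring the mkdir error in the ticket's log.
            raise subprocess.CalledProcessError(
                1, ["frontend_condortoken", entry],
                output=b"mkdir: cannot create directory '~': Permission denied\n")
        return "eyJ.constructed.%s\n" % entry

    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tdir = os.path.join(tmp, "tokens.d")
        results["first"] = fetch_glidein_token("ITB_FC_CE2", tdir, fake_helper)
        results["second"] = fetch_glidein_token("ITB_FC_CE2", tdir, fake_helper)
        path = os.path.join(tdir, "ITB_FC_CE2.token")
        results["dir_mode"] = stat.S_IMODE(os.stat(tdir).st_mode)
        results["file_mode"] = stat.S_IMODE(os.stat(path).st_mode)
        old = time.time() - 2 * MAX_TOKEN_AGE  # age the cache past the window
        os.utime(path, (old, old))
        results["stale"] = fetch_glidein_token("ITB_FC_CE2", tdir, fake_helper)
        results["failed"] = fetch_glidein_token("BROKEN", tdir, fake_helper)
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, value in run_demo().items():
        print(name, value)
```

With this split the shell helper only has to create and print a token, as suggested in point 2, and the Frontend can decide per call whether a None result means "fall back" or "abort" without parsing sudo's output.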
