Create Proxy refresh tool for the server
JobSub web app's authorization module has all the required hooks and a sample untested/unfinished function to refresh proxies. We need a tool that operations can use and run using cron that:
- Looks at the condor queue to find out the users that have submitted jobs and with what voms group, role
- Uses the keytab file to generate a krb5 keytab file and voms proxy from it
CDF CAF has the required code to look up the condor queue, which we can use and change as required.
#2 Updated by Dennis Box almost 7 years ago
- % Done changed from 0 to 80
Checked first draft into branch 5075.
- script admin/krbrefresh.sh : sources environment from jobsub_api.py, runs webapp/auth.py:refresh_proxies method
- webapp/auth.py changes:
1) moved krb5cc_(username) and (username).keytab from /home/grid/.security/(group) to /home/grid/.security.
This addresses the issue that Joe noticed where a user submitting from a second group invalidates the kerberos ticket for the first group.
It also (in theory) makes the authorization faster, as you shouldn't need to kinit when you voms-proxy-init for a second group if you just did it for the first group.
2) refresh_proxies method now does a condor_q and then a kinit/kx509/voms-proxy-init for each unique combination of user/group in the queue.
- if we are following the cdf model we need to invalidate kerberos tickets and proxies for users/groups that are no longer in the queue.
- logging does not work when auth.py is run standalone instead of from within the cherrypy environment
- still lots of hardcoded paths, need to read these from ini files and jobsub_api.py
- main argument handling should be improved
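
The refresh planning described in this update (one Kerberos cache per user, one proxy per unique user/group/role in the queue, and invalidation of caches and proxies no longer backed by a queued job), as an added example that is not code from webapp/auth.py or from this issue. The three-column queue format, the proxy file naming and the sample data are assumptions; only /home/grid/.security, krb5cc_(username) and (username).keytab come from the page.

```python
import re
from collections import namedtuple

SECURITY_DIR = "/home/grid/.security"      # directory named in the update above
SAFE = re.compile(r"^[A-Za-z0-9_-]+$")     # queue fields become path components
Plan = namedtuple("Plan", "kinit_users proxy_combos stale")

def krb5_cache(user):
    # One cache per user, shared by all of that user's groups.
    return f"{SECURITY_DIR}/krb5cc_{user}"

def proxy_path(user, group, role):
    # Hypothetical naming: the page does not say where proxies are stored.
    return f"{SECURITY_DIR}/{group}/x509cc_{user}_{role}"

def parse_queue(lines):
    """Unique (user, group, role) triples; malformed or unsafe rows are dropped."""
    combos = set()
    for line in lines:
        fields = line.split()
        if len(fields) == 3 and all(SAFE.match(f) for f in fields):
            combos.add(tuple(fields))
    return combos

def plan_refresh(queue_lines, existing_credentials):
    combos = parse_queue(queue_lines)
    users = sorted({user for user, _, _ in combos})
    keep = {krb5_cache(u) for u in users} | {proxy_path(*c) for c in combos}
    # Keytabs are never stale: only ticket caches and proxies get invalidated.
    stale = sorted(p for p in existing_credentials
                   if not p.endswith(".keytab") and p not in keep)
    return Plan(users, sorted(combos), stale)

# Constructed sample data, not taken from a real queue or server.
QUEUE = [
    "alice nova Analysis",
    "alice nova Analysis",       # second job, same identity
    "alice minerva Analysis",    # same user, second group: no extra kinit
    "bob nova Production",
    "../etc nova Analysis",      # rejected: unsafe path component
]
ON_DISK = [
    "/home/grid/.security/krb5cc_alice",
    "/home/grid/.security/krb5cc_carol",
    "/home/grid/.security/carol.keytab",
    "/home/grid/.security/nova/x509cc_alice_Analysis",
    "/home/grid/.security/nova/x509cc_carol_Analysis",
]

if __name__ == "__main__":
    print(plan_refresh(QUEUE, ON_DISK))
```
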