Feature #5075

Create Proxy refresh tool for the server

Added by Parag Mhashilkar about 7 years ago. Updated about 7 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Spent time:


Duration: 10


JobSub web app's authorization module has all the required hooks and a sample untested/unfinished function to refresh proxies. We need a tool that operations can use and run using cron that

  • Look at the condor queue to find out the users that have submitted jobs and with what voms group, role
  • Use the keytab file to generated krb5 keytab file and voms proxy from it

CDF CAF has the required code to look up the condor queue which we can use and change it as required.


#1 Updated by Parag Mhashilkar about 7 years ago

  • Target version changed from v0.1.1 to v0.1.2

#2 Updated by Dennis Box about 7 years ago

  • % Done changed from 0 to 80

Checked first draft into branch 5075.

- script admin/ : sources environment from, runs webapp/ method

- webapp/ changes:

1) moved krb5cc_(username) and (username).keytab from /home/grid/.security/(group) to /home/grid/.security
this addresses issue that Joe noticed where user submitting from a second group invalidates the kerberos ticket for the first group,
it also (in theory) makes the authorization faster as you shouldn't need to kinit when you voms-proxy-init for a second group if you jist did it for the first group.

2) refresh_proxies method now does a condor_q and then a kinit/kx509/voms-proxy-init for each unique combination of user/group in the queue.


- if we are following the cdf model we need to invalidate kerberos tickets and proxies for users/groups that are no longer in the queue.
- logging does not work when run standalone instead of from within cherrypy environment
- still lots of hardcoded paths, need to read these from ini files and
- main argument handling should be improved

#3 Updated by Dennis Box about 7 years ago

forgot to add to TODO:
-check that its not doing too many kinits, I think this is making submission and the refresh_proxies method slower than they need to be

#4 Updated by Parag Mhashilkar about 7 years ago

  • Status changed from New to Resolved

#5 Updated by Parag Mhashilkar about 7 years ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF