Feature #5075

Create Proxy refresh tool for the server

Added by Parag Mhashilkar almost 6 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Target version:
Start date: 12/11/2013
Due date: 12/20/2013
% Done: 80%
Estimated time:
Spent time:
Stakeholders: FermiGrid
Duration: 10

Description

JobSub web app's authorization module has all the required hooks and a sample untested/unfinished function to refresh proxies. We need a tool that operations can use and run using cron that

  • Look at the condor queue to find out the users that have submitted jobs and with what voms group, role
  • Use the keytab file to generate krb5 keytab file and voms proxy from it

CDF CAF has the required code to look up the condor queue which we can use and change it as required.

History

#1 Updated by Parag Mhashilkar over 5 years ago

  • Target version changed from v0.1.1 to v0.1.2

#2 Updated by Dennis Box over 5 years ago

  • % Done changed from 0 to 80

Checked first draft into branch 5075.

- script admin/krbrefresh.sh : sources environment from jobsub_api.py, runs webapp/auth.py:refresh_proxies method

- webapp/auth.py changes:

1) moved krb5cc_(username) and (username).keytab from /home/grid/.security/(group) to /home/grid/.security
this addresses issue that Joe noticed where user submitting from a second group invalidates the kerberos ticket for the first group,
it also (in theory) makes the authorization faster as you shouldn't need to kinit when you voms-proxy-init for a second group if you just did it for the first group.

2) refresh_proxies method now does a condor_q and then a kinit/kx509/voms-proxy-init for each unique combination of user/group in the queue.

TODO:

- if we are following the cdf model we need to invalidate kerberos tickets and proxies for users/groups that are no longer in the queue.
- logging does not work when auth.py run standalone instead of from within cherrypy environment
- still lots of hardcoded paths, need to read these from ini files and jobsub_api.py
- main argument handling should be improved

#3 Updated by Dennis Box over 5 years ago

forgot to add to TODO:
- check that it's not doing too many kinits, I think this is making submission and the refresh_proxies method slower than they need to be
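
An added sketch, not code from branch 5075 or from webapp/auth.py, of how the refresh described in updates #2 and #3 can be planned so that kinit and kx509 run once per user and voms-proxy-init once per unique user/group/role, with queue values validated before they reach a path or an argument list. The "owner group role" input format, the realm, the VO name, the principal form and the proxy file name are assumptions.

```python
import re
from collections import OrderedDict

SECURITY_DIR = "/home/grid/.security"   # directory named in the ticket
REALM = "EXAMPLE.ORG"                   # placeholder realm (assumption)
VO = "fermilab"                         # placeholder VO name (assumption)
# Queue values end up in file paths and argv: no slashes, dots or leading "-".
NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_-]{0,31}")

# Constructed sample: one "owner group role" line per job in the queue.
SAMPLE_QUEUE = """\
alice nova Analysis
alice nova Analysis
alice minerva Analysis
bob nova Production
../etc mu2e Analysis
"""

def plan_refresh(queue_text, cached_users=()):
    """Return (steps, rejected, stale): commands to run, bad rows, users to expire."""
    combos, rejected = OrderedDict(), []
    for line in queue_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not all(NAME.fullmatch(f) for f in fields):
            rejected.append(line)       # log and skip, never build a path from it
            continue
        user, group, role = fields
        pairs = combos.setdefault(user, [])
        if (group, role) not in pairs:
            pairs.append((group, role))
    steps = []                          # (environment, argv) pairs, no shell involved
    for user, pairs in combos.items():
        cache = "%s/krb5cc_%s" % (SECURITY_DIR, user)
        keytab = "%s/%s.keytab" % (SECURITY_DIR, user)
        env = {"KRB5CCNAME": "FILE:" + cache}
        principal = "%s@%s" % (user, REALM)          # principal form is an assumption
        steps.append((env, ["kinit", "-k", "-t", keytab, "-c", cache, principal]))
        steps.append((env, ["kx509"]))               # once per user, not per group
        for group, role in pairs:
            fqan = "%s:/%s/%s/Role=%s" % (VO, VO, group, role)
            proxy = "%s/x509cc_%s_%s_%s" % (SECURITY_DIR, user, group, role)  # hypothetical name
            steps.append((env, ["voms-proxy-init", "-voms", fqan, "-out", proxy]))
    # Users with a cached ticket but no queued jobs: candidates for invalidation.
    stale = sorted(set(cached_users) - set(combos))
    return steps, rejected, stale
```

Each step is an argument list plus environment, suitable for `subprocess` without a shell, and the `stale` list corresponds to the first TODO item about users no longer in the queue.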

#4 Updated by Parag Mhashilkar over 5 years ago

  • Status changed from New to Resolved

#5 Updated by Parag Mhashilkar over 5 years ago

  • Status changed from Resolved to Closed

