Project

General

Profile

Bug #6261

Milestone #6351: Release JobSub v0.3.1

Server authentication should not recreate user keytabs. This causes problem when a index roll over happens

Added by Parag Mhashilkar over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
JobSub CherryPy Web App
Target version:
Start date:
05/13/2014
Due date:
05/14/2014
% Done:

100%

Estimated time:
Spent time:
First Occurred:
Occurs In:
Stakeholders:
Duration: 2

Description

Suspicion is that the roll over cause problem.

[rexbatch@fifebatch1 proxies]$ klist -t -k dbox.keytab.blarg
Keytab name: FILE:dbox.keytab.blarg
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  92 01/31/14 15:01:36 dbox/batch/fifegrid@FNAL.GOV
  98 02/13/14 14:58:54 dbox/batch/fifegrid@FNAL.GOV
 103 02/18/14 10:51:29 dbox/batch/fifegrid@FNAL.GOV
 105 02/18/14 13:29:25 dbox/batch/fifegrid@FNAL.GOV
 106 02/18/14 15:34:18 dbox/batch/fifegrid@FNAL.GOV
 107 02/20/14 10:26:04 dbox/batch/fifegrid@FNAL.GOV
 110 02/20/14 17:30:18 dbox/batch/fifegrid@FNAL.GOV
 113 02/21/14 11:49:12 dbox/batch/fifegrid@FNAL.GOV
 137 03/14/14 14:01:43 dbox/batch/fifegrid@FNAL.GOV
 138 03/17/14 11:37:34 dbox/batch/fifegrid@FNAL.GOV
 139 03/17/14 12:38:08 dbox/batch/fifegrid@FNAL.GOV
 141 03/17/14 13:39:29 dbox/batch/fifegrid@FNAL.GOV
 142 03/17/14 15:16:41 dbox/batch/fifegrid@FNAL.GOV
 143 03/17/14 16:31:56 dbox/batch/fifegrid@FNAL.GOV
 145 03/18/14 13:58:44 dbox/batch/fifegrid@FNAL.GOV
 150 03/19/14 12:07:43 dbox/batch/fifegrid@FNAL.GOV
 151 03/19/14 19:54:55 dbox/batch/fifegrid@FNAL.GOV
 152 03/20/14 15:04:28 dbox/batch/fifegrid@FNAL.GOV
 153 03/26/14 12:22:08 dbox/batch/fifegrid@FNAL.GOV
 154 03/26/14 13:34:38 dbox/batch/fifegrid@FNAL.GOV
 155 03/26/14 14:46:21 dbox/batch/fifegrid@FNAL.GOV
 156 03/26/14 14:46:33 dbox/batch/fifegrid@FNAL.GOV
 163 03/28/14 14:35:08 dbox/batch/fifegrid@FNAL.GOV
 181 04/07/14 11:03:14 dbox/batch/fifegrid@FNAL.GOV
 182 04/07/14 14:15:49 dbox/batch/fifegrid@FNAL.GOV
 183 04/07/14 16:15:32 dbox/batch/fifegrid@FNAL.GOV
 184 04/07/14 17:26:45 dbox/batch/fifegrid@FNAL.GOV
 187 04/08/14 16:47:26 dbox/batch/fifegrid@FNAL.GOV
 216 04/17/14 10:01:12 dbox/batch/fifegrid@FNAL.GOV
 218 04/21/14 10:33:29 dbox/batch/fifegrid@FNAL.GOV
 226 04/29/14 16:33:43 dbox/batch/fifegrid@FNAL.GOV
   1 05/13/14 13:57:55 dbox/batch/fifegrid@FNAL.GOV

Solution is to use the keytab file if exists and if using it fails, try to remove an recreate one before failing and giving auth error.

History

#1 Updated by Parag Mhashilkar over 5 years ago

  • Assignee changed from Parag Mhashilkar to Dennis Box

#2 Updated by Dennis Box over 5 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

My original code left the user.keytab alone, not adding new lines to it with kadmin commands. This failed to authenticate for reasons I do not understand. Resolved problem by creating new keytab and replacing old one with it after success. Tested overnight with submissions every 10 minutes.

#3 Updated by Dennis Box over 5 years ago

  • Status changed from Closed to Assigned
  • Target version changed from v0.3 to v0.3.1

testing revealed that issue was not resolved, but operational load is no worse than before . Operational workaround is to delete the (username).keytab and ask them to resubmit. I have saved off an example of the keytabs which I can use to reproduce the problem and resolve it in the server code.
Dennis

#4 Updated by Parag Mhashilkar over 5 years ago

  • Parent task changed from #6025 to #6351

#5 Updated by Dennis Box over 5 years ago

  • Status changed from Assigned to Feedback

generating user keytab invalidates users keytab on all the other servers.
Resolution is to generate them in a central place and distribute them along with running auth.py from this branch

#6 Updated by Dennis Box over 5 years ago

  • Status changed from Feedback to Resolved

#7 Updated by Parag Mhashilkar over 5 years ago

  • Status changed from Resolved to Closed


Also available in: Atom PDF