Task #9307

Task #9306: Make EOS test instance functional

Create separate eos keytab for cmseos-test

Added by Gerard Bernabeu Altayo about 5 years ago. Updated about 5 years ago.

Status: Resolved
Priority: Normal
Start date: 06/26/2015
Due date:
% Done: 0%
Estimated time:
Duration:

Description

I've seen that the eos keytab for test allows access to the production instance... This is VERY VERY bad, fixing right away by generating a new keytab for test. Will eventually redo the keytab in production but not now.

History

#1 Updated by Gerard Bernabeu Altayo about 5 years ago

1. I create a new keytab:

[root@cmssrv151 ~]# xrdsssadmin -k cmseos-test.fnal.gov -u daemon -g daemon add /etc/eos-test.keytab
xrdsssadmin: Keyfile '/etc/eos-test.keytab' does not exist. Create it? (y | n): y
xrdsssadmin: 1 key out of 1 kept (0 expired).
[root@cmssrv151 ~]# cat /etc/eos-test.keytab
0 u:daemon g:daemon n:cmseos-test.fnal.gov N....

2. I've fixed the keytab distribution mechanism in my new branch gerard_eostestfst. Adding the keytab in the 3 eos test systems: cmssrv151/153, cmsstor150:

bash-4.1$ git commit -m'adding EOS test keytab as per https://cdcvs.fnal.gov/redmine/issues/9307' -a
[master 56c1c52] adding EOS test keytab as per https://cdcvs.fnal.gov/redmine/issues/9307
3 files changed, 3 insertions(+), 0 deletions(-)
create mode 100644 cmssrv151.fnal.gov/eos.keytab
create mode 100644 cmssrv153.fnal.gov/eos.keytab
create mode 100644 cmsstor150.fnal.gov/eos.keytab

3. For now I'll move the new keytab to the 2 EOS test systems: cmssrv151 and cmssrv153:

[root@cmssrv151 ~]# ll /etc/eos.keytab
-r-------- 1 daemon daemon 137 Apr 27 04:36 /etc/eos.keytab
[root@cmssrv151 ~]# mv /etc/eos-test.keytab /etc/eos.keytab
mv: overwrite `/etc/eos.keytab'? yes
[root@cmssrv151 ~]# scp /etc/eos.keytab cmssrv153:/etc/eos.keytab
eos.keytab 100% 148 0.1KB/s 00:00
[root@cmssrv151 ~]# ll /etc/eos.keytab
-rw------- 1 root root 148 Jun 26 13:17 /etc/eos.keytab
[root@cmssrv151 ~]# chown daemon.daemon /etc/eos.keytab
[root@cmssrv151 ~]# chmod 400 /etc/eos.keytab
[root@cmssrv151 ~]# ll /etc/eos.keytab
-r-------- 1 daemon daemon 148 Jun 26 13:17 /etc/eos.keytab
[root@cmssrv151 ~]#
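
An added example, not part of the ticket or of the EOS/XRootD tooling: a shell check for the end state the steps above aim for, namely a keytab that is mode 400, owned by daemon:daemon, named for the test instance, and not a copy of another instance's keytab. The function name, its arguments and the optional SHA-256 comparison are assumptions made for illustration; it relies on GNU stat and sha256sum.

```shell
#!/bin/sh
# check_sss_keytab FILE KEY_NAME [USER] [GROUP] [FORBIDDEN_SHA256]
# (hypothetical helper) Returns 0 only if FILE is mode 400, owned by
# USER:GROUP, every key line is named KEY_NAME, and FILE is not
# byte-identical to the keytab whose SHA-256 is FORBIDDEN_SHA256
# (for example the production instance's keytab).
# Key material is never printed, only line numbers.
check_sss_keytab() {
    file=$1 want_name=$2 want_user=${3:-daemon} want_group=${4:-daemon} forbidden=${5:-}
    rc=0 keys=0 lineno=0
    [ -f "$file" ] || { echo "FAIL: $file not found" >&2; return 2; }

    mode=$(stat -c '%a' "$file")        # assumes GNU stat
    owner=$(stat -c '%U:%G' "$file")
    [ "$mode" = 400 ] || { echo "FAIL: mode is $mode, expected 400" >&2; rc=1; }
    [ "$owner" = "$want_user:$want_group" ] ||
        { echo "FAIL: owner is $owner, expected $want_user:$want_group" >&2; rc=1; }

    while read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        [ -n "$line" ] || continue
        keys=$((keys + 1))
        # The n: field is the key name, as in the cat output in the ticket.
        case " $line " in
            *" n:$want_name "*) ;;
            *) echo "FAIL: line $lineno is not named $want_name" >&2; rc=1 ;;
        esac
    done < "$file"
    [ "$keys" -gt 0 ] || { echo "FAIL: no keys in $file" >&2; rc=1; }

    if [ -n "$forbidden" ]; then
        sum=$(sha256sum < "$file" | cut -d' ' -f1)
        [ "$sum" != "$forbidden" ] ||
            { echo "FAIL: $file is identical to the forbidden keytab" >&2; rc=1; }
    fi
    return "$rc"
}
```

Run as root on each test host after sourcing the function, for example `check_sss_keytab /etc/eos.keytab cmseos-test.fnal.gov`, passing the digest of the production keytab as the fifth argument where it is known.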

#2 Updated by Gerard Bernabeu Altayo about 5 years ago

After restarting the services this seems to work fine :)

I also removed the keytab-test RPM from the list that puppet installs... let's see if the FST installs well and then I'll close this.

#3 Updated by Gerard Bernabeu Altayo about 5 years ago

  • Status changed from New to Resolved

It works, closing this ticket.
