Feature #9736

Overhaul Vulcan Authentication

Added by Chih-Hao Huang over 5 years ago. Updated over 5 years ago.

Start date:
Due date:
% Done:


Estimated time:
4.00 h
Spent time:
Duration: 8


Vulcan used to be run by admin, using admin's certificate.
To allow other people, Jesus for now and general users in the future, it should not depend on operators' certificate.
Will use certificate every where.


#1 Updated by Chih-Hao Huang over 5 years ago

  • % Done changed from 0 to 80

New git repository, cms-git/dcso-git, does not permit access using any more.
was then created for managing password files in puppet.
(It was for the cronjob and they worked.)
However, in interactive vulcan scripts, such as, once is initiated, it can not ssh into other remote nodes such as cmssrv222, cmsstor24, ... etc, since they do not have the same service certificate in ~root/.k5login.
To maintain different versions of ~root/.k5login (so that only selected nodes have the certificate) is a pain in the neck.
To put the service certificate in ~root/.k5login every where is literally defeating the purpose.
To argue over principle or principal is waste of time.

Current solution: use except for pushing password to puppet.
is already every where in ~root/.k5login.
Every host accepts it, except

Therefore, in the beginning, initiate .
When dealing with password pull/push from/to puppet, initiate .
Once the password file is pushed, immediately initiate back.
Initiating in the beginning makes vulcan not depend on personal certificate.

This is ugly and I don't like that either. However, this is the least effort to make it work.

Certificates are stored in a file in one place. It can be easily changed in the future.

Will test it with Jesus O. soon.

#2 Updated by Chih-Hao Huang over 5 years ago

  • % Done changed from 80 to 90

Sitting down with Jesus O. this afternoon.
Jesus logged on to cmsrocks1 as himself.
Then, using sudo:
sudo /opt/vulcan/ sluo
Everything went well, except the last part, passing the password and group files to LPC deskop support group, which is irrelevant in account creation here.
The reason was kinit (need a kinit -k) was not in the command path.
It was fixed by using the full path.

Will do the same with other scripts.

#3 Updated by Chih-Hao Huang over 5 years ago

  • Status changed from Assigned to Resolved
  • % Done changed from 90 to 100

This has been in place more than two months ago. Jesus O. has been using this without problem. Granted there were minor glitch here and there, they have been corrected along the way.

Close this ticket today.

Also available in: Atom PDF