Feature #9736: Overhaul Vulcan Authentication - Vulcan - Fermilab Redmine

Feature #9736

Overhaul Vulcan Authentication

Added by Chih-Hao Huang about 5 years ago. Updated about 5 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Chih-Hao Huang

Start date:

07/27/2015

Due date:

08/03/2015

% Done:

100%

Estimated time:

4.00 h

Spent time:

3.00 h

Duration: 8

Description

Vulcan used to be run by admin, using admin's certificate.
To allow other people, Jesus for now and general users in the future, it should not depend on operators' certificate.
Will use vulcan/cmssrv28.fnal.gov@FNAL.GOV certificate every where.

History

#1 Updated by Chih-Hao Huang about 5 years ago

% Done changed from 0 to 80

New git repository, cms-git/dcso-git, does not permit access using host/cmssrv28.fnal.gov@FNAL.GOV any more.
vulcan/cms/cmssrv28.fnal.gov@FNAL.GOV was then created for managing password files in puppet.
(It was for the cronjob and they worked.)
However, in interactive vulcan scripts, such as newCMSUser.sh, once vulcan/cms/cmssrv28.fnal.gov@FNAL.GOV is initiated, it can not ssh into other remote nodes such as cmssrv222, cmsstor24, ... etc, since they do not have the same service certificate in ~root/.k5login.
To maintain different versions of ~root/.k5login (so that only selected nodes have the certificate) is a pain in the neck.
To put the service certificate in ~root/.k5login every where is literally defeating the purpose.
To argue over principle or principal is waste of time.

Current solution: use host/cmssrv28.fnal.gov@FNAL.GOV except for pushing password to puppet.
host/cmssrv28.fnal.gov@FNAL.GOV is already every where in ~root/.k5login.
Every host accepts it, except cms-git.fnal.gov.

Therefore, in the beginning, initiate host/cmssrv28.fnal.gov@FNAL.GOV.
When dealing with password pull/push from/to puppet, initiate vulcan/cms/cmssrv28.fnal.gov@FNAL.GOV.
Once the password file is pushed, immediately initiate host/cmssrv28.fnal.gov@FNAL.GOV back.
Initiating host/cmssrv28.fnal.gov@FNAL.GOV in the beginning makes vulcan not depend on personal certificate.

This is ugly and I don't like that either. However, this is the least effort to make it work.

Certificates are stored in a file in one place. It can be easily changed in the future.

Will test it with Jesus O. soon.

#2 Updated by Chih-Hao Huang about 5 years ago

% Done changed from 80 to 90

Sitting down with Jesus O. this afternoon.
Jesus logged on to cmsrocks1 as himself.
Then, using sudo:
sudo /opt/vulcan/newCMSUser.sh sluo
Everything went well, except the last part, passing the password and group files to LPC deskop support group, which is irrelevant in account creation here.
The reason was kinit (need a kinit -k) was not in the command path.
It was fixed by using the full path.

Will do the same with other scripts.

#3 Updated by Chih-Hao Huang about 5 years ago

Status changed from Assigned to Resolved
% Done changed from 90 to 100

This has been in place more than two months ago. Jesus O. has been using this without problem. Granted there were minor glitch here and there, they have been corrected along the way.

Close this ticket today.

Also available in: Atom PDF

Project

General

Profile

DCSO » Vulcan

Issues