Kerberos tickets on the online machines¶
Special Kerberos principals¶
- We use shared accounts on the online DAQ machines and the control room machines. In order to generate Kerberos tickets from a keytab, we requested special Kerberos principals.
- On the control room machines,
ubooneshift/cron/uboone-cr-01.fnal.gov@FNAL.GOV
ubooneshift/cron/uboone-cr-02.fnal.gov@FNAL.GOV
ubooneshift/cron/uboone-cr-03.fnal.gov@FNAL.GOV
ubooneshift/cron/uboone-cr-04.fnal.gov@FNAL.GOV
ubooneshift/cron/uboone-cr-05.fnal.gov@FNAL.GOV
- On the online machines,
uboonedaq/ubdaq-prod-evb.fnal.gov@FNAL.GOV
uboonedaq/ubdaq-prod-ws01.fnal.gov@FNAL.GOV
uboonedaq/ubdaq-prod-ws02.fnal.gov@FNAL.GOV
Set up the environment variables¶
- We need to set the environment variable KRB5CCNAME so that the shared account uses a dedicated credential cache.
- On the control room machines, e.g. on uboone-cr-02, in .bashrc we added
export KRB5CCNAME=FILE:/tmp/krb5cc_ubooneshift_cr02
kinit -A -k -t /home/ubooneshift/uboone-shift-tools/ubooneshift.keytab ubooneshift/cron/uboone-cr-02.fnal.gov@FNAL.GOV
- On the online machines, in .bashrc we added
hostname=`uname -n`
if [[ "${hostname}" == "ubdaq-prod-evb.fnal.gov" ]]; then
    export KRB5CCNAME=FILE:/tmp/krb5cc_uboonedaq_evb
elif [[ "${hostname}" == "ubdaq-prod-ws01.fnal.gov" ]]; then
    export KRB5CCNAME=FILE:/tmp/krb5cc_uboonedaq_ws01
elif [[ "${hostname}" == "ubdaq-prod-ws02.fnal.gov" ]]; then
    export KRB5CCNAME=FILE:/tmp/krb5cc_uboonedaq_ws02
fi
- In .k5login, which is shared between the control room and online machines, we added the special Kerberos principals:
ubooneshift/cron/uboone-cr-01.fnal.gov@FNAL.GOV
ubooneshift/cron/uboone-cr-02.fnal.gov@FNAL.GOV
ubooneshift/cron/uboone-cr-03.fnal.gov@FNAL.GOV
ubooneshift/cron/uboone-cr-04.fnal.gov@FNAL.GOV
ubooneshift/cron/uboone-cr-05.fnal.gov@FNAL.GOV
uboonedaq/ubdaq-prod-evb.fnal.gov@FNAL.GOV
uboonedaq/ubdaq-prod-ws01.fnal.gov@FNAL.GOV
uboonedaq/ubdaq-prod-ws02.fnal.gov@FNAL.GOV
Set up crontab¶
- Edit the crontab
crontab -e
- List the crontab
crontab -l
- We set up the crontab so that the Kerberos tickets are renewed from the keytab every three hours:
- On the control room machines, e.g. uboone-cr-02,
00 */3 * * * export KRB5CCNAME=FILE:/tmp/krb5cc_ubooneshift_cr02; kinit -A -k -t /home/ubooneshift/uboone-shift-tools/ubooneshift.keytab ubooneshift/cron/uboone-cr-02.fnal.gov@FNAL.GOV
- On the online machines, e.g. ws01,
00 */3 * * * export KRB5CCNAME=FILE:/tmp/krb5cc_uboonedaq_ws01; kinit -A -k -t /var/adm/krb5/uboonedaq.keytab uboonedaq/ubdaq-prod-ws01.fnal.gov@FNAL.GOV
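As an added example (not a script from this page or the experiment), the per-host KRB5CCNAME mapping from the .bashrc snippets and the keytab kinit from the crontab entries can be folded into one helper that only contacts the KDC when MIT `klist -s` reports no valid ticket. It assumes the "cr0N" cache suffix and the keytab paths shown for uboone-cr-02 and ws01 hold for the other hosts listed above; the 0600 permission check on the keytab is an added precaution.

```shell
#!/bin/sh
# Added example: derive credential cache, keytab and principal for a host,
# then refresh the ticket from the keytab only when none is valid.

# Print "<ccache> <keytab> <principal>" for a known host, or fail.
# Hosts and principals are the ones listed on this page; the cache suffix
# for control room hosts other than cr02 is an assumption.
krb5_profile_for_host() {
    case "$1" in
        uboone-cr-0[1-5].fnal.gov)
            n=${1#uboone-cr-}; n=${n%%.*}
            echo "FILE:/tmp/krb5cc_ubooneshift_cr${n} /home/ubooneshift/uboone-shift-tools/ubooneshift.keytab ubooneshift/cron/${1}@FNAL.GOV"
            ;;
        ubdaq-prod-evb.fnal.gov|ubdaq-prod-ws01.fnal.gov|ubdaq-prod-ws02.fnal.gov)
            short=${1#ubdaq-prod-}; short=${short%%.*}
            echo "FILE:/tmp/krb5cc_uboonedaq_${short} /var/adm/krb5/uboonedaq.keytab uboonedaq/${1}@FNAL.GOV"
            ;;
        *)
            return 1
            ;;
    esac
}

# Refresh the ticket for this host (default: uname -n). Skips the KDC round
# trip when the cache already holds a valid ticket and refuses a keytab that
# is readable by anyone but its owner.
renew_ticket() {
    host=${1:-$(uname -n)}
    profile=$(krb5_profile_for_host "$host") || {
        echo "no Kerberos profile for $host" >&2; return 1; }
    set -- $profile
    KRB5CCNAME=$1; export KRB5CCNAME
    keytab=$2; princ=$3
    if [ "$(stat -c %a "$keytab" 2>/dev/null)" != "600" ]; then
        echo "refusing to use $keytab: expected mode 0600" >&2; return 1
    fi
    if klist -s 2>/dev/null; then
        return 0        # valid, unexpired ticket already cached
    fi
    kinit -A -k -t "$keytab" "$princ"
}
```

Called from the crontab entry or from .bashrc as `renew_ticket`, it behaves like the snippets above but leaves an audit trail on stderr when the keytab is missing or mis-permissioned instead of silently failing kinit.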
Conclusion and Policy¶
- Shifters don't have to renew their Kerberos tickets until the keytab expires (in one year)!
- Both experts and shifters shouldn't use their personal Kerberos principals when logging in with the shared accounts, uboonedaq and ubooneshift.