From 21a472c476bc5b8c0a74701075f525b2e3e67880 Mon Sep 17 00:00:00 2001
From: Julien Leduc <julien.leduc@cern.ch>
Date: Tue, 14 Nov 2017 15:38:45 +0100
Subject: [PATCH] Changing /etc/ctafrontend_SSS_c.keytab and
 /etc/ctafrontend_SSS_s.keytab to /etc/cta/cta-cli.sss.keytab so that CI and
 preprod have now the same configuration files.

Keep in mind that:
The user in the ctafrontend SSS key is the EOS instance name, the rest is BS. I tried to make it clear in the configuration files and names when a field is useless.
WFE scripts are now the same between preprod and CI and the ctafrontend
configuration file can move in the rpm.
---
 .../ctafrontend/etc/cta/cta-frontend-xrootd.conf     |  2 +-
 .../docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh |  4 ++--
 .../ctafrontend/cc7/opt/run/bin/ctafrontend.sh       | 12 ++++++------
 .../cc7/opt/run/bin/eos_configure_preprod.sh         |  2 +-
 .../orchestration/create_instance.sh                 |  8 +++++---
 eos_wfe_scripts/delete_archive_file                  |  3 +--
 eos_wfe_scripts/retrieve_archive_file                |  3 +--
 7 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/continuousintegration/docker/ctafrontend/cc7/config/ctafrontend/etc/cta/cta-frontend-xrootd.conf b/continuousintegration/docker/ctafrontend/cc7/config/ctafrontend/etc/cta/cta-frontend-xrootd.conf
index f5981be0b0..a7ab0e089c 100644
--- a/continuousintegration/docker/ctafrontend/cc7/config/ctafrontend/etc/cta/cta-frontend-xrootd.conf
+++ b/continuousintegration/docker/ctafrontend/cc7/config/ctafrontend/etc/cta/cta-frontend-xrootd.conf
@@ -19,7 +19,7 @@ xrootd.seclib libXrdSec.so
 # Protocol specification
 # The xroot server process needs to be able to read the keytab file
 sec.protocol krb5 /etc/cta/cta-frontend.krb5.keytab cta/cta-frontend@TEST.CTA
-sec.protocol sss -s /etc/ctafrontend_SSS_s.keytab -c /etc/ctafrontend_SSS_c.keytab
+sec.protocol sss -s /etc/cta/cta-cli.sss.keytab
 #sec.protocol unix
 
 # Only Kerberos 5 and sss are allowed
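Review bot: The `sec.protocol sss -s /etc/cta/cta-cli.sss.keytab` line now names a single keytab that is both the frontend's server keytab and the file create_instance.sh copies into ctaeos as that side's client keytab, but nothing in the config records that coupling now that the separate `-c` keytab is gone. A comment above the line would keep the next reader from treating it as a server-only file, e.g. `# Single SSS keytab: also pushed to ctaeos as its client keytab (create_instance.sh); rotate and redistribute together`. The sss keytab loader refuses, I believe, keytabs with permissive modes, so the `chmod 600`/`chown cta` in ctafrontend.sh must stay in step with whatever path is configured here.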
diff --git a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
index 69aba714ba..8efec1fb1d 100755
--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
@@ -34,7 +34,7 @@ eoshost=`hostname -f`
 EOS_INSTANCE=`hostname -s`
 TAPE_FS_ID=65535
 CTA_BIN=/usr/bin/eoscta_stub
-CTA_KT=/etc/ctafrontend_SSS_c.keytab
+CTA_KT=/etc/cta/cta-cli.sss.keytab
 CTA_XrdSecPROTOCOL=sss
 CTA_PROC_DIR=/eos/${EOS_INSTANCE}/proc/cta
 CTA_WF_DIR=${CTA_PROC_DIR}/workflow
@@ -191,7 +191,7 @@ test -e /usr/lib64/libjemalloc.so.1 && export LD_PRELOAD=/usr/lib64/libjemalloc.
 # for sss authorisation  unix has to be replaced by sss
 
 # Set the worfklow rule for archiving files to tape
-eos attr set sys.workflow.closew.default="bash:shell:cta XrdSecPROTOCOL=${CTA_XrdSecPROTOCOL} XrdSecSSSKT=${CTA_KT} ${CTA_BIN} archive --user <eos::wfe::rusername> --group <eos::wfe::rgroupname> --diskid <eos::wfe::fid> --instance eoscta --srcurl <eos::wfe::turl> --size <eos::wfe::size> --checksumtype <eos::wfe::checksumtype> --checksumvalue <eos::wfe::checksum> --storageclass <eos::wfe::cxattr:CTA_StorageClass> --diskfilepath <eos::wfe::path> --diskfileowner <eos::wfe::username> --diskfilegroup <eos::wfe::groupname> --recoveryblob:base64 <eos::wfe::base64:metadata> --reportURL 'eosQuery://${EOS_INSTANCE}//eos/wfe/passwd?mgm.pcmd=event\&mgm.fid=<eos::wfe::fxid>\&mgm.logid=cta\&mgm.event=archived\&mgm.workflow=default\&mgm.path=/eos/wfe/passwd\&mgm.ruid=0\&mgm.rgid=0' --stderr" ${CTA_WF_DIR}
+eos attr set sys.workflow.closew.default="bash:shell:cta XrdSecPROTOCOL=${CTA_XrdSecPROTOCOL} XrdSecSSSKT=${CTA_KT} ${CTA_BIN} archive --user <eos::wfe::rusername> --group <eos::wfe::rgroupname> --diskid <eos::wfe::fid> --instance ignored_instance_name --srcurl <eos::wfe::turl> --size <eos::wfe::size> --checksumtype <eos::wfe::checksumtype> --checksumvalue <eos::wfe::checksum> --storageclass <eos::wfe::cxattr:CTA_StorageClass> --diskfilepath <eos::wfe::path> --diskfileowner <eos::wfe::username> --diskfilegroup <eos::wfe::groupname> --recoveryblob:base64 <eos::wfe::base64:metadata> --reportURL 'eosQuery://${EOS_INSTANCE}//eos/wfe/passwd?mgm.pcmd=event\&mgm.fid=<eos::wfe::fxid>\&mgm.logid=cta\&mgm.event=archived\&mgm.workflow=default\&mgm.path=/eos/wfe/passwd\&mgm.ruid=0\&mgm.rgid=0' --stderr" ${CTA_WF_DIR}
 
 # Set the worflow rule for creating tape file replicas in the EOS namespace.
 eos attr set sys.workflow.archived.default="bash:shell:cta eos file tag <eos::wfe::path> +<eos::wfe::cxattr:CTA_TapeFsId>" ${CTA_WF_DIR}
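Review bot: `--instance ignored_instance_name` on the closew workflow line replaces `eoscta` with a sentinel that still reads like a real value; if the frontend really derives the instance from the SSS user as the commit message states, that should be said where the argument is passed, otherwise the next reader will assume the literal matters. Suggest a comment on the line before the `eos attr set sys.workflow.closew.default=` line: `# --instance is not consumed by cta-frontend: the EOS instance comes from the SSS user (see ctafrontend.sh); the value is a placeholder`. If the frontend does parse or log the argument, passing the real `${EOS_INSTANCE}` defined at the top of this script is no more work and avoids a misleading log line. The same literal is introduced in eos_configure_preprod.sh in this patch and deserves the same comment there.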
diff --git a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh
index 7c8ce9e889..7774824ddf 100755
--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh
@@ -31,12 +31,12 @@ echo ${DATABASEURL} >/etc/cta/cta-catalogue.conf
 # EOS INSTANCE NAME used as username for SSS key
 EOSINSTANCE=ctaeos
 
-# Create SSS key for ctafrontend, must be forwardable in kubernetes realm
-echo y | xrdsssadmin -k ctafrontend+ -u ${EOSINSTANCE} -g cta add /etc/ctafrontend_SSS_s.keytab
-# copy it in the client file that contains only one SSS
-cp /etc/ctafrontend_SSS_s.keytab /etc/ctafrontend_SSS_c.keytab
-chmod 600 /etc/ctafrontend_SSS_s.keytab /etc/ctafrontend_SSS_c.keytab
-chown cta /etc/ctafrontend_SSS_s.keytab /etc/ctafrontend_SSS_c.keytab
+# Create SSS key for cta-cli, must be forwardable in kubernetes realm (this is what the + is for)
+# USER IN THE SSS FILE IS THE EOS INSTANCE NAME THE REST IS BS
+echo y | xrdsssadmin -k cta-cli+ -u ${EOSINSTANCE} -g cta add /etc/cta/cta-cli.sss.keytab
+chmod 600 /etc/cta/cta-cli.sss.keytab
+chown cta /etc/cta/cta-cli.sss.keytab
+# DO NOT FORGET THAT YOU CAN DEFINE SEPARATE CLIENT AND SERVER KEYTABS
 
 # Wait for the keytab file to be pushed in by the creation script.
 echo -n "Waiting for /etc/cta/cta-frontend.krb5.keytab"
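Review bot: The keytab created by `echo y | xrdsssadmin -k cta-cli+ -u ${EOSINSTANCE} -g cta add /etc/cta/cta-cli.sss.keytab` exists with the shell's umask until the `chmod 600` two lines later; unless xrdsssadmin itself creates the file 0600 (not verified here), the key is briefly readable more widely than intended, and create_instance.sh's `[ -f … ]` readiness probe can pick the file up inside that window. Running the creation under a restrictive umask closes the gap: `( umask 077; echo y | xrdsssadmin -k cta-cli+ -u ${EOSINSTANCE} -g cta add /etc/cta/cta-cli.sss.keytab )`. The add's exit status is also unchecked, so a failed creation surfaces only as the following `chmod`/`chown` complaining about a missing file; `|| exit 1` on the add line gives a direct failure. The enclosing script continues beyond this hunk.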
diff --git a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/eos_configure_preprod.sh b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/eos_configure_preprod.sh
index 339ccabe05..a0831211ad 100755
--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/eos_configure_preprod.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/eos_configure_preprod.sh
@@ -14,7 +14,7 @@ eos attr set CTA_StorageClass=ctaStorageClass ${PREPROD_DIR}
 
 eos attr set CTA_TapeFsId=65535 ${PREPROD_DIR}
 
-eos attr set sys.workflow.closew.default="bash:shell:cta XrdSecPROTOCOL=sss XrdSecSSSKT=/etc/ctafrontend_SSS_c.keytab ${CTA_BIN} archive --user <eos::wfe::rusername> --group <eos::wfe::rgroupname> --diskid <eos::wfe::fid> --instance eoscta --srcurl <eos::wfe::turl> --size <eos::wfe::size> --checksumtype <eos::wfe::checksumtype> --checksumvalue <eos::wfe::checksum> --storageclass <eos::wfe::cxattr:CTA_StorageClass> --diskfilepath <eos::wfe::path> --diskfileowner <eos::wfe::username> --diskfilegroup <eos::wfe::groupname> --recoveryblob:base64 cmVjb3ZlcnkK --reportURL 'eosQuery://ctaeos//eos/wfe/passwd?mgm.pcmd=event\&mgm.fid=<eos::wfe::fxid>\&mgm.logid=cta\&mgm.event=archived\&mgm.workflow=default\&mgm.path=/eos/wfe/passwd\&mgm.ruid=0\&mgm.rgid=0' --stderr" ${PREPROD_DIR}
+eos attr set sys.workflow.closew.default="bash:shell:cta XrdSecPROTOCOL=sss XrdSecSSSKT=/etc/cta/cta-cli.sss.keytab ${CTA_BIN} archive --user <eos::wfe::rusername> --group <eos::wfe::rgroupname> --diskid <eos::wfe::fid> --instance ignored_instance_name --srcurl <eos::wfe::turl> --size <eos::wfe::size> --checksumtype <eos::wfe::checksumtype> --checksumvalue <eos::wfe::checksum> --storageclass <eos::wfe::cxattr:CTA_StorageClass> --diskfilepath <eos::wfe::path> --diskfileowner <eos::wfe::username> --diskfilegroup <eos::wfe::groupname> --recoveryblob:base64 cmVjb3ZlcnkK --reportURL 'eosQuery://ctaeos//eos/wfe/passwd?mgm.pcmd=event\&mgm.fid=<eos::wfe::fxid>\&mgm.logid=cta\&mgm.event=archived\&mgm.workflow=default\&mgm.path=/eos/wfe/passwd\&mgm.ruid=0\&mgm.rgid=0' --stderr" ${PREPROD_DIR}
 
 #eos attr set sys.workflow.archived.default="bash:shell:cta eos file tag <eos::wfe::path> +<eos::wfe::cxattr:CTA_TapeFsId>" ${PREPROD_DIR}
 eos attr set sys.workflow.archived.default="bash:create_tape_drop_disk_replicas:cta <eos::wfe::path> <eos::wfe::cxattr:CTA_TapeFsId>" ${PREPROD_DIR}
diff --git a/continuousintegration/orchestration/create_instance.sh b/continuousintegration/orchestration/create_instance.sh
index a1f37ac88d..87c76607d8 100755
--- a/continuousintegration/orchestration/create_instance.sh
+++ b/continuousintegration/orchestration/create_instance.sh
@@ -275,11 +275,13 @@ kubectl --namespace=${instance} exec ctacli klist
 echo -n "Configuring cta SSS for ctafrontend access from ctaeos"
 for ((i=0; i<300; i++)); do
   echo -n "."
-  [ "`kubectl --namespace=${instance} exec ctafrontend -- bash -c "[ -f /etc/ctafrontend_SSS_c.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] && break
+  [ "`kubectl --namespace=${instance} exec ctafrontend -- bash -c "[ -f /etc/cta/cta-cli.sss.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] && break
   sleep 1
 done
-[ "`kubectl --namespace=${instance} exec ctafrontend -- bash -c "[ -f /etc/ctafrontend_SSS_c.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] || die "TIMED OUT"
-kubectl --namespace=${instance} exec ctafrontend -- cat /etc/ctafrontend_SSS_c.keytab | kubectl --namespace=${instance} exec -i ctaeos --  bash -c "cat > /etc/ctafrontend_SSS_c.keytab; chmod 600 /etc/ctafrontend_SSS_c.keytab; chown daemon /etc/ctafrontend_SSS_c.keytab"
+[ "`kubectl --namespace=${instance} exec ctafrontend -- bash -c "[ -f /etc/cta/cta-cli.sss.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] || die "TIMED OUT"
+# just in case /etc/cta directory does not exist yet
+kubectl --namespace=${instance} exec -i ctaeos --  bash -c "mkdir -p /etc/cta"
+kubectl --namespace=${instance} exec ctafrontend -- cat /etc/cta/cta-cli.sss.keytab | kubectl --namespace=${instance} exec -i ctaeos --  bash -c "cat > /etc/cta/cta-cli.sss.keytab; chmod 600 /etc/cta/cta-cli.sss.keytab; chown daemon /etc/cta/cta-cli.sss.keytab"
 echo OK
 
 
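Review bot: The copy on the `kubectl … cat /etc/cta/cta-cli.sss.keytab | kubectl … exec -i ctaeos -- bash -c "cat > …; chmod 600 …; chown daemon …"` line creates the keytab inside ctaeos with that container's default umask and tightens it only afterwards, and because the pipeline's status is that of the last `kubectl`, a failed `cat` on the ctafrontend side leaves an empty keytab while the script still prints OK. Writing under a restrictive umask and checking the result addresses both: `bash -c "umask 077; cat > /etc/cta/cta-cli.sss.keytab && chown daemon /etc/cta/cta-cli.sss.keytab" || die "failed to copy SSS keytab to ctaeos"`, together with `set -o pipefail` (or a size check on the copied file) so the producer's failure is not masked. The readiness probe above tests only `-f`, which is true as soon as xrdsssadmin has opened the file and before ctafrontend.sh has run its chmod/chown; a partial read is unlikely but `-s` is no more expensive and rules out an empty file. The `mkdir -p /etc/cta` exec does not need `-i`.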
diff --git a/eos_wfe_scripts/delete_archive_file b/eos_wfe_scripts/delete_archive_file
index 3abcd2089a..ffa8ae5211 100755
--- a/eos_wfe_scripts/delete_archive_file
+++ b/eos_wfe_scripts/delete_archive_file
@@ -4,8 +4,7 @@ EINVAL=22
 ECANCELED=125
 
 export XrdSecPROTOCOL=sss
-export XrdSecSSSKT=/etc/cta/cta-cli.sss.keytab   # This location is used on EOSCTATAPE
-export XrdSecSSSKT=/etc/ctafrontend_SSS_c.keytab # This location is used for CI
+export XrdSecSSSKT=/etc/cta/cta-cli.sss.keytab   # This location is used on EOSCTATAPE AND CI
 
 export XRD_STREAMTIMEOUT=600     # increased from 60s
 export XRD_TIMEOUTRESOLUTION=600 # increased from 15s
diff --git a/eos_wfe_scripts/retrieve_archive_file b/eos_wfe_scripts/retrieve_archive_file
index df67149a87..5085be1cf7 100755
--- a/eos_wfe_scripts/retrieve_archive_file
+++ b/eos_wfe_scripts/retrieve_archive_file
@@ -4,8 +4,7 @@ EINVAL=22
 ECANCELED=125
 
 export XrdSecPROTOCOL=sss
-export XrdSecSSSKT=/etc/cta/cta-cli.sss.keytab   # This location is used on EOSCTATAPE
-export XrdSecSSSKT=/etc/ctafrontend_SSS_c.keytab # This location is used for CI
+export XrdSecSSSKT=/etc/cta/cta-cli.sss.keytab   # This location is used on EOSCTATAPE AND CI
 
 export XRD_STREAMTIMEOUT=600     # increased from 60s
 export XRD_TIMEOUTRESOLUTION=600 # increased from 15s
-- 
GitLab