Commit 7e8a91ba authored by Michael Davis's avatar Michael Davis

[kill-bash] Changes CI to use /etc/cta/eos.sss.keytab

cta-cli.sss.keytab is deprecated. CTA Frontend now uses
/etc/cta/eos.sss.keytab, which should contain one SSS key per EOS
instance (only one in the case of CI).
parent e087243a
......@@ -34,7 +34,6 @@ eoshost=`hostname -f`
EOS_INSTANCE=`hostname -s`
TAPE_FS_ID=65535
CTA_BIN=/usr/bin/eoscta_stub
CTA_KT=/etc/cta/cta-cli.sss.keytab
CTA_XrdSecPROTOCOL=sss
CTA_PROC_DIR=/eos/${EOS_INSTANCE}/proc/cta
CTA_WF_DIR=${CTA_PROC_DIR}/workflow
......
......@@ -30,13 +30,6 @@ echo ${DATABASEURL} >/etc/cta/cta-catalogue.conf
# EOS INSTANCE NAME used as username for SSS key
EOSINSTANCE=ctaeos
# Create SSS key for cta-cli, must be forwardable in kubernetes realm (this is what the + is for)
# USER IN THE SSS FILE IS THE EOS INSTANCE NAME THE REST IS BS
echo y | xrdsssadmin -k cta-cli+ -u ${EOSINSTANCE} -g cta add /etc/cta/cta-cli.sss.keytab
chmod 600 /etc/cta/cta-cli.sss.keytab
chown cta /etc/cta/cta-cli.sss.keytab
# DO NOT FORGET THAT YOU CAN DEFINE SEPARATE CLIENT AND SERVER KEYTABS
# Wait for the keytab file to be pushed in by the creation script.
echo -n "Waiting for /etc/cta/cta-frontend.krb5.keytab"
for ((;;)); do test -e /etc/cta/cta-frontend.krb5.keytab && break; sleep 1; echo -n .; done
......
......@@ -275,16 +275,15 @@ kubectl --namespace=${instance} exec ctacli klist
echo -n "Configuring cta SSS for ctafrontend access from ctaeos"
for ((i=0; i<300; i++)); do
echo -n "."
[ "`kubectl --namespace=${instance} exec ctafrontend -- bash -c "[ -f /etc/cta/cta-cli.sss.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] && break
[ "`kubectl --namespace=${instance} exec ctaeos -- bash -c "[ -f /etc/eos.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] && break
sleep 1
done
[ "`kubectl --namespace=${instance} exec ctafrontend -- bash -c "[ -f /etc/cta/cta-cli.sss.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] || die "TIMED OUT"
# just in case /etc/cta directory does not exist yet
kubectl --namespace=${instance} exec -i ctaeos -- bash -c "mkdir -p /etc/cta"
kubectl --namespace=${instance} exec ctafrontend -- cat /etc/cta/cta-cli.sss.keytab | kubectl --namespace=${instance} exec -i ctaeos -- bash -c "cat > /etc/cta/cta-cli.sss.keytab; chmod 600 /etc/cta/cta-cli.sss.keytab; chown daemon /etc/cta/cta-cli.sss.keytab"
[ "`kubectl --namespace=${instance} exec ctaeos -- bash -c "[ -f /etc/eos.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] || die "TIMED OUT"
kubectl --namespace=${instance} exec ctaeos -- grep ${EOSINSTANCE} /etc/eos.keytab | sed "s/daemon/${EOSINSTANCE}/g" |\
kubectl --namespace=${instance} exec -i ctafrontend -- \
bash -c "cat > /etc/cta/eos.sss.keytab; chmod 400 /etc/cta/eos.sss.keytab; chown cta:cta /etc/cta/eos.sss.keytab"
echo OK
echo -n "Waiting for EOS to be configured"
for ((i=0; i<300; i++)); do
echo -n "."
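Review bot: The copy of the SSS key on lines 45–47 is never checked: if `grep ${EOSINSTANCE} /etc/eos.keytab` matches nothing or the first `kubectl exec` fails, an empty /etc/cta/eos.sss.keytab is written on ctafrontend and the script still prints OK, because without `set -o pipefail` only the status of the final `kubectl exec -i` stage is visible. Capture the key line first and fail on empty: `eos_key=$(kubectl --namespace=${instance} exec ctaeos -- grep "${EOSINSTANCE}" /etc/eos.keytab | sed "s/daemon/${EOSINSTANCE}/g")`, then `[ -n "${eos_key}" ] || die "no SSS key for ${EOSINSTANCE} in /etc/eos.keytab"`, and feed `printf '%s\n' "${eos_key}"` into the existing `kubectl --namespace=${instance} exec -i ctafrontend -- bash -c "…"` pipeline. Since the file holds key material, the `cat > …; chmod 400 …` sequence on line 47 also creates it with the umask default before tightening it; starting that bash -c with `umask 077;` closes that window. The hunk sits inside a longer script whose surrounding lines are outside this view.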
......
......@@ -23,7 +23,7 @@ xrootd.seclib libXrdSec.so
# Protocol specification
# The xroot server process needs to be able to read the keytab file
sec.protocol krb5 /etc/cta/cta-frontend.krb5.keytab cta/cta-frontend@TEST.CTA
sec.protocol sss -s /etc/cta/cta-cli.sss.keytab
sec.protocol sss -s /etc/cta/eos.sss.keytab
# Only Kerberos 5 and sss are allowed
sec.protbind * only sss krb5
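Review bot: The comment above `sec.protocol sss -s /etc/cta/eos.sss.keytab` only says the xroot server process must be able to read the keytab; it does not say what the new file is expected to contain, which is the point of this change. Per the commit description it should hold one SSS key per EOS instance, and that is worth recording next to the path, e.g. `# /etc/cta/eos.sss.keytab: one SSS key per EOS instance; the xroot server process must be able to read it`. Whether the file's ownership matches the user the frontend xrootd runs as is set up elsewhere (the CI script chowns it to cta:cta) and cannot be confirmed from this hunk.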
......