[kill-bash] Changes CI to use /etc/cta/eos.sss.keytab

cta-cli.sss.keytab is deprecated. CTA Frontend now uses /etc/cta/eos.sss.keytab, which should contain one SSS key per EOS instance (only one in the case of CI).

[kill-bash] Changes CI to use /etc/cta/eos.sss.keytab
7e8a91ba · Michael Davis · e087243a · 7e8a91ba · 7e8a91ba · 7e8a91ba
Commit 7e8a91ba authored 7 years ago by Michael Davis
--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
@@ -34,7 +34,6 @@ eoshost=`hostname -f`
 EOS_INSTANCE=`hostname -s`
 TAPE_FS_ID=65535
 CTA_BIN=/usr/bin/eoscta_stub
-CTA_KT=/etc/cta/cta-cli.sss.keytab
 CTA_XrdSecPROTOCOL=sss
 CTA_PROC_DIR=/eos/${EOS_INSTANCE}/proc/cta
 CTA_WF_DIR=${CTA_PROC_DIR}/workflow

--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh
@@ -30,13 +30,6 @@ echo ${DATABASEURL} >/etc/cta/cta-catalogue.conf
 # EOS INSTANCE NAME used as username for SSS key
 EOSINSTANCE=ctaeos

-# Create SSS key for cta-cli, must be forwardable in kubernetes realm (this is what the + is for)
-# USER IN THE SSS FILE IS THE EOS INSTANCE NAME THE REST IS BS
-echo y | xrdsssadmin -k cta-cli+ -u ${EOSINSTANCE} -g cta add /etc/cta/cta-cli.sss.keytab
-chmod 600 /etc/cta/cta-cli.sss.keytab
-chown cta /etc/cta/cta-cli.sss.keytab
-# DO NOT FORGET THAT YOU CAN DEFINE SEPARATE CLIENT AND SERVER KEYTABS
-
 # Wait for the keytab file to be pushed in by the creation script.
 echo -n "Waiting for /etc/cta/cta-frontend.krb5.keytab"
 for ((;;)); do test -e /etc/cta/cta-frontend.krb5.keytab && break; sleep 1; echo -n .; done

--- a/continuousintegration/orchestration/create_instance.sh
+++ b/continuousintegration/orchestration/create_instance.sh
@@ -275,16 +275,15 @@ kubectl --namespace=${instance} exec ctacli klist
 echo -n "Configuring cta SSS for ctafrontend access from ctaeos"
 for ((i=0; i<300; i++)); do
  echo -n "."
-  [ "`kubectl --namespace=${instance} exec ctafrontend -- bash -c "[ -f /etc/cta/cta-cli.sss.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] && break
+  [ "`kubectl --namespace=${instance} exec ctaeos -- bash -c "[ -f /etc/eos.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] && break
  sleep 1
 done
-[ "`kubectl --namespace=${instance} exec ctafrontend -- bash -c "[ -f /etc/cta/cta-cli.sss.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] || die "TIMED OUT"
-# just in case /etc/cta directory does not exist yet
-kubectl --namespace=${instance} exec -i ctaeos --  bash -c "mkdir -p /etc/cta"
-kubectl --namespace=${instance} exec ctafrontend -- cat /etc/cta/cta-cli.sss.keytab | kubectl --namespace=${instance} exec -i ctaeos --  bash -c "cat > /etc/cta/cta-cli.sss.keytab; chmod 600 /etc/cta/cta-cli.sss.keytab; chown daemon /etc/cta/cta-cli.sss.keytab"
+[ "`kubectl --namespace=${instance} exec ctaeos -- bash -c "[ -f /etc/eos.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] || die "TIMED OUT"
+kubectl --namespace=${instance} exec ctaeos -- grep ${EOSINSTANCE} /etc/eos.keytab | sed "s/daemon/${EOSINSTANCE}/g" |\
+kubectl --namespace=${instance} exec -i ctafrontend -- \
+bash -c "cat > /etc/cta/eos.sss.keytab; chmod 400 /etc/cta/eos.sss.keytab; chown cta:cta /etc/cta/eos.sss.keytab"
 echo OK

-
 echo -n "Waiting for EOS to be configured"
 for ((i=0; i<300; i++)); do
  echo -n "."

--- a/xroot_plugins/cta-frontend-xrootd.conf
+++ b/xroot_plugins/cta-frontend-xrootd.conf
@@ -23,7 +23,7 @@ xrootd.seclib libXrdSec.so
 # Protocol specification
 # The xroot server process needs to be able to read the keytab file
 sec.protocol krb5 /etc/cta/cta-frontend.krb5.keytab cta/cta-frontend@TEST.CTA
-sec.protocol sss -s /etc/cta/cta-cli.sss.keytab
+sec.protocol sss -s /etc/cta/eos.sss.keytab

 # Only Kerberos 5 and sss are allowed
 sec.protbind * only sss krb5