Open OnDemand and AFS

Wondering if anyone has integrated Open OnDemand with AFS. Trying to figure out authentication since I need a token to access the home directory.

I think kerberos is a shortcoming on our side. I seem to recall a lot of discussion for the same if you search Kerberos on this site - but I don’t know if there was any resolution.

We can help as best we can, but since we don’t use it, we can only help guide. I don’t think we have a good test system for the same.

Kerberos related problem. KRB5CCNAME is not available in PUN env variables. KRB5CCNAME points to a cached ticket file. Which is the best way to pick REMOTE_USER env variable to automatically pass to the path of this local cached file?

Thanks,
Luiss

To be more precise, if I edit /etc/ood/profile with the following:
export KRB5CCNAME=FILE:/var/run/httpd/clientcaches/$REMOTE_USER@ENEA.IT
and then I export in /etc/ood/config/nginx_stage.yml:
pun_custom_env_declarations:
- KRB5CCNAME
In /proc/PID_lbucci_passenger_core/environ I obtain:
KRB5CCNAME=FILE:/var/run/httpd/clientcaches/root@ENEA.IT
instead of
KRB5CCNAME=FILE:/var/run/httpd/clientcaches/lbucci@ENEA.IT
How can I obtain the effective REMOTE_USER ‘lbucci’ instead of ‘root’ in the path?

Thanks,
Luiss

I’m having to dig around for you. I think this is all happening before we boot the PUN. At that point (at a later point in time) USER and LOGNAME are set correctly, but again, that may be later in the process.

Looks like you can pull the value from the SUDO_COMMAND. The SUDO_COMMAND environment variable is available when /etc/ood/profile is sourced, so you're halfway there. You can just do something similar to this (I left SUDO_COMMAND populated here, but obviously it'll be dynamic and set for you when you source /etc/ood/profile)

SUDO_COMMAND="/opt/ood/nginx_stage/sbin/nginx_stage pun -u jeff -a http%3a%2f%2flocalhost%3a8080%2fnginx%2finit%3fredir%3d%24http_x_forwarded_escaped_uri"

UNPRIV_USER=$(echo $SUDO_COMMAND | sed -r 's#.+\-u (.+) \-a.+#\1#g')

Note that I may not be dealing with newlines correctly there in sed and echo, so that’s a pitfall you’ll have to look out for.

Dear Jeff,
the point is that I need to populate the path to the cached ticket /var/run/httpd/clientcaches/lbucci@ENEA.IT
with the remote_user (lbucci), without hardcoding it with the option ‘-u lbucci’ in the SUDO_COMMAND but with something like ‘-u $REMOTE_USER’.
Is it possible? Should I follow a different strategy?

Thanks a lot for your support.

That's not hard coded, though it was in that example. The SUDO_COMMAND that boots the per-user nginx will always have a variable -u <user>. I left it there in the example just because it was an example for demonstration. (I inspected the available environment by doing env > /tmp/somefile in /etc/ood/profile)

When the system sources /etc/ood/profile - the SUDO_COMMAND is already set by the system (so you don’t have to initialize it, set it or reset it), you just need to extract the user from that already set/dynamic environment variable.

As you can see while I was testing in a container, the command was -u jeff (my local container user).

If you tried it with a different user, the nginx_stage command would be different, that’s why we need sed or similar to extract it.

So your /etc/ood/profile could look something like

#!/bin/bash

# SUDO_COMMAND is something like '... nginx_stage pun -u ktrout -a ...'
# Quote the variable so the command line is passed to sed unchanged.

UNPRIV_USER=$(echo "$SUDO_COMMAND" | sed -r 's#.+\-u (.+) \-a.+#\1#g')
export KRB5CCNAME="FILE:/var/run/httpd/clientcaches/$UNPRIV_USER@ENEA.IT"

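The extraction above works, but the greedy `.+` pattern and the unvalidated result mean that whatever sits between `-u` and `-a` ends up inside a file path that root then hands to the PUN. As an added example (not code from the thread or from the Open OnDemand project), here is a version of the same /etc/ood/profile logic that matches only a whitespace-free username, rejects anything that could escape the cache directory, and checks that the delegated ccache actually exists and belongs to that user. The cache directory, the realm EXAMPLE.ORG and the sample command line are assumptions for the example.

```bash
#!/bin/bash
# Added example: derive the PUN user's Kerberos ccache from SUDO_COMMAND,
# as /etc/ood/profile would, with validation. Not part of the original thread.

# Extract the "-u <user>" argument from an nginx_stage command line.
# Prints the user on stdout; returns 1 if no acceptable user is found.
unpriv_user_from_sudo_command() {
    local cmd="$1"
    local user
    # Match "-u <token>" where <token> contains no whitespace, instead of a
    # greedy ".+" that would misbehave if the -a value ever contained " -a".
    user=$(printf '%s\n' "$cmd" | sed -nE 's/.* -u ([^[:space:]]+)( .*)?$/\1/p')
    [ -n "$user" ] || return 1
    # Only plain usernames: letters, digits, dot, underscore, dash, and not
    # starting with a dot. Otherwise a crafted argument such as "../../etc"
    # would steer KRB5CCNAME outside the cache directory.
    case "$user" in
        *[!A-Za-z0-9._-]*|.*) return 1 ;;
    esac
    printf '%s\n' "$user"
}

# Assumed locations for the example: the mod_auth_gssapi delegation directory
# (GssapiDelegCcacheDir) and the Kerberos realm.
CCACHE_DIR=/var/run/httpd/clientcaches
KRB_REALM=EXAMPLE.ORG

# Build the FILE: ccache name for a given user.
krb5ccname_for_user() {
    local user="$1"
    printf 'FILE:%s/%s@%s\n' "$CCACHE_DIR" "$user" "$KRB_REALM"
}

# Return 0 if the ccache file exists and is owned by the user, 1 otherwise.
# Without this the PUN would start silently without a ticket (or, worse, with
# a cache belonging to someone else if permissions are too wide).
ccache_usable() {
    local ccname="$1" user="$2"
    local path="${ccname#FILE:}"
    [ -f "$path" ] || return 1
    [ -n "$(find "$path" -prune -user "$user" -print 2>/dev/null)" ]
}

# Constructed sample of the command line nginx_stage uses to boot a PUN.
SAMPLE_SUDO_COMMAND='/opt/ood/nginx_stage/sbin/nginx_stage pun -u ktrout -a http%3a%2f%2flocalhost%3a8080%2fnginx%2finit%3fredir%3d%24http_x_forwarded_escaped_uri'

# When sourced from /etc/ood/profile, SUDO_COMMAND is already set by sudo;
# fall back to the sample so the script also runs stand-alone.
if user=$(unpriv_user_from_sudo_command "${SUDO_COMMAND:-$SAMPLE_SUDO_COMMAND}"); then
    ccname=$(krb5ccname_for_user "$user")
    if ccache_usable "$ccname" "$user"; then
        export KRB5CCNAME="$ccname"
    else
        echo "warning: no usable ccache at $ccname for $user" >&2
    fi
fi
```

Exporting KRB5CCNAME only after the ownership check keeps a missing or foreign cache from being picked up silently; the warning goes to stderr, which nginx_stage leaves visible in its own logs rather than in the user's app.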
Thanks a lot! Now I have the Kerberos ticket!!!
My next step is to try to forward the ticket to logon on the nodes of our cluster.
If I succeed in this operation I will inform you.

Best Regards,
Luiss


Please share! I’m interested in seeing how you’ve configured everything!

Luigi, would you mind sharing what the auth section looks like in your ood_portal.yml file?
I appear to be authenticating but not getting a ticket. I’m getting permission denied (Errno::EACCES) when trying to create the ondemand directory. I’m missing something obvious.

Jeff, could you give a little background here? So you’ve created a file called profile in /etc/ood. Executable by root/apache? Does this have to be defined somewhere? Is this different than the Configuration Profiles in the documentation?

Not executable, 644 or even maybe 600. No need to define it somewhere, the system will source it if it exists just before starting the PUN.

Yes very different - I think it was shadowing /etc/profile.d files for shells. /etc/ood/profile is all about setting environment variables for the entire PUN.

https://osc.github.io/ood-documentation/latest/reference/pun-environment.html

Dear David,
to get the kerberos ticket and the AFS token I use the mod_auth_gssapi and the mod_waklog modules. In this way I am able to access the AFS-filesystem and also propagate the ticket/token to our compute login nodes.
The Apache directives I use are the following:
AuthType GSSAPI
AuthName "GSSAPI Login"
GssapiBasicAuth On
GssapiCredStore keytab:/etc/ood/http.keytab
GssapiLocalName On
GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache
GssapiDelegCcacheDir /var/run/httpd/clientcaches
GssapiDelegCcachePerms mode:4660
Require valid-user
WaklogEnabled On
WaklogUseUserTokens On

I hope this helps you.

Best Regards
Luigi

Thank you Luigi. Am I correct in that you do not use mod_session?

You’re right, I don’t use it.

Sorry to keep asking questions. Did you have to set WaklogAFSCell? If so, where?

I find a working solution is to manually enter these settings at the top of the ood-portal.conf file.

LoadModule auth_gssapi_module /opt/rh/httpd/root/etc/httpd/modules/mod_auth_gssapi.so
LoadModule waklog_module /opt/rh/httpd/root/etc/httpd/modules/mod_waklog.so

WaklogAfsCell enea.it

I am sure that Jeff has a more elegant way to include these settings via ood_portal.yml.

Luigi

The workaround right now is to add the lines to the ssl config. Even though they’re not a part of the ssl config, they’re templated in the right place.