Wondering if anyone has integrated Open OnDemand with AFS. Trying to figure out authentication since I need a token to access the home directory.
I think Kerberos is a shortcoming on our side. I seem to recall a lot of discussion for the same if you search Kerberos on this site - but I don’t know if there was any resolution.
We can help as best we can, but since we don’t use it, we can only help guide. I don’t think we have a good test system for the same.
Kerberos-related problem. KRB5CCNAME is not available in PUN env variables. KRB5CCNAME points to a cached ticket file. Which is the best way to pick the REMOTE_USER env variable to automatically pass to the path of this local cached file?
To be more precise, if I edit /etc/ood/profile with the following:
and then I export in /etc/ood/config/nginx_stage.yml:
In /proc/PID_lbucci_passenger_core/environ I obtain:
How can I obtain the effective REMOTE_USER ‘lbucci’ instead of ‘root’ in the path?
I’m having to dig around for you. I think this is all happening before we boot the PUN. At that point (at a later point in time) LOGNAME are set correctly, but again, that may be later in the process.
Looks like you can pull the value from the SUDO_COMMAND environment variable. It is available when /etc/ood/profile is sourced, so you’re halfway there. You can just do something similar to this (I left SUDO_COMMAND populated here, but obviously it’ll be dynamic and set for you when you source
SUDO_COMMAND="/opt/ood/nginx_stage/sbin/nginx_stage pun -u jeff -a http%3a%2f%2flocalhost%3a8080%2fnginx%2finit%3fredir%3d%24http_x_forwarded_escaped_uri"
# quote the expansion so the command line is passed to sed as one argument
UNPRIV_USER=$(echo "$SUDO_COMMAND" | sed -r 's#.+\-u (.+) \-a.+#\1#g')
Note that I may not be dealing with newlines correctly there in echo, so that’s a pitfall you’ll have to look out for.
The point is that I need to populate the path to the cached ticket /var/run/httpd/clientcaches/lbucci@ENEA.IT with the remote user (lbucci), without hardcoding it with the option ‘-u lbucci’ in the SUDO_COMMAND but with something like ‘-u $REMOTE_USER’.
Is it possible? Should I follow a different strategy?
Thanks a lot for your support.
That’s not hard coded, though it was in that example. The SUDO_COMMAND that boots the per-user nginx will always have a variable -u <user>. I left it there in the example just because it was an example for demonstration. (I inspected the available environment by doing env > /tmp/somefile in
When the system sources /etc/ood/profile - the SUDO_COMMAND is already set by the system (so you don’t have to initialize it, set it or reset it), you just need to extract the user from that already set/dynamic environment variable.
As you can see while I was testing in a container, the command was -u jeff (my local container user).
If you tried it with a different user, the nginx_stage command would be different, that’s why we need sed or similar to extract it.
So your /etc/ood/profile could look something like
#!/bin/bash
# SUDO_COMMAND is something like '... nginx_stage -u ktrout -a ...'
# quote the expansion so the command line reaches sed as one argument
UNPRIV_USER=$(echo "$SUDO_COMMAND" | sed -r 's#.+\-u (.+) \-a.+#\1#g')
export KRB5CCNAME="FILE:/var/run/httpd/clientcaches/$UNPRIV_USER@ENEA.IT"
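Below is an added, stand-alone example of the /etc/ood/profile logic Jeff describes; it is written for this page and is not code from the thread or from the Open OnDemand project. It keeps the cache directory and realm from Luigi's path as defaults, walks SUDO_COMMAND as argv instead of piping it through echo and sed (which sidesteps the newline and word-splitting pitfall mentioned above), and refuses to export KRB5CCNAME when the extracted name contains anything that could not be a plain username, because the value becomes a path component in a file that runs as root. The function names, the username rule and the OOD_KRB5_* variables are this example's own choices; the SUDO_COMMAND used for the stand-alone run is constructed from the shape shown in the thread. It is POSIX sh, so it also works when sourced by bash.

```shell
#!/bin/sh
# Added example: derive KRB5CCNAME for the PUN user from the SUDO_COMMAND
# that sudo sets when root launches nginx_stage. Not OnDemand's own code.
# Assumed defaults (override via the environment if your site differs):
OOD_KRB5_CACHE_DIR="${OOD_KRB5_CACHE_DIR:-/var/run/httpd/clientcaches}"
OOD_KRB5_REALM="${OOD_KRB5_REALM:-ENEA.IT}"

# Print the argument following "-u" in a command line, or exit 1 if absent.
# The body is a subshell so "set -f" (no globbing while splitting) is local.
ood_user_from_sudo_command() (
    set -f
    set -- $1          # split into words the way the shell would (IFS)
    set +f
    while [ "$#" -gt 1 ]; do
        if [ "$1" = "-u" ]; then
            printf '%s\n' "$2"
            exit 0
        fi
        shift
    done
    exit 1
)

# Accept only names that look like a local account: no slashes, no leading
# dot or dash, only [A-Za-z0-9._-], at most 32 characters. Anything else
# must never become part of a path under the cache directory.
ood_valid_username() {
    case "$1" in
        '' | */* | .* | -* ) return 1 ;;
        *[!A-Za-z0-9._-]* ) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Build the FILE: credential cache path for a validated username.
ood_krb5ccname_for() {
    ood_valid_username "$1" || return 1
    printf 'FILE:%s/%s@%s\n' "$OOD_KRB5_CACHE_DIR" "$1" "$OOD_KRB5_REALM"
}

# What /etc/ood/profile would do: read the already-set SUDO_COMMAND and
# export KRB5CCNAME, or leave it untouched if anything looks wrong.
ood_export_krb5ccname() {
    _ood_user=$(ood_user_from_sudo_command "${SUDO_COMMAND:-}") || return 1
    _ood_cc=$(ood_krb5ccname_for "$_ood_user") || return 1
    export KRB5CCNAME="$_ood_cc"
    unset _ood_user _ood_cc
}

# Stand-alone run: use a constructed SUDO_COMMAND if sudo did not set one.
if [ -z "${SUDO_COMMAND:-}" ]; then
    SUDO_COMMAND='/opt/ood/nginx_stage/sbin/nginx_stage pun -u lbucci -a http%3a%2f%2flocalhost%3a8080%2fnginx%2finit%3fredir%3d%24http_x_forwarded_escaped_uri'
fi
if ood_export_krb5ccname; then
    printf 'KRB5CCNAME=%s\n' "$KRB5CCNAME"
    # A missing cache file is not fatal here, but worth noticing in the logs.
    [ -e "${KRB5CCNAME#FILE:}" ] || echo "warning: ${KRB5CCNAME#FILE:} does not exist yet" >&2
else
    echo 'refusing to set KRB5CCNAME: no valid -u <user> in SUDO_COMMAND' >&2
fi
```

In a real deployment only the functions and the final `ood_export_krb5ccname` call belong in /etc/ood/profile; the `-u` value there is whatever the portal mapped REMOTE_USER to, not something the browser supplies directly, and the validation exists because the profile runs as root before the PUN drops privileges.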
Thanks a lot! Now I have the Kerberos ticket!!!
My next step is to try to forward the ticket to log on to the nodes of our cluster.
If I succeed in this operation I will inform you.
Please share! I’m interested in seeing how you’ve configured everything!
Luigi, would you mind sharing what the auth section looks like in your ood_portal.yml file?
I appear to be authenticating but not getting a ticket. I’m getting permission denied (Errno::EACCES) when trying to create the ondemand directory. I’m missing something obvious.
Jeff, could you give a little background here? So you’ve created a file called profile in /etc/ood. Executable by root/apache? Does this have to be defined somewhere? Is this different than the Configuration Profiles in the documentation?
Not executable, 644 or even maybe 600. No need to define it somewhere, the system will source it if it exists just before starting the PUN.
Yes very different - I think it was shadowing /etc/profile.d files for shells.
/etc/ood/profile is all about setting environment variables for the entire PUN.