Commit 1adc6377 authored by Fabio Luchetti's avatar Fabio Luchetti

Add eos-user krb5 credential and distribute the related keytab to the clients

parent 8bd2279e
......@@ -12,7 +12,8 @@ echo Done.
# Populate KDC and generate keytab files
echo -n "Populating kdc... "
/usr/lib/heimdal/bin/kadmin -l -r TEST.EOS add --random-password --use-defaults admin1 host/eos-mgm1.eoscluster.cern.ch
/usr/lib/heimdal/bin/kadmin -l -r TEST.EOS add --random-password --use-defaults admin1 host/eos-mgm1.eoscluster.cern.ch eos-user
/usr/lib/heimdal/bin/kadmin -l -r TEST.EOS ext_keytab --keytab=/root/admin1.keytab admin1
/usr/lib/heimdal/bin/kadmin -l -r TEST.EOS ext_keytab --keytab=/root/eos.keytab host/eos-mgm1.eoscluster.cern.ch
/usr/lib/heimdal/bin/kadmin -l -r TEST.EOS ext_keytab --keytab=/root/eos-user.keytab eos-user
echo Done.
......@@ -6,10 +6,12 @@ kdb5_util create -r TEST.EOS -s -P testeos
# Add Kerberos entities
kadmin.local -r TEST.EOS add_principal -randkey -maxlife 0 -maxrenewlife 0 admin1
kadmin.local -r TEST.EOS add_principal -randkey -maxlife 0 -maxrenewlife 0 host/eos-mgm1.eoscluster.cern.ch
kadmin.local -r TEST.EOS add_principal -randkey -maxlife 0 -maxrenewlife 0 eos-user
# Generate keytab files
kadmin.local -r TEST.EOS ktadd -k /root/admin1.keytab admin1
kadmin.local -r TEST.EOS ktadd -k /root/eos.keytab host/eos-mgm1.eoscluster.cern.ch
kadmin.local -r TEST.EOS ktadd -k /root/eos-user.keytab eos-user
# Start the kdc
/usr/sbin/krb5kdc -r TEST.EOS
......@@ -113,9 +113,8 @@ fi
# Applying Kerberos keytab to EOS cluster
echo -e "\n\n*** Applying Kerberos keytab on EOS cluster"
TMP_EOS_KEYTAB=mktemp
docker cp eos-kdc:/root/eos.keytab $TMP_EOS_KEYTAB
docker cp $TMP_EOS_KEYTAB eos-mgm1:/etc/eos.krb5.keytab
TMP_EOS_KEYTAB=$(mktemp)
docker cp eos-kdc:/root/eos.keytab $TMP_EOS_KEYTAB && docker cp $TMP_EOS_KEYTAB eos-mgm1:/etc/eos.krb5.keytab
rm -f $TMP_EOS_KEYTAB
# MGM server setup
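Review bot: The new `&&` chain on the `docker cp` line fails silently: if the copy out of `eos-kdc` fails, the second copy is skipped, the temp file is removed on the next line and the setup continues with no keytab installed on `eos-mgm1` (unless the script runs under `set -e`, which is not visible here), so the failure only surfaces later in the MGM setup. Terminate the chain with an explicit abort, e.g. `docker cp eos-kdc:/root/eos.keytab "$TMP_EOS_KEYTAB" && docker cp "$TMP_EOS_KEYTAB" eos-mgm1:/etc/eos.krb5.keytab || { echo "failed to install eos.keytab on eos-mgm1" >&2; rm -f "$TMP_EOS_KEYTAB"; exit 1; }`, and quote `"$TMP_EOS_KEYTAB"` on the `rm -f` line as well. Replacing the literal `TMP_EOS_KEYTAB=mktemp` with `$(mktemp)` is the right fix, and staging the keytab in a `mktemp` file (created mode 0600) rather than piping it is preferable; a comment such as `# keytab is staged via a 0600 temp file on the host; docker cp is assumed to preserve that mode in the container` would make the intent explicit.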
......@@ -177,11 +176,21 @@ for (( i=1; i<=$n_client; i++ )); do
CLIENTHOSTNAME=eos-cli${i}
docker run --privileged --pid=host -dit -h ${CLIENTHOSTNAME}.eoscluster.cern.ch --name ${CLIENTHOSTNAME} --net=eoscluster.cern.ch --net-alias=${CLIENTHOSTNAME} ${deb_cli_img:-$image}
# Kerberos client configuration
docker exec -i eos-kdc cat /root/admin1.keytab | docker exec -i ${CLIENTHOSTNAME} bash -c "cat > /root/admin1.keytab"
# Kerberos client configuration, admin1 and eos-user
TMP_EOS_KEYTAB=$(mktemp)
docker cp eos-kdc:/root/admin1.keytab $TMP_EOS_KEYTAB && docker cp $TMP_EOS_KEYTAB eos-cli1:/root/admin1.keytab
rm -f $TMP_EOS_KEYTAB
docker exec -i ${CLIENTHOSTNAME} kinit -kt /root/admin1.keytab admin1@TEST.EOS
docker exec -i ${CLIENTHOSTNAME} kvno host/eos-mgm1.eoscluster.cern.ch
TMP_EOS_KEYTAB=$(mktemp)
docker cp eos-kdc:/root/eos-user.keytab $TMP_EOS_KEYTAB && docker cp $TMP_EOS_KEYTAB eos-cli1:/home/eos-user/eos-user.keytab
rm -f $TMP_EOS_KEYTAB
docker exec -i ${CLIENTHOSTNAME} chown eos-user:eos-user /home/eos-user/eos-user.keytab
docker exec -i ${CLIENTHOSTNAME} chmod 400 /home/eos-user/eos-user.keytab
docker exec -i -u eos-user ${CLIENTHOSTNAME} kinit -kt /home/eos-user/eos-user.keytab eos-user@TEST.EOS
docker exec -i -u eos-user ${CLIENTHOSTNAME} kvno host/eos-mgm1.eoscluster.cern.ch
if [[ $with_proxy == 1 ]]; then
# Set created proxy server as cluster access point for EOS client
docker exec -i ${CLIENTHOSTNAME} bash -c "echo 'export '"$proxy_EOS_MGM_URL" >> /root/.bashrc; source /root/.bashrc"
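Review bot: The two new `docker cp` targets `eos-cli1:/root/admin1.keytab` and `eos-cli1:/home/eos-user/eos-user.keytab` hard-code the first client while every other command in the loop body uses `${CLIENTHOSTNAME}`; with `n_client` greater than 1 both keytabs are rewritten on `eos-cli1` on every iteration and the `kinit -kt` calls on `eos-cli2` and later fail because the files are missing there. Use the loop variable on both lines: `docker cp eos-kdc:/root/admin1.keytab "$TMP_EOS_KEYTAB" && docker cp "$TMP_EOS_KEYTAB" ${CLIENTHOSTNAME}:/root/admin1.keytab` and `docker cp eos-kdc:/root/eos-user.keytab "$TMP_EOS_KEYTAB" && docker cp "$TMP_EOS_KEYTAB" ${CLIENTHOSTNAME}:/home/eos-user/eos-user.keytab`. Because neither `docker cp` chain nor the `kinit`/`kvno` calls are checked, a missing or unreadable keytab only produces an error message and the setup continues, so consider aborting when `kinit` returns non-zero. The `chown eos-user:eos-user` plus `chmod 400` on the user keytab is appropriate; it presumes `/home/eos-user` already exists in the client image, which is not visible in this hunk. The enclosing `for` loop starts before the hunk and its `if [[ $with_proxy == 1 ]]` body continues past the hunk end.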