From fa53c390da02d506088390efa9452de14fd210b8 Mon Sep 17 00:00:00 2001 From: Maciej Szymanski <maciej.szymanski@cern.ch> Date: Fri, 4 Feb 2022 14:57:36 +0100 Subject: [PATCH] use keytab to authenticate the job running the test --- lb/nightly/functions/common.py | 20 +++++++++++++++----- lb/nightly/functions/rpc.py | 2 +- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/lb/nightly/functions/common.py b/lb/nightly/functions/common.py index 512f66ea..16ef04d1 100644 --- a/lb/nightly/functions/common.py +++ b/lb/nightly/functions/common.py @@ -186,7 +186,9 @@ def get_build_method(project=None): def safe_dict(mydict): """Helper to return the dictionary without sensitive data To be used e.g. to remove secret environment variables. - >>> d={"PASSWORD": "my_secret_pass", "PASS": "asd", "USER": "me", "KEY": "asd", "TOKEN": "asd", "PRIVATE": "Asd", "HOME": "Asd", "SHA": "asd"} + >>> d={"PASSWORD": "my_secret_pass", "PASS": "asd", "USER": "me",\ + "KEY": "asd", "TOKEN": "asd", "PRIVATE": "Asd", "HOME": "Asd",\ + "SHA": "asd", "KRB5CCNAME": "FILE:/tmp/user_123"} >>> safe_dict(d) {} """ @@ -203,6 +205,7 @@ def safe_dict(mydict): "PRIVATE", "HOME", "SHA", + "KRB5", ] ) } @@ -242,8 +245,15 @@ def singularity_run( try: run( - ["kinit", "-c", krb_token.name, krb_auth[0]], - input=krb_auth[1].encode(), + [ + "kinit", + "-c", + krb_token.name, + "-k", + "-t", + krb_auth[1], + krb_auth[0], + ], check=True, ) except (CalledProcessError, IndexError): @@ -283,7 +293,7 @@ def singularity_run( } log_body.update( { - "log": f"Running command: {cmd} with env: {s_env}", + "log": f"Running command: {cmd} with env: {safe_dict(s_env)}", "timestamp": datetime.now(timezone.utc), } ) 
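Review bot: The updated doctest in safe_dict's docstring still expects `{}`, so it would pass even if the function dropped every key. Adding one entry whose name matches none of the filtered fragments and expecting it back in the result would pin the filtering itself. The new backslash line continuations only work while the docstring is a non-raw string; doctest's own `...` continuation prompt is the sturdier form. The filter body is outside this hunk.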
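Review bot: The new `"KRB5"` entry extends a name-based deny-list, so a credential-bearing variable whose name contains none of the listed fragments still passes through safe_dict into the logs. The matching code is outside this hunk; it is presumably a substring test on the key, which is worth confirming. A one-line comment such as `# "KRB5" covers KRB5CCNAME and other KRB5* variables` would make the intent of the fragment clear. For log output, an allow-list of variables known to be harmless would fail closed rather than open.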
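Review bot: The keytab path in `krb_auth[1]` is handed to `kinit -k -t` without any check on the file, and a keytab is a long-lived credential equivalent to the password it replaces. Checking before the call that the file is not accessible to group or others, e.g. `if os.stat(krb_auth[1]).st_mode & 0o077: raise PermissionError("keytab permissions too open")`, would turn a loosely protected keytab into a clear failure (assuming `os` is available in this module). Separately, `except (CalledProcessError, IndexError)` would not catch a missing `kinit` binary, which raises `FileNotFoundError`. The handler body and the rest of singularity_run are outside this hunk.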
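Review bot: `cmd` is still interpolated unfiltered into the `"log"` message, so only the environment part of the line is redacted. Whether the command line can carry credential-bearing arguments is not visible here and should be confirmed. The same applies to the `logfile.write` call in the `@@ -296,7 +306,7 @@` hunk. Computing `safe_env = safe_dict(s_env)` once and using it in both messages would keep the two log sites from drifting apart. singularity_run's body continues outside both hunks.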
@@ -296,7 +306,7 @@ def singularity_run( with open(env.get("TASK_LOGFILE"), "a") as logfile: logfile.write( f"{datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M:%S')}: " - f"Running command: {cmd} with {s_env}\n" + f"Running command: {cmd} with {safe_dict(s_env)}\n" ) # to collect the build messages we communicate through the UNIX socket diff --git a/lb/nightly/functions/rpc.py b/lb/nightly/functions/rpc.py index 35d225b1..63ebd1d9 100644 --- a/lb/nightly/functions/rpc.py +++ b/lb/nightly/functions/rpc.py @@ -337,7 +337,7 @@ def test( try: krb_auth = ( lbnightly_settings()["kerberos"]["user"], - lbnightly_settings()["kerberos"]["password"], + lbnightly_settings()["kerberos"]["keytab"], ) except KeyError: krb_auth = None -- GitLab
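Review bot: With the settings key renamed to `["kerberos"]["keytab"]`, a deployment that still has only `password` configured now falls into the `except KeyError` branch and continues with `krb_auth = None`, and nothing in this hunk records that. A warning in that branch, for example `logger.warning("kerberos keytab not configured; running test without Kerberos credentials")` (using whatever logger this module has), would make the fallback visible to operators. How `None` is handled downstream is outside the hunk.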