Kerberos

If your workflow needs to access external services, such as EOS, from within its jobs, you can use Kerberos authentication.

Generating keytab file

At CERN, you can connect to lxplus.cern.ch to generate a Kerberos keytab file for passwordless authentication in the following way:

$ cern-get-keytab --keytab ~/.keytab --user --login johndoe

You can test the freshly generated keytab file as follows:

$ kdestroy; kinit -kt ~/.keytab johndoe; klist
Ticket cache: FILE:/tmp/krb5cc_1234_5678
Default principal: johndoe@CERN.CH

Valid starting       Expires              Service principal
07/05/2023 18:04:13  07/06/2023 19:04:13  krbtgt/CERN.CH@CERN.CH
    renew until 07/10/2023 18:04:13
07/05/2023 18:04:13  07/06/2023 19:04:13  afs/cern.ch@CERN.CH
    renew until 07/10/2023 18:04:13
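
A keytab holds the long-term keys of the principal, so it is worth checking the file before it is uploaded as a REANA secret. The following is an added example, not part of the REANA documentation or of reana-client: it parses the keytab version 0x0502 layout and reports loose file permissions, unexpected principals and deprecated encryption types. The names `parse_keytab`, `check_keytab`, `WEAK` and the sample bytes are assumptions made for illustration.

```python
import os
import struct

# Deprecated Kerberos enctypes (single DES, 3DES, RC4) by assigned number.
WEAK = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}

def _counted(buf, p):  # read a uint16 length-prefixed byte string at offset p
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Yield (principal, kvno, enctype) from keytab version 0x0502 bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size == 0:                 # a zero length ends the file
            break
        rec, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size < 0:                  # a negative length is a hole, skip it
            continue
        (ncomp,), p = struct.unpack_from(">H", rec, 0), 2
        names = []
        for _ in range(ncomp + 1):    # realm first, then the name components
            name, p = _counted(rec, p)
            names.append(name.decode())
        _ntype, _time, kvno, enctype = struct.unpack_from(">IIBH", rec, p)
        _key, p = _counted(rec, p + 11)
        if len(rec) - p >= 4:         # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, p)
        yield "/".join(names[1:]) + "@" + names[0], kvno, enctype

def check_keytab(path, user, realm="CERN.CH"):
    """Return problems to fix before the keytab is uploaded as a secret."""
    mode = os.stat(path).st_mode & 0o777
    problems = [f"mode {mode:o} lets group/others read keys"] if mode & 0o077 else []
    with open(path, "rb") as fh:
        for principal, kvno, enctype in parse_keytab(fh.read()):
            if principal != f"{user}@{realm}":
                problems.append(f"unexpected principal {principal}")
            if enctype in WEAK:
                problems.append(f"weak enctype {WEAK[enctype]} (kvno {kvno})")
    return problems

# Constructed sample: johndoe@CERN.CH, kvno 3, all-zero dummy AES128 and RC4 keys.
_REC = ("00000035" "0001" "00074345524e2e4348" "00076a6f686e646f65"
        "00000001" "00000000" "03" "%04x" "0010" + "00" * 16 + "00000003")
SAMPLE = bytes.fromhex("0502" + _REC % 17 + _REC % 23)
```

An empty list from `check_keytab` means the file is private to its owner, names only the expected principal and carries no deprecated key types.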

Uploading secrets

Once you have a working keytab file, you need to upload your CERN username and keytab secrets to REANA:

$ reana-client secrets-add --env CERN_USER=johndoe \
                           --env CERN_KEYTAB=.keytab \
                           --file ~/.keytab

Setting Kerberos requirement

Setting Kerberos requirement for whole workflow

If the workflow engine you are using needs Kerberos to parse and validate the workflow specification, then you can enable it globally for the whole workflow orchestration in the reana.yaml file. For example, this may be needed if you are using the Snakemake workflow engine with data objects stored in restricted data storage:

workflow:
  type: snakemake
  resources:
    kerberos: true
  file: workflow/snakemake/Snakefile

This will enable Kerberos authentication not only for workflow orchestration, but also for each workflow step job.

Setting Kerberos requirement for certain jobs only

If your workflow does not need Kerberos for the whole duration, but only for some of its steps, you can provide a workflow hint kerberos: true for only those steps that need it.

Serial example:

workflow:
  type: serial
  resources:
    cvmfs:
      - fcc.cern.ch
  specification:
    steps:
      - environment: "docker.io/cern/slc6-base"
        kerberos: true
        commands:
          - ls -l /cvmfs/fcc.cern.ch/sw/views/releases/

CWL example:

steps:
  first:
    hints:
      reana:
        kerberos: true
    run: helloworld.tool
    in:
      helloworld: helloworld
      inputfile: inputfile
      sleeptime: sleeptime
      outputfile: outputfile
    out: [result]

Yadage example:

step:
  process:
    process_type: "string-interpolated-cmd"
    cmd: 'python "{helloworld}" --sleeptime {sleeptime} --inputfile "{inputfile}" --outputfile "{outputfile}"'
  publisher:
    publisher_type: "frompar-pub"
    outputmap:
      outputfile: outputfile
  environment:
    environment_type: "docker-encapsulated"
    image: "docker.io/library/python"
    imagetag: "2.7-slim"
    resources:
      - kerberos: true

Snakemake example:

rule helloworld:
  input:
    helloworld=config["helloworld"],
    inputfile=config["inputfile"],
  params:
    sleeptime=config["sleeptime"]
  output:
    "results/greetings.txt"
  resources:
    kerberos=True
  container: "docker://docker.io/library/python:2.7-slim"

Please note that a Kerberos token is automatically provided for HTCondor and Slurm compute backend jobs, so there is no need to specify the kerberos requirement in the workflow specification.