Kerberos

If your workflow needs to access external services from within the job such as EOS you could use Kerberos authentication.

Generating keytab file

First, generate a Kerberos keytab file for passwordless authentication.

$ # login to lxplus and generate keytab file
$ ssh johndoe@lxplus.cern.ch
$ ktutil
ktutil:  add_entry -password -p johndoe@CERN.CH -k 1 -e aes256-cts-hmac-sha1-96
Password for johndoe@CERN.CH:
ktutil:  add_entry -password -p johndoe@CERN.CH -k 1 -e arcfour-hmac
Password for johndoe@CERN.CH:
ktutil:  write_kt .keytab
ktutil:  exit

$ # Let's test generated keytab file by trying to generate Kerberos ticket
$ scp johndoe@lxplus.cern.ch:~/.keytab .
$ kinit -kt ~/.keytab johndoe@CERN.CH
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: johndoe@CERN.CH

Valid starting       Expires              Service principal
04/29/2019 11:24:12  04/30/2019 12:23:52  krbtgt/CERN.CH@CERN.CH
  renew until 05/04/2019 11:23:52
04/29/2019 11:24:49  04/30/2019 12:23:52  host/tweetybird04.cern.ch@CERN.CH
  renew until 05/04/2019 11:23:52
04/29/2019 11:25:00  04/30/2019 12:23:52  host/bigbird14.cern.ch@CERN.CH
  renew until 05/04/2019 11:23:52

Uploading secrets

Once you have a working keytab file, you need to upload your CERN username and keytab secrets to REANA:

$ reana-client secrets-add --env CERN_USER=johndoe \
                           --env CERN_KEYTAB=.keytab \
                           --file ~/.keytab

Setting Kerberos requirement

Setting Kerberos requirement for whole workflow

If the workflow engine you are using needs Kerberos to parse and validate the workflow specification, then you can enable it globally for the whole workflow orchestration in the reana.yaml file. For example, this may be needed if you are using the Snakemake workflow engine with data objects living in a restricted data storage:

workflow:
  type: snakemake
  resources:
    kerberos: true
  file: workflow/snakemake/Snakefile

This will enable Kerberos authentication not only for workflow orchestration, but also for each workflow step job.

Setting Kerberos requirement for certain jobs only

If your workflow does not need Kerberos for the whole duration, but only for some of its steps, you can provide a workflow hint kerberos: true for only those steps that need it.

Serial example:

workflow:
  type: serial
  resources:
    cvmfs:
      - fcc.cern.ch
  specification:
    steps:
      - environment: "cern/slc6-base"
        kerberos: true
        commands:
          - ls -l /cvmfs/fcc.cern.ch/sw/views/releases/

CWL example:

steps:
  first:
    hints:
      reana:
        kerberos: true
    run: helloworld.tool
    in:
      helloworld: helloworld

      inputfile: inputfile
      sleeptime: sleeptime
      outputfile: outputfile
    out: [result]

Yadage example:

step:
  process:
    process_type: "string-interpolated-cmd"
    cmd: 'python "{helloworld}" --sleeptime {sleeptime} --inputfile "{inputfile}" --outputfile "{outputfile}"'
  publisher:
    publisher_type: "frompar-pub"
    outputmap:
      outputfile: outputfile
  environment:
    environment_type: "docker-encapsulated"
    image: "python"
    imagetag: "2.7-slim"
    resources:
      - kerberos: true

Snakemake example:

rule helloworld:
  input:
    helloworld=config["helloworld"],
    inputfile=config["inputfile"],
  params:
    sleeptime=config["sleeptime"]
  output:
    "results/greetings.txt"
  resources:
    kerberos=True
  container: "docker://python:2.7-slim"

Please note that Kerberos token is automatically provided for HTCondor and Slurm compute backend jobs and there is no need to specify kerberos requirement in the workflow specification.