Kerberos¶
If your workflow needs to access external services from within the job such as EOS you could use Kerberos authentication.
Generating keytab file¶
First, generate a Kerberos keytab file for passwordless authentication.
# login to lxplus and generate keytab file
$ ssh johndoe@lxplus.cern.ch
$ ktutil
ktutil: add_entry -password -p johndoe@CERN.CH -k 1 -e aes256-cts-hmac-sha1-96
Password for johndoe@CERN.CH:
ktutil: add_entry -password -p johndoe@CERN.CH -k 1 -e arcfour-hmac
Password for johndoe@CERN.CH:
ktutil: write_kt .keytab
ktutil: exit
# Let's test generated keytab file by trying to generate Kerberos ticket
$ scp johndoe@lxplus.cern.ch:~/.keytab .
$ kinit -kt ~/.keytab johndoe@CERN.CH
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: johndoe@CERN.CH
Valid starting Expires Service principal
04/29/2019 11:24:12 04/30/2019 12:23:52 krbtgt/CERN.CH@CERN.CH
renew until 05/04/2019 11:23:52
04/29/2019 11:24:49 04/30/2019 12:23:52 host/tweetybird04.cern.ch@CERN.CH
renew until 05/04/2019 11:23:52
04/29/2019 11:25:00 04/30/2019 12:23:52 host/bigbird14.cern.ch@CERN.CH
renew until 05/04/2019 11:23:52
Uploading secrets¶
Once you have a working keytab file, you need to upload your CERN username and keytab secrets to REANA:
$ reana-client secrets-add --env CERN_USER=johndoe \
--env CERN_KEYTAB=.keytab \
--file ~/.keytab
Setting Kerberos requirement¶
Set kerberos: true for the steps in need in the workflow specification.
Please note that step's docker image (e.g environment: 'cern/slc6-base')
should have Kerberos client installed and you have to for the Kerberos
authentication to work.
Serial example:
workflow:
type: serial
resources:
cvmfs:
- fcc.cern.ch
specification:
steps:
- environment: 'cern/slc6-base'
kerberos: true
commands:
- ls -l /cvmfs/fcc.cern.ch/sw/views/releases/
CWL example:
steps:
first:
hints:
reana:
kerberos: true
run: helloworld.tool
in:
helloworld: helloworld
inputfile: inputfile
sleeptime: sleeptime
outputfile: outputfile
out: [result]
Yadage example:
step:
process:
process_type: 'string-interpolated-cmd'
cmd: 'python "{helloworld}" --sleeptime {sleeptime} --inputfile "{inputfile}" --outputfile "{outputfile}"'
publisher:
publisher_type: 'frompar-pub'
outputmap:
outputfile: outputfile
environment:
environment_type: 'docker-encapsulated'
image: 'python'
imagetag: '2.7-slim'
resources:
- kerberos: true
Please note that Kerberos token is automatically provided for HTCondor and Slurm compute backend jobs and there is no need to specify kerberos requirement in the workflow specification.