
Re: [HTCondor-users] upgrading from 8.8.x to 9.0.4 - kerberos auth problems

After kicking myself over the kerberos error I went back to the drawing board and tried to find a way to have puppet do the necessary configuration steps for IDTOKENS.

I found that way. It involves eyaml (encrypted yaml), installing a common POOL file (from said eyaml), and running the condor_token_create command as a trigger from installing the POOL file.

I created the POOL file using the condor_store_cred -c add command on one host then encrypted it into the data/secrets/osfamily/RedHat_binary_blobs.eyaml file.

Here's an example from my modules/htcondor/manifests/config.pp file. In theory this should be sufficient for anyone else using puppet + eyaml to duplicate for their own setup.

 # ###################
 # install the POOL secret for IDTOKENS auth
 # ###################
 file { "/etc/condor/passwords.d/POOL":
   content => lookup("condor_POOL"),
   ensure  => file,
   group   => 'root',
   mode    => '0600',
   notify  => Exec['condor_IDTOKENS'],
   owner   => 'root',
   replace => true,
 }

 # ###################
 # tokenize the POOL
 # ###################
 # umask is a shell builtin, so run the command through the shell provider.
 # Calling /usr/bin/umask as an external program only changes the umask of
 # that child process, and the redirected token file would be created with
 # the default umask (typically 0644, world-readable).
 exec { 'condor_IDTOKENS':
   command     => 'umask 0077; /usr/bin/condor_token_create -identity condor@mypool > /etc/condor/tokens.d/condor@mypool',
   provider    => shell,
   refreshonly => true,
 }

I'm happy to say the comment about users needing to run condor_token_fetch in the output of "condor_config_val use security:get_htcondor_idtokens" doesn't appear to apply. This is good as I never want my users to have to care about what hosts are in the cluster.

nomad
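An added example, not part of the post above: a small POSIX shell script that performs the same token-creation step outside of puppet, applying the umask in the shell that opens the output file, and then verifies that the resulting secret is a root-owned 0600 file (the same check is useful for /etc/condor/passwords.d/POOL). condor_token_create is assumed to be on PATH; the TOKEN_CREATE_CMD and EXPECTED_OWNER overrides are hypothetical knobs of this script so it can be exercised without a condor installation or root privileges.

```shell
#!/bin/sh
# Added example, not from the original post or from HTCondor.
# Creates a pool IDTOKEN with a restrictive umask and verifies that the
# secret files used for IDTOKENS auth are not readable by other users.
set -u

# check_secret_perms FILE
# Succeeds if FILE is a regular file with mode 0600 owned by EXPECTED_OWNER
# (hypothetical override for this script; defaults to root). Uses GNU stat.
check_secret_perms() {
    file=$1
    want_owner=${EXPECTED_OWNER:-root}
    [ -f "$file" ] || { echo "missing secret: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")
    [ "$mode" = "600" ] || { echo "$file has mode $mode, want 600" >&2; return 1; }
    [ "$owner" = "$want_owner" ] || { echo "$file owned by $owner, want $want_owner" >&2; return 1; }
    return 0
}

# create_pool_token IDENTITY OUTFILE
# Runs condor_token_create (or TOKEN_CREATE_CMD, a hypothetical override)
# inside a subshell whose umask is 0077, so the redirect that creates OUTFILE
# produces a 0600 file. The token is then verified with check_secret_perms.
create_pool_token() {
    identity=$1
    out=$2
    cmd=${TOKEN_CREATE_CMD:-condor_token_create}
    ( umask 0077 && "$cmd" -identity "$identity" > "$out" ) || {
        echo "token creation failed for $identity" >&2
        rm -f "$out"
        return 1
    }
    check_secret_perms "$out"
}

# Usage (as root on a pool member, matching the manifest above):
#   create_pool_token condor@mypool /etc/condor/tokens.d/condor@mypool
#   check_secret_perms /etc/condor/passwords.d/POOL
```

The umask must be set by the same shell that performs the `>` redirection, which is why the script uses the builtin inside a subshell rather than a separate umask executable; the subshell also keeps the caller's umask untouched.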