IDTOKEN password creation is now dynamic in the startup script

Having it in the spec file was hardcoding the same password in container images
glideinWMS · Sep 25, 2024 · 4341073 · 4341073
1 parent 19b3447
commit 4341073
Show file tree

Hide file tree

Showing 5 changed files with 174 additions and 102 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -23,6 +23,7 @@ Changes since the last release
 -   Fixed root unable to remove other users' jobs in the Factory (PR #433)
 -   HTCondor TRUST_DOMAIN configuration macro set to string to avoid Glidein config error (PR #420)
 -   Disabled shebang mangling in rpm_build to avoid gwms-python not finding the shell (Issue #436, PR #437)
+-   Dynamic creation of HTCondor IDTOKEN password (Issue #440, PR #441)
 
 ### Testing / Development
 

diff --git a/build/packaging/rpm/frontend_startup b/build/packaging/rpm/frontend_startup
@@ -8,18 +8,19 @@
 
 # Emulate function library.
 success() {
- echo -en "\033[60G[[32mOK[0m]"
- return 0
+    echo -en "\033[60G[[32mOK[0m]"
+    return 0
 }
 
 failure() {
- echo -en "\033[60G[[31mFAILED[0m]"
- return 1
+    echo -en "\033[60G[[31mFAILED[0m]"
+    return 1
 }
 
 [ -f /etc/sysconfig/gwms-frontend ] && . /etc/sysconfig/gwms-frontend
 
-frontend_dir='/var/lib/gwms-frontend/vofrontend'
+frontend_root_dir='/var/lib/gwms-frontend'
+frontend_dir="$frontend_root_dir/vofrontend"
 glideinWMS_dir=$frontend_dir
 frontend_config=/etc/gwms-frontend/frontend.xml
 export HOME="/var/lib/gwms-frontend"
@@ -43,120 +44,138 @@ then
 fi
 id_str="$frontend_name"
 
+check_idtoken_password() {
+    # Make sure that the IDTOKEN password exists
+    if [ ! -f "$frontend_root_dir"/passwords.d/FRONTEND ]; then
+        local htc_frontend_password=/etc/condor/passwords.d/FRONTEND    
+        if [ ! -f "$htc_frontend_password" ]; then
+            openssl rand -base64 64 | /usr/sbin/condor_store_cred -u "frontend@$(hostname -f)" -f "$htc_frontend_password" add > /dev/null 2>&1
+        fi
+        /bin/cp "$htc_frontend_password" "$frontend_root_dir"/passwords.d/FRONTEND
+        chown $FRONTEND_USER: "$frontend_root_dir"/passwords.d/FRONTEND
+        if [ ! -f "$frontend_root_dir"/passwords.d/FRONTEND ]; then
+            echo 'Cannot create IDTOKENs password!'
+            failure
+        fi
+    fi
+}
+
 start() {
-        echo -n "Starting glideinWMS frontend $id_str: "
-        su -s /bin/bash $FRONTEND_USER -c "nice -2 \"glideinFrontend\" \"$frontend_dir\"" 2>/var/log/gwms-frontend/frontend/startup.log 1>&2 </dev/null &
-        sleep 5
-        "checkFrontend" "$frontend_dir"  2>/dev/null 1>&2 </dev/null && success || failure
-        RETVAL=$?
-        echo
+    check_idtoken_password
+    echo -n "Starting glideinWMS frontend $id_str: "
+    su -s /bin/bash $FRONTEND_USER -c "nice -2 \"glideinFrontend\" \"$frontend_dir\"" 2>/var/log/gwms-frontend/frontend/startup.log 1>&2 </dev/null &
+    sleep 5
+    "checkFrontend" "$frontend_dir"  2>/dev/null 1>&2 </dev/null && success || failure
+    RETVAL=$?
+    echo
 }
 
 stop() {
-        echo -n "Shutting down glideinWMS frontend $id_str: "
-        "stopFrontend" "$frontend_dir" 2>/dev/null 1>&2 </dev/null && success || failure
-        RETVAL=$?
-        echo
+    echo -n "Shutting down glideinWMS frontend $id_str: "
+    "stopFrontend" "$frontend_dir" 2>/dev/null 1>&2 </dev/null && success || failure
+    RETVAL=$?
+    echo
 }
 
 restart() {
-        stop
-        if [ $RETVAL -ne 0 ]; then
-          exit $RETVAL
-        fi
-        start
+    stop
+    if [ $RETVAL -ne 0 ]; then
+      exit $RETVAL
+    fi
+    start
 }
 
 reconfig() {
-        "checkFrontend" "$frontend_dir" >/dev/null 2>&1 </dev/null
-        notrun=$?
-        if [ $notrun -eq 0 ]; then
-          stop
-          if [ $RETVAL -ne 0 ]; then
-            exit $RETVAL
-          fi
-        fi
-        pushd $frontend_dir
-        su -s /bin/bash $FRONTEND_USER -c "reconfig_frontend -force_name \"$frontend_name\" -update_scripts \"no\" -xml $frontend_config"
-      RETVAL=$?
-        reconfig_failed=$?
-        echo -n "Reconfiguring the frontend"
-        test $reconfig_failed -eq 0 && success || failure
-        echo
-        if [ $notrun -eq 0 ]; then
-          start
-        fi
+    "checkFrontend" "$frontend_dir" >/dev/null 2>&1 </dev/null
+    notrun=$?
+    if [ $notrun -eq 0 ]; then
+      stop
+      if [ $RETVAL -ne 0 ]; then
+        exit $RETVAL
+      fi
+    fi
+    pushd $frontend_dir
+    su -s /bin/bash $FRONTEND_USER -c "reconfig_frontend -force_name \"$frontend_name\" -update_scripts \"no\" -xml $frontend_config"
+  RETVAL=$?
+    reconfig_failed=$?
+    echo -n "Reconfiguring the frontend"
+    test $reconfig_failed -eq 0 && success || failure
+    echo
+    if [ $notrun -eq 0 ]; then
+      start
+    fi
 }
 
 upgrade() {
-        "checkFrontend" "$frontend_dir" >/dev/null 2>&1 </dev/null
-        notrun=$?
-        if [ $notrun -eq 0 ]; then
-          stop
-          if [ $RETVAL -ne 0 ]; then
-            exit $RETVAL
-          fi
-        fi
-        pushd $frontend_dir
-        su -s /bin/bash $FRONTEND_USER -c "reconfig_frontend -force_name \"$frontend_name\" -writeback \"yes\" -update_scripts \"yes\" -xml $frontend_config"
-        reconfig_failed=$?
-        echo -n "Reconfiguring the frontend"
-        test $reconfig_failed -eq 0 && success || failure
-          RETVAL=$?
-        echo
-        if [ $notrun -eq 0 ]; then
-          start
-        fi
+    "checkFrontend" "$frontend_dir" >/dev/null 2>&1 </dev/null
+    notrun=$?
+    if [ $notrun -eq 0 ]; then
+      stop
+      if [ $RETVAL -ne 0 ]; then
+        exit $RETVAL
+      fi
+    fi
+    pushd $frontend_dir
+    su -s /bin/bash $FRONTEND_USER -c "reconfig_frontend -force_name \"$frontend_name\" -writeback \"yes\" -update_scripts \"yes\" -xml $frontend_config"
+    reconfig_failed=$?
+    echo -n "Reconfiguring the frontend"
+    test $reconfig_failed -eq 0 && success || failure
+      RETVAL=$?
+    echo
+    if [ $notrun -eq 0 ]; then
+      start
+    fi
 }
 
 downtime() {
-       if [ -z "$2" ]; then
-           echo $"Usage: frontend_startup $1 'frontend'|'entries'|entry_name [delay]"
-           exit 1
-       fi
-
-	 if [ "$1" == "down" ]; then
-	   echo -n "Setting downtime for"
-	 elif [ "$1" == "up" ]; then
-	   echo -n "Removing downtime for"
-	 else
-	   echo -n "Infosys-based downtime management for"
-	 fi
-
-	 if [ "$2" == "frontend" ]; then
-	   echo -n " frontend:"
+    if [ -z "$2" ]; then
+        echo $"Usage: frontend_startup $1 'frontend'|'entries'|entry_name [delay]"
+        exit 1
+    fi
+    
+    if [ "$1" == "down" ]; then
+       echo -n "Setting downtime for"
+    elif [ "$1" == "up" ]; then
+       echo -n "Removing downtime for"
+    else
+       echo -n "Infosys-based downtime management for"
+    fi
+    
+    if [ "$2" == "frontend" ]; then
+       echo -n " frontend:"
        else
-	   echo -n " entry $2:"
-	 fi
-
-	 "manageFrontendDowntimes" "$frontend_dir" $2 $1 $3 2>/dev/null 1>&2 </dev/null && success || failure
-	 RETVAL=$?
-	 echo
+       echo -n " entry $2:"
+    fi
+    
+    "manageFrontendDowntimes" "$frontend_dir" $2 $1 $3 2>/dev/null 1>&2 </dev/null && success || failure
+    RETVAL=$?
+    echo
 }
 
 case $1 in
-        start)
-                start
-        ;;
-        stop)
-                stop
-        ;;
-        restart)
-                restart
-        ;;
-        status)
-               "checkFrontend" "$frontend_dir"
-	         RETVAL=$?
-        ;;
-        reconfig)
-                reconfig "$@"
-        ;;
-        upgrade)
-                upgrade $2
-        ;;
-        *)
-        echo $"Usage: frontend_startup {start|stop|restart|status|reconfig}"
-        exit 1
+    start)
+            start
+    ;;
+    stop)
+            stop
+    ;;
+    restart)
+            restart
+    ;;
+    status)
+           "checkFrontend" "$frontend_dir"
+         RETVAL=$?
+    ;;
+    reconfig)
+            reconfig "$@"
+    ;;
+    upgrade)
+            upgrade $2
+    ;;
+    *)
+    echo $"Usage: frontend_startup {start|stop|restart|status|reconfig}"
+    exit 1
 esac
 
 exit $RETVAL
+
diff --git a/build/packaging/rpm/glideinwms.spec b/build/packaging/rpm/glideinwms.spec
@@ -643,9 +643,11 @@ if [ ! -e %{frontend_passwd_dir} ]; then
     mkdir -p %{frontend_passwd_dir}
     chown frontend.frontend %{frontend_passwd_dir}
 fi
-openssl rand -base64 64 | /usr/sbin/condor_store_cred -u "frontend@${fqdn_hostname}" -f "/etc/condor/passwords.d/FRONTEND" add > /dev/null 2>&1
-/bin/cp /etc/condor/passwords.d/FRONTEND /var/lib/gwms-frontend/passwords.d/FRONTEND
-chown frontend.frontend /var/lib/gwms-frontend/passwords.d/FRONTEND
+# The IDTOKEN password creation is now in the startup script
+# For manual creation you can use:
+#  openssl rand -base64 64 | /usr/sbin/condor_store_cred -u "frontend@${fqdn_hostname}" -f "/etc/condor/passwords.d/FRONTEND" add > /dev/null 2>&1
+#  /bin/cp /etc/condor/passwords.d/FRONTEND /var/lib/gwms-frontend/passwords.d/FRONTEND
+#  chown frontend.frontend /var/lib/gwms-frontend/passwords.d/FRONTEND
 
 %post vofrontend-httpd
 # Protecting from failure in case it is not running/installed

diff --git a/creation/templates/frontend_initd_startup_template b/creation/templates/frontend_initd_startup_template
@@ -230,8 +230,32 @@ help_usage() {
     fi
 }
 
+check_idtoken_password() {
+    # Make sure that the IDTOKEN password exists
+    frontend_root_dir="$frontend_dir/.."
+    if [ ! -f "$frontend_root_dir"/passwords.d/FRONTEND ]; then
+        if [ $THIS_ID -ne 0 ]; then
+            echo "Must be root to initialize the missing IDTOKENs passwprd"
+            failure
+            exit $RET_NO_PRIVILEGE
+        fi
+        local htc_frontend_password=/etc/condor/passwords.d/FRONTEND
+        if [ ! -f "$htc_frontend_password" ]; then
+            openssl rand -base64 64 | /usr/sbin/condor_store_cred -u "frontend@$(hostname -f)" -f "$htc_frontend_password" add > /dev/null 2>&1
+        fi
+        /bin/cp "$htc_frontend_password" "$frontend_root_dir"/passwords.d/FRONTEND
+        chown $FRONTEND_USER: "$frontend_root_dir"/passwords.d/FRONTEND
+        if [ ! -f "$frontend_root_dir"/passwords.d/FRONTEND ]; then
+            echo 'Cannot create IDTOKENs password!'
+            failure
+            exit $RET_NOT_CONFIGURED
+        fi
+    fi
+}
+
 start() {
         check_installed
+        check_idtoken_password
         check_configured
         echo -n "Starting glideinWMS frontend $id_str: "
 
@@ -540,3 +564,4 @@ case $1 in
 esac
 
 exit $RETVAL
+
diff --git a/creation/templates/frontend_initd_startup_template_sl7 b/creation/templates/frontend_initd_startup_template_sl7
@@ -232,8 +232,32 @@ help_usage() {
     fi
 }
 
+check_idtoken_password() {
+    # Make sure that the IDTOKEN password exists
+    frontend_root_dir="$frontend_dir/.."
+    if [ ! -f "$frontend_root_dir"/passwords.d/FRONTEND ]; then
+        if [ $THIS_ID -ne 0 ]; then
+            echo "Must be root to initialize the missing IDTOKENs passwprd"
+            failure
+            exit $RET_NO_PRIVILEGE
+        fi
+        local htc_frontend_password=/etc/condor/passwords.d/FRONTEND
+        if [ ! -f "$htc_frontend_password" ]; then
+            openssl rand -base64 64 | /usr/sbin/condor_store_cred -u "frontend@$(hostname -f)" -f "$htc_frontend_password" add > /dev/null 2>&1
+        fi
+        /bin/cp "$htc_frontend_password" "$frontend_root_dir"/passwords.d/FRONTEND
+        chown $FRONTEND_USER: "$frontend_root_dir"/passwords.d/FRONTEND
+        if [ ! -f "$frontend_root_dir"/passwords.d/FRONTEND ]; then
+            echo 'Cannot create IDTOKENs password!'
+            failure
+            exit $RET_NOT_CONFIGURED
+        fi
+    fi
+}
+
 start() {
         check_installed
+        check_idtoken_password
         check_configured
         echo -n "Starting glideinWMS frontend $id_str: "
 
@@ -548,3 +572,4 @@ case $1 in
 esac
 
 exit $RETVAL
+