Made IDTOKEN password creation dynamic, in the startup script

.github/ISSUE_TEMPLATE/bug_report.md

@@ -19,8 +19,8 @@ A clear and concise description of what you expected to happen.
 If applicable, add screenshots and/or console outputs to help explain your problem.
 
 **Info (please complete the following information):**
-Stakeholders and components can be a comma separated list or on multiple lines.
-If you add a new stakeholder or component, not on the sample list, add it on a line by its own.
+Stakeholders and components can be a comma-separated list or on multiple lines.
+If you add a new stakeholder or component, not on the sample list, add it on a line on its own.
 
 -   GlideinWMS version:
 -   Python version:

.github/ISSUE_TEMPLATE/feature_request.md

@@ -16,8 +16,8 @@ A clear and concise description of what you want to happen.
 A clear and concise description of any alternative solutions or features you've considered.
 
 **Info (please complete the following information):**
-Stakeholders and components can be a comma separated list or on multiple lines.
-If you add a new stakeholder or component, not on the sample list, add it on a line by its own.
+Stakeholders and components can be a comma-separated list or on multiple lines.
+If you add a new stakeholder or component, not on the sample list, add it on a line on its own.
 
 -   Priority: Priority level for this feature [critical, high, medium, low]
 -   Stakeholders: Concerned stakeholder(s) [CMS, FactoryOps, Fermilab, FIFE, HEPCloud, IGWN, OSG]

CHANGELOG.md

@@ -23,6 +23,7 @@ Changes since the last release
 -   Fixed root unable to remove other users' jobs in the Factory (PR #433)
 -   HTCondor TRUST_DOMAIN configuration macro set to string to avoid Glidein config error (PR #420)
 -   Disabled shebang mangling in rpm_build to avoid gwms-python not finding the shell (Issue #436, PR #437)
+-   Dynamic creation of HTCondor IDTOKEN password (Issue #440, PR #441)
 
 ### Testing / Development
 

build/packaging/rpm/frontend_startup

@@ -8,18 +8,19 @@
 
 # Emulate function library.
 success() {
- echo -en "\033[60G[OK]"
- return 0
+    echo -en "\033[60G[OK]"
+    return 0
 }
 
 failure() {
- echo -en "\033[60G[FAILED]"
- return 1
+    echo -en "\033[60G[FAILED]"
+    return 1
 }
 
 [ -f /etc/sysconfig/gwms-frontend ] && . /etc/sysconfig/gwms-frontend
 
-frontend_dir='/var/lib/gwms-frontend/vofrontend'
+frontend_root_dir='/var/lib/gwms-frontend'
+frontend_dir="$frontend_root_dir/vofrontend"
 glideinWMS_dir=$frontend_dir
 frontend_config=/etc/gwms-frontend/frontend.xml
 export HOME="/var/lib/gwms-frontend"
@@ -43,120 +44,137 @@ then
 fi
 id_str="$frontend_name"
 
+check_idtoken_password() {
+    # Make sure that the IDTOKEN password exists
+    if [ ! -f "$frontend_root_dir"/passwords.d/FRONTEND ]; then
+        local htc_frontend_password=/etc/condor/passwords.d/FRONTEND
+        if [ ! -f "$htc_frontend_password" ]; then
+            openssl rand -base64 64 | /usr/sbin/condor_store_cred -u "frontend@$(hostname -f)" -f "$htc_frontend_password" add > /dev/null 2>&1
+        fi
+        /bin/cp "$htc_frontend_password" "$frontend_root_dir"/passwords.d/FRONTEND
+        chown $FRONTEND_USER: "$frontend_root_dir"/passwords.d/FRONTEND
+        if [ ! -f "$frontend_root_dir"/passwords.d/FRONTEND ]; then
+            echo 'Cannot create IDTOKENs password!'
+            failure
+        fi
+    fi
+}
+
 start() {
-        echo -n "Starting glideinWMS frontend $id_str: "
-        su -s /bin/bash $FRONTEND_USER -c "nice -2 \"glideinFrontend\" \"$frontend_dir\"" 2>/var/log/gwms-frontend/frontend/startup.log 1>&2 </dev/null &
-        sleep 5
-        "checkFrontend" "$frontend_dir"  2>/dev/null 1>&2 </dev/null && success || failure
-        RETVAL=$?
-        echo
+    check_idtoken_password
+    echo -n "Starting glideinWMS frontend $id_str: "
+    su -s /bin/bash $FRONTEND_USER -c "nice -2 \"glideinFrontend\" \"$frontend_dir\"" 2>/var/log/gwms-frontend/frontend/startup.log 1>&2 </dev/null &
+    sleep 5
+    "checkFrontend" "$frontend_dir"  2>/dev/null 1>&2 </dev/null && success || failure
+    RETVAL=$?
+    echo
 }
 
 stop() {
-        echo -n "Shutting down glideinWMS frontend $id_str: "
-        "stopFrontend" "$frontend_dir" 2>/dev/null 1>&2 </dev/null && success || failure
-        RETVAL=$?
-        echo
+    echo -n "Shutting down glideinWMS frontend $id_str: "
+    "stopFrontend" "$frontend_dir" 2>/dev/null 1>&2 </dev/null && success || failure
+    RETVAL=$?
+    echo
 }
 
 restart() {
-        stop
-        if [ $RETVAL -ne 0 ]; then
-          exit $RETVAL
-        fi
-        start
+    stop
+    if [ $RETVAL -ne 0 ]; then
+      exit $RETVAL
+    fi
+    start
 }
 
 reconfig() {
-        "checkFrontend" "$frontend_dir" >/dev/null 2>&1 </dev/null
-        notrun=$?
-        if [ $notrun -eq 0 ]; then
-          stop
-          if [ $RETVAL -ne 0 ]; then
-            exit $RETVAL
-          fi
-        fi
-        pushd $frontend_dir
-        su -s /bin/bash $FRONTEND_USER -c "reconfig_frontend -force_name \"$frontend_name\" -update_scripts \"no\" -xml $frontend_config"
-      RETVAL=$?
-        reconfig_failed=$?
-        echo -n "Reconfiguring the frontend"
-        test $reconfig_failed -eq 0 && success || failure
-        echo
-        if [ $notrun -eq 0 ]; then
-          start
-        fi
+    "checkFrontend" "$frontend_dir" >/dev/null 2>&1 </dev/null
+    notrun=$?
+    if [ $notrun -eq 0 ]; then
+      stop
+      if [ $RETVAL -ne 0 ]; then
+        exit $RETVAL
+      fi
+    fi
+    pushd $frontend_dir
+    su -s /bin/bash $FRONTEND_USER -c "reconfig_frontend -force_name \"$frontend_name\" -update_scripts \"no\" -xml $frontend_config"
+  RETVAL=$?
+    reconfig_failed=$?
+    echo -n "Reconfiguring the frontend"
+    test $reconfig_failed -eq 0 && success || failure
+    echo
+    if [ $notrun -eq 0 ]; then
+      start
+    fi
 }
 
 upgrade() {
-        "checkFrontend" "$frontend_dir" >/dev/null 2>&1 </dev/null
-        notrun=$?
-        if [ $notrun -eq 0 ]; then
-          stop
-          if [ $RETVAL -ne 0 ]; then
-            exit $RETVAL
-          fi
-        fi
-        pushd $frontend_dir
-        su -s /bin/bash $FRONTEND_USER -c "reconfig_frontend -force_name \"$frontend_name\" -writeback \"yes\" -update_scripts \"yes\" -xml $frontend_config"
-        reconfig_failed=$?
-        echo -n "Reconfiguring the frontend"
-        test $reconfig_failed -eq 0 && success || failure
-          RETVAL=$?
-        echo
-        if [ $notrun -eq 0 ]; then
-          start
-        fi
+    "checkFrontend" "$frontend_dir" >/dev/null 2>&1 </dev/null
+    notrun=$?
+    if [ $notrun -eq 0 ]; then
+      stop
+      if [ $RETVAL -ne 0 ]; then
+        exit $RETVAL
+      fi
+    fi
+    pushd $frontend_dir
+    su -s /bin/bash $FRONTEND_USER -c "reconfig_frontend -force_name \"$frontend_name\" -writeback \"yes\" -update_scripts \"yes\" -xml $frontend_config"
+    reconfig_failed=$?
+    echo -n "Reconfiguring the frontend"
+    test $reconfig_failed -eq 0 && success || failure
+      RETVAL=$?
+    echo
+    if [ $notrun -eq 0 ]; then
+      start
+    fi
 }
 
 downtime() {
-       if [ -z "$2" ]; then
-           echo $"Usage: frontend_startup $1 'frontend'|'entries'|entry_name [delay]"
-           exit 1
-       fi
-
-	 if [ "$1" == "down" ]; then
-	   echo -n "Setting downtime for"
-	 elif [ "$1" == "up" ]; then
-	   echo -n "Removing downtime for"
-	 else
-	   echo -n "Infosys-based downtime management for"
-	 fi
-
-	 if [ "$2" == "frontend" ]; then
-	   echo -n " frontend:"
+    if [ -z "$2" ]; then
+        echo $"Usage: frontend_startup $1 'frontend'|'entries'|entry_name [delay]"
+        exit 1
+    fi
+
+    if [ "$1" == "down" ]; then
+       echo -n "Setting downtime for"
+    elif [ "$1" == "up" ]; then
+       echo -n "Removing downtime for"
+    else
+       echo -n "Infosys-based downtime management for"
+    fi
+
+    if [ "$2" == "frontend" ]; then
+       echo -n " frontend:"
        else
-	   echo -n " entry $2:"
-	 fi
+       echo -n " entry $2:"
+    fi
 
-	 "manageFrontendDowntimes" "$frontend_dir" $2 $1 $3 2>/dev/null 1>&2 </dev/null && success || failure
-	 RETVAL=$?
-	 echo
+    "manageFrontendDowntimes" "$frontend_dir" $2 $1 $3 2>/dev/null 1>&2 </dev/null && success || failure
+    RETVAL=$?
+    echo
 }
 
 case $1 in
-        start)
-                start
-        ;;
-        stop)
-                stop
-        ;;
-        restart)
-                restart
-        ;;
-        status)
-               "checkFrontend" "$frontend_dir"
-	         RETVAL=$?
-        ;;
-        reconfig)
-                reconfig "$@"
-        ;;
-        upgrade)
-                upgrade $2
-        ;;
-        *)
-        echo $"Usage: frontend_startup {start|stop|restart|status|reconfig}"
-        exit 1
+    start)
+            start
+    ;;
+    stop)
+            stop
+    ;;
+    restart)
+            restart
+    ;;
+    status)
+           "checkFrontend" "$frontend_dir"
+         RETVAL=$?
+    ;;
+    reconfig)
+            reconfig "$@"
+    ;;
+    upgrade)
+            upgrade $2
+    ;;
+    *)
+    echo $"Usage: frontend_startup {start|stop|restart|status|reconfig}"
+    exit 1
 esac
 
 exit $RETVAL

build/packaging/rpm/glideinwms.spec

@@ -643,9 +643,11 @@ if [ ! -e %{frontend_passwd_dir} ]; then
     mkdir -p %{frontend_passwd_dir}
     chown frontend.frontend %{frontend_passwd_dir}
 fi
-openssl rand -base64 64 | /usr/sbin/condor_store_cred -u "frontend@${fqdn_hostname}" -f "/etc/condor/passwords.d/FRONTEND" add > /dev/null 2>&1
-/bin/cp /etc/condor/passwords.d/FRONTEND /var/lib/gwms-frontend/passwords.d/FRONTEND
-chown frontend.frontend /var/lib/gwms-frontend/passwords.d/FRONTEND
+# The IDTOKEN password creation is now in the startup script
+# For manual creation you can use:
+#  openssl rand -base64 64 | /usr/sbin/condor_store_cred -u "frontend@${fqdn_hostname}" -f "/etc/condor/passwords.d/FRONTEND" add > /dev/null 2>&1
+#  /bin/cp /etc/condor/passwords.d/FRONTEND /var/lib/gwms-frontend/passwords.d/FRONTEND
+#  chown frontend.frontend /var/lib/gwms-frontend/passwords.d/FRONTEND
 
 %post vofrontend-httpd
 # Protecting from failure in case it is not running/installed

creation/templates/frontend_initd_startup_template

@@ -230,8 +230,32 @@ help_usage() {
     fi
 }
 
+check_idtoken_password() {
+    # Make sure that the IDTOKEN password exists
+    frontend_root_dir="$frontend_dir/.."
+    if [ ! -f "$frontend_root_dir"/passwords.d/FRONTEND ]; then
+        if [ $THIS_ID -ne 0 ]; then
+            echo "Must be root to initialize the missing IDTOKENs passwprd"
+            failure
+            exit $RET_NO_PRIVILEGE
+        fi
+        local htc_frontend_password=/etc/condor/passwords.d/FRONTEND
+        if [ ! -f "$htc_frontend_password" ]; then
+            openssl rand -base64 64 | /usr/sbin/condor_store_cred -u "frontend@$(hostname -f)" -f "$htc_frontend_password" add > /dev/null 2>&1
+        fi
+        /bin/cp "$htc_frontend_password" "$frontend_root_dir"/passwords.d/FRONTEND
+        chown $FRONTEND_USER: "$frontend_root_dir"/passwords.d/FRONTEND
+        if [ ! -f "$frontend_root_dir"/passwords.d/FRONTEND ]; then
+            echo 'Cannot create IDTOKENs password!'
+            failure
+            exit $RET_NOT_CONFIGURED
+        fi
+    fi
+}
+
 start() {
         check_installed
+        check_idtoken_password
         check_configured
         echo -n "Starting glideinWMS frontend $id_str: "
 

creation/templates/frontend_initd_startup_template_sl7

@@ -232,8 +232,32 @@ help_usage() {
     fi
 }
 
+check_idtoken_password() {
+    # Make sure that the IDTOKEN password exists
+    frontend_root_dir="$frontend_dir/.."
+    if [ ! -f "$frontend_root_dir"/passwords.d/FRONTEND ]; then
+        if [ $THIS_ID -ne 0 ]; then
+            echo "Must be root to initialize the missing IDTOKENs passwprd"
+            failure
+            exit $RET_NO_PRIVILEGE
+        fi
+        local htc_frontend_password=/etc/condor/passwords.d/FRONTEND
+        if [ ! -f "$htc_frontend_password" ]; then
+            openssl rand -base64 64 | /usr/sbin/condor_store_cred -u "frontend@$(hostname -f)" -f "$htc_frontend_password" add > /dev/null 2>&1
+        fi
+        /bin/cp "$htc_frontend_password" "$frontend_root_dir"/passwords.d/FRONTEND
+        chown $FRONTEND_USER: "$frontend_root_dir"/passwords.d/FRONTEND
+        if [ ! -f "$frontend_root_dir"/passwords.d/FRONTEND ]; then
+            echo 'Cannot create IDTOKENs password!'
+            failure
+            exit $RET_NOT_CONFIGURED
+        fi
+    fi
+}
+
 start() {
         check_installed
+        check_idtoken_password
         check_configured
         echo -n "Starting glideinWMS frontend $id_str: "