diff --git a/scripts/setup_fnal_security b/scripts/setup_fnal_security
index e3ee8e4..f135652 100755
--- a/scripts/setup_fnal_security
+++ b/scripts/setup_fnal_security
@@ -8,20 +8,20 @@ usage () {
 echo "" >&2
- echo "Setup the tickets, certificates, and proxies required to use FNAL computing" >&2
+ echo "Setup the tickets and tokens required to use FNAL computing" >&2
 echo "">&2
 echo "usage: setup_fnal_security [options]" >&2
 echo "options:" >&2
 echo " -h/--help: Prints this usage message. " >&2
- echo " -f/--force: Force a new proxy to be generated." >&2
- echo " -c/--check: Just check the proxy, don't get a new one." >&2
+ echo " -f/--force: Force a new token to be generated." >&2
+ echo " -c/--check: Just check the token, don't get a new one." >&2
 echo " -b/--batch: Do not ask for user input." >&2
 echo " -k/--kerberos: Also check kerberos ticket." >&2
 echo " -q/--quiet: Suppress regular output, errors still shown" >&2
 echo " -p/--production: Get a Production role proxy instead" >&2
 echo " shown. Can only be used in batch mode." >&2
 echo " " >&2
- exit 1
+ exit 1
 }
@@ -108,82 +108,55 @@ do_kinit ()
 }
-###################################################################################
-# Get a certificate
-###################################################################################
-
-do_getcert ()
-{
- # Check the CI certificate
- RETRY=0
- #while ! cigetcert -ns fifebatch.fnal.gov; do
- while ! kx509; do
- let RETRY=RETRY+1
- if [ $RETRY -gt 3 ]; then
- echo "Failed 3 times. Aborting."
- exit 1
- fi
-
- echo "Failed to get a certificate."
- do_kinit
- done
-}
-
 ###################################################################################
 # Main body for this script
 ###################################################################################
 main () {
-
- # Check the proxy location
- default_proxy=/tmp/x509up_u$(id -u)
- if [[ ! -z $X509_USER_PROXY ]]; then
- if [[ $X509_USER_PROXY != $default_proxy ]]; then
+
+ # Check token location
+ default_token=/tmp/bt_token_dune_${ROLE}_$(id -u)
+ if [[ ! -z $BEARER_TOKEN_FILE ]]; then
+ if [[ $BEARER_TOKEN_FILE != $default_token ]]; then
 echo "##########"
 echo "WARNING:"
- echo "Warning: The X509_USER_PROXY environment variable is set to a non-standard location: $X509_USER_PROXY."
+ echo "The BEARER_TOKEN_FILE environment variable is set to a non-standard location: $BEARER_TOKEN_FILE."
 echo "If authentication is not working, try reverting to the default value:"
- echo "export X509_USER_PROXY=$default_proxy"
+ echo "export BEARER_TOKEN_FILE=$default_token"
 echo "##########"
 echo ""
 fi
+ else
+ export BEARER_TOKEN_FILE=$default_token
 fi
- # If the -f/--force option is given force a new proxy to be made
- if [[ ! -z $FORCE ]]; then
- echo "Forcing regeneration of proxy by removing existing one from X509_USER_PROXY=$X509_USER_PROXY"
- if [[ -z $X509_USER_PROXY ]]; then
- echo "X509_USER_PROXY is not set, so remove from default location $default_proxy"
- X509_USER_PROXY=$default_proxy
+
+ # If the -f/--force option is given, remove existing token
+ if [[ -f $BEARER_TOKEN_FILE ]]; then
+ if [[ -z $FORCE ]]; then
+ echo "Existing token found at BEARER_TOKEN_FILE=$BEARER_TOKEN_FILE"
+ else
+ echo "Forcing regeneration of token by removing existing one from BEARER_TOKEN_FILE=$BEARER_TOKEN_FILE"
+ echo "rm $BEARER_TOKEN_FILE"
+ rm $BEARER_TOKEN_FILE
 fi
- echo "rm $X509_USER_PROXY"
- rm $X509_USER_PROXY
+ else
+ echo "Generating a token at BEARER_TOKEN_FILE=$BEARER_TOKEN_FILE"
 fi
-
-
+
+ # get a new token if there is no existing one
+ if [[ ! -f $BEARER_TOKEN_FILE ]]; then
+ htgettoken -a htvaultprod.fnal.gov -i nova
+ fi
+
 # Check Kerberos Ticket
 if [[ ! -z $KERBEROS ]]; then
 if ! klist -5 -s && ! klist -s; then
 do_kinit
 fi
 fi
-
- do_getcert
-
- # Check the VOMS proxy
- if [ -z "`voms-proxy-info -all|grep "^attribute.*$ROLE"`" ]; then
- if [ -z "`voms-proxy-info -all|grep "^attribute"`" ]; then
- echo "No valid VOMS proxy found, getting one"
- else
- echo "Proxy with the wrong role found, replacing it."
- rm $X509_USER_PROXY
- do_getcert
- fi
- voms-proxy-init -rfc -noregen -voms=dune:/dune/Role=$ROLE -valid 120:00
- fi
-
-
+
 }
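Review bot: The new `main` treats any regular file at `$BEARER_TOKEN_FILE` as a usable credential, because `[[ -f $BEARER_TOKEN_FILE ]]` tests existence only, whereas the removed VOMS block inspected the proxy's attributes and role; the `check ()` hunk further down has the same existence-only test. The default is a predictable name under `/tmp` and the variable can come from the environment, so the test should at least require ownership and the expansions should be quoted: `if [[ -f "$BEARER_TOKEN_FILE" && -O "$BEARER_TOKEN_FILE" ]]; then` and `rm -- "$BEARER_TOKEN_FILE"`. An expired or wrong-role token still passes until the file is decoded (for example with `httokendecode`) and its expiry and scope are checked. The request uses `-i nova` and passes no role although the file name carries `dune` and `${ROLE}`, which looks like a leftover from another experiment's script and should be confirmed. The exit status of `htgettoken` is also never tested, so a failed request falls through silently; `htgettoken ... || exit 1` would stop there.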
@@ -192,19 +165,20 @@ main () {
 ###################################################################################
 check () {
-
- # Check the proxy location
- default_proxy=/tmp/x509up_u$(id -u)
- if [[ ! -z $X509_USER_PROXY ]]; then
- if [[ $X509_USER_PROXY != $default_proxy ]]; then
- echo "##########"
- echo "WARNING:"
- echo "Warning: The X509_USER_PROXY environment variable is set to a non-standard location: $X509_USER_PROXY."
- echo "If authentication is not working, try reverting to the default value:"
- echo "export X509_USER_PROXY=$default_proxy"
- echo "##########"
- echo ""
- fi
+
+ # Check token location
+ default_token=/tmp/bt_token_dune_${ROLE}_$(id -u)
+ if [[ ! -z $BEARER_TOKEN_FILE ]]; then
+ echo "BEARER_TOKEN_FILE is set to a non-standard location: $BEARER_TOKEN_FILE"
+ else
+ export BEARER_TOKEN_FILE=$default_token
+ echo "BEARER_TOKEN_FILE is set to the standard location: $BEARER_TOKEN_FILE"
+ fi
+ if [[ ! -f $BEARER_TOKEN_FILE ]]; then
+ echo "No token found."
+ exit 1
+ else
+ echo "Existing token found."
 fi
 # Check Kerberos Ticket
@@ -214,17 +188,6 @@ check () {
 exit 1
 fi
 fi
-
- # Check the VOMS proxy
- if [ -z "`voms-proxy-info -all|grep "^attribute.*$ROLE"`" ]; then
- if [ -z "`voms-proxy-info -all|grep "^attribute"`" ]; then
- echo "No valid VOMS proxy found"
- exit 1
- else
- echo "VOMS proxy found with the wrong role."
- exit 1
- fi
- fi
 }
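Review bot: In `check ()` the "non-standard location" message is printed whenever `BEARER_TOKEN_FILE` is set, even when it already equals `$default_token`, because the comparison that `main` makes against the default was not carried over. The condition could be `if [[ -n "$BEARER_TOKEN_FILE" && "$BEARER_TOKEN_FILE" != "$default_token" ]]; then`, leaving the `else` branch unchanged. A user who has exported the default path would otherwise be told their setup is non-standard on every `-c` run, which makes the warning easy to ignore when the path really is unexpected.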