HTCONDOR-2649 Remove GSI configuration and environment variables
JaimeFrey committed Oct 17, 2024
1 parent 24f5b92 commit 5bc62eb
Showing 33 changed files with 14 additions and 63 deletions.
3 changes: 1 addition & 2 deletions Makefile
Expand Up @@ -138,9 +138,8 @@ CE_DEFAULT_CONFIG_FILES := \
contrib/apelscripts/50-ce-apel-defaults.conf

CE_MAP_FILES := \
config/mapfiles.d/10-gsi.conf \
config/mapfiles.d/10-ssl.conf \
config/mapfiles.d/10-scitokens.conf \
config/mapfiles.d/50-gsi-callout.conf \
config/mapfiles.d/90-ban.conf

CE_CONDOR_CONFIG_FILES := \
2 changes: 1 addition & 1 deletion config/01-ce-auth.conf
Expand Up @@ -10,7 +10,7 @@
# By default, regular expressions in the second field of HTCondor-CE
# mapfiles must be enclosed with '/'. For exmaple:
#
# GSI /(.*)/ GSS_ASSIST_GRIDMAP
# SSL /(.*/CN=Jane)/ jane
#
# To restore the previous behavior where the second field is enclosed
# in double-quotes and they are all treated as potential regular
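Review bot: The replacement example `SSL /(.*/CN=Jane)/ jane` leaves the `/` before `CN` unescaped inside a `/`-delimited pattern, although the comments in config/mapfiles.d/10-ssl.conf say a `/` in the expression must be written `\/`. It is also unanchored, so if mapfile matching is a substring search (not visible here, worth confirming) it would accept any subject that merely contains `/CN=Jane`, including `CN=Janet` or the same name under a different CA. Since operators copy these samples, I would show an escaped, fully anchored DN instead, e.g. `# SSL /^\/DC=org\/DC=example\/CN=Jane Doe$/ jane` (constructed DN). The same applies to the `Role=htpc.*` sample in 10-ssl.conf, whose trailing `.*` also admits longer role names. The context line above misspells "example" as "exmaple".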
2 changes: 1 addition & 1 deletion config/01-common-auth-defaults.conf
Expand Up @@ -15,7 +15,7 @@ use security:recommended_v9_0
# Pool password directory for the CE and collector.
SEC_PASSWORD_DIRECTORY = /etc/condor-ce/passwords.d

# GSI settings
# Authentication settings
CERTIFICATE_MAPFILE=/etc/condor-ce/condor_mapfile

# Alter SSL settings to work with both standard and grid file locations
10 changes: 2 additions & 8 deletions config/05-ce-collector-auth.conf
Expand Up @@ -10,14 +10,8 @@
###############################################################################

# Allow site CEs to advertise to the central collector via SSL (SOFTWARE-3939)
if version > 9.0.6
# 9.0.6 includes AUTH_SSL_REQUIRE_CLIENT_CERTIFICATE (HTCONDOR-236)
COLLECTOR.SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = SSL, GSI
COLLECTOR.SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS = SSL, GSI
else
COLLECTOR.SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = GSI, SSL
COLLECTOR.SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS = GSI, SSL
endif
COLLECTOR.SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = SSL
COLLECTOR.SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS = SSL

# Allow CEs and XCache hosts not in the grid-mapfile to advertise to the central collector
COLLECTOR.ALLOW_ADVERTISE_SCHEDD = $(COLLECTOR.ALLOW_ADVERTISE_SCHEDD), $(UNMAPPED_USERS), $(USERS)
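Review bot: With SSL as the only advertise method, the collector's assurance about who is advertising rests entirely on the client presenting a certificate, and the deleted conditional carried the only reference to that (`AUTH_SSL_REQUIRE_CLIENT_CERTIFICATE`, HTCONDOR-236). Whether that knob is set elsewhere is not visible in this hunk; because the `ALLOW_ADVERTISE_SCHEDD` line just below also admits `$(UNMAPPED_USERS)`, it deserves an explicit pointer. I would keep a comment on the new lines such as `# SSL only: relies on AUTH_SSL_REQUIRE_CLIENT_CERTIFICATE (HTCONDOR-236, HTCondor > 9.0.6) so advertisers must present a certificate`. Removing the `if version > 9.0.6` guard also makes that version a hard minimum, which the package's dependency on condor should reflect if it does not already.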
2 changes: 1 addition & 1 deletion config/05-ce-view-defaults.conf
Expand Up @@ -51,7 +51,7 @@ else
# CE View drops privs after startup to the condor user, which doesn't
# have access to the host key for auth. Use FS auth instead.
CEVIEW.SEC_CLIENT_AUTHENTICATION_METHODS = FS
MASTER.SEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI
MASTER.SEC_DEFAULT_AUTHENTICATION_METHODS = FS
endif

# Cherrypy does not respect SIGTERM signals from the master, so kill it (and everything else) quickly
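Review bot: Dropping GSI here leaves `FS` as the only default authentication method for the master in this branch, whereas condor_ce_run and condor_ce_trace in the same commit replace GSI with SSL. FS only works for clients on the same host, so any remote administrative command that previously reached the master over GSI would now fail to authenticate; that may be intended, but the comment above explains only the CEVIEW line. I would state it next to the setting, e.g. `# Master accepts local (FS) authentication only in this branch; no network method is offered`. The enclosing `if`/`else` starts outside the hunk, so the condition selecting this branch is not visible.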
4 changes: 0 additions & 4 deletions config/condor-ce
Expand Up @@ -15,10 +15,6 @@
# /opt/condor
# export PATH=/opt/condor/bin:/opt/condor/sbin:$PATH

# Example: Have GSI authorization use a different plugin for Condor than the
# rest of the system.
# export GSI_AUTHZ_CONF=/etc/condor-ce/gsi-authz.conf

# Example: Have the HTCondor-CE use a different hostname from the rest of
# the system.
# export CONDORCE_HOSTNAME=condorce.example.com
4 changes: 0 additions & 4 deletions config/condor-ce-collector
Expand Up @@ -15,10 +15,6 @@
# /opt/condor
# export PATH=/opt/condor/bin:/opt/condor/sbin:$PATH

# Example: Have GSI authorization use a different plugin for Condor than the
# rest of the system.
# export GSI_AUTHZ_CONF=/etc/condor-ce/gsi-authz.conf

# Example: Have the HTCondor-CE collector use a different hostname from the rest of
# the system.
# export CONDORCE_HOSTNAME=condorce.example.com
10 changes: 5 additions & 5 deletions config/mapfiles.d/10-gsi.conf → config/mapfiles.d/10-ssl.conf
Expand Up @@ -6,8 +6,8 @@
#
###############################################################################

# Using GSI authentication for certificates requires the issuer CAs to be
# installed in /etc/grid-security/certificates. If you would also like to
# Using SSL authentication for IGTF certificates requires the issuer CAs to
# be installed in /etc/grid-security/certificates. If you would also like to
# authenticate VOMS attributes, *.lsc files should be installed in
# /etc/grid-security/vomsdir/

Expand All @@ -16,16 +16,16 @@
# with '\/') with the Distinguished Name (DN) of the incoming user certificate
# and the unix account under which the job should run, respectively:
#
# GSI /<DISTINGUISHED NAME>/ <USERNAME>
# SSL /<DISTINGUISHED NAME>/ <USERNAME>

# VOMS attributes can also be used for mapping:
#
# GSI /<DISTINGUISHED NAME>,<VOMS FQAN 1>,<VOMS FQAN 2>,...,<VOMSFQAN N>/ <USERNAME>
# SSL /<DISTINGUISHED NAME>,<VOMS FQAN 1>,<VOMS FQAN 2>,...,<VOMSFQAN N>/ <USERNAME>

# The second field should be a Perl Compatible Regular Expression (PCRE), thus
# allowing you to accept any DN with a given VOMS FQAN. For example, to map any
# GLOW certificate with the 'htpc' role to the 'glow' user, add a line that
# looks like the following:
#
# GSI /.*,\/GLOW\/Role=htpc.*/ glow
# SSL /.*,\/GLOW\/Role=htpc.*/ glow
#
12 changes: 0 additions & 12 deletions config/mapfiles.d/50-gsi-callout.conf

This file was deleted.

3 changes: 1 addition & 2 deletions rpm/htcondor-ce.spec
Expand Up @@ -303,9 +303,8 @@ getent passwd condorce_webapp >/dev/null || \
%config(noreplace) %{_sysconfdir}/condor-ce/config.d/03-managed-fork.conf
%config(noreplace) %{_sysconfdir}/sysconfig/condor-ce

%config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/10-gsi.conf
%config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/10-ssl.conf
%config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/10-scitokens.conf
%config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/50-gsi-callout.conf
%config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/90-ban.conf

%{_datadir}/condor-ce/config.d/01-ce-audit-payloads-defaults.conf
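Review bot: Dropping `10-gsi.conf` and `50-gsi-callout.conf` from `%files` while both were `%config(noreplace)` means a site that edited them keeps its mappings only as `.rpmsave` files after the upgrade, and the new `10-ssl.conf` ships nothing but commented samples. Mapfile entries are keyed by method name, so even lines copied across still begin with `GSI` and will not match SSL logins; affected users would fail to map, or may fall through to a later, broader rule. I would surface this at upgrade time, for example a `%post` message or a check in condor_ce_upgrade_check that reports any `GSI` line remaining under `%{_sysconfdir}/condor-ce/mapfiles.d/`, and mention the manual `GSI` to `SSL` edit in the release notes. The `%files` list starts and ends outside the hunk.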
1 change: 0 additions & 1 deletion src/condor_ce_config_val
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_config_val "$@"
1 change: 0 additions & 1 deletion src/condor_ce_history
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_history "$@"
1 change: 0 additions & 1 deletion src/condor_ce_hold
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_hold "$@"
1 change: 0 additions & 1 deletion src/condor_ce_job_router_info
Expand Up @@ -7,7 +7,6 @@ missing_tool()
}

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
CONDOR_BIN_DIR=$(/usr/bin/dirname $(/usr/bin/which condor_version 2> /dev/null ) 2> /dev/null )
if [ -z "$CONDOR_BIN_DIR" ]; then
missing_tool
1 change: 0 additions & 1 deletion src/condor_ce_off
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_off "$@"
1 change: 0 additions & 1 deletion src/condor_ce_on
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_on "$@"
1 change: 0 additions & 1 deletion src/condor_ce_ping
@@ -1,7 +1,6 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null

exec condor_ping "$@"

1 change: 0 additions & 1 deletion src/condor_ce_q
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_q "$@"
1 change: 0 additions & 1 deletion src/condor_ce_qedit
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_qedit "$@"
1 change: 0 additions & 1 deletion src/condor_ce_reconfig
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_reconfig "$@"
1 change: 0 additions & 1 deletion src/condor_ce_release
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_release "$@"
1 change: 0 additions & 1 deletion src/condor_ce_reschedule
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_reschedule "$@"
1 change: 0 additions & 1 deletion src/condor_ce_restart
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_restart "$@"
1 change: 0 additions & 1 deletion src/condor_ce_rm
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_rm "$@"
1 change: 0 additions & 1 deletion src/condor_ce_router_q
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_router_q -S "$@"
2 changes: 1 addition & 1 deletion src/condor_ce_run
Expand Up @@ -234,7 +234,7 @@ def main():
opts, args = parse_opts()
if opts.remote:
os.environ.setdefault("CONDOR_CONFIG", "/etc/condor-ce/condor_config")
os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,GSI,FS')
os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,SSL,FS')

if len(args) < 2:
print("Usage: condor_ce_run <hostname> <command> [arg1] [arg2] [...]")
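Review bot: `os.environ.setdefault(...)` keeps any `_condor_SEC_CLIENT_AUTHENTICATION_METHODS` already present in the caller's environment, so a shell profile or wrapper that still exports a list naming GSI overrides the new `SCITOKENS,SSL,FS` default without any message. The same literal is repeated in condor_ce_trace; defining it once (the `ce` helper module that condor_ce_trace already uses looks like the natural place, if condor_ce_run imports it too) would keep the two tools from drifting the next time a method is retired. A short comment such as `# Client method preference; an inherited _condor_SEC_CLIENT_AUTHENTICATION_METHODS takes precedence` would document the override. `main()` starts before and continues past the hunk.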
1 change: 0 additions & 1 deletion src/condor_ce_status
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_status "$@"
1 change: 0 additions & 1 deletion src/condor_ce_store_cred
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_store_cred "$@"
1 change: 0 additions & 1 deletion src/condor_ce_submit
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_submit "$@"
2 changes: 1 addition & 1 deletion src/condor_ce_trace
Expand Up @@ -332,7 +332,7 @@ def main():
raise ce.CondorRunException('ERROR: Could not find CE schedd at %s.\n' % job_info['schedd_name'] + \
'Verify that the Scheduler daemon is up with `condor_ce_status -any`.')

os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,GSI,FS')
os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,SSL,FS')
check_authz(coll_ad, schedd_ad)
try:
job_info.update(ce.generate_job_files())
1 change: 0 additions & 1 deletion src/condor_ce_transform_ads
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_transform_ads "$@"
1 change: 0 additions & 1 deletion src/condor_ce_upgrade_check
@@ -1,5 +1,4 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null
exec condor_upgrade_check -ce "$@"
1 change: 0 additions & 1 deletion src/condor_ce_version
@@ -1,7 +1,6 @@
#!/bin/sh

. /usr/share/condor-ce/condor_ce_env_bootstrap
export GSI_AUTHZ_CONF=/dev/null

echo "\$HTCondorCEVersion: $(condor_ce_config_val HTCondorCEVersion | tr -d \") \$"
exec condor_version "$@"
