fermitools / managed-tokens

Managed Tokens service for FIFE Experiments at Fermilab
Apache License 2.0

See if we can only procure vault token #9

Open shreyb opened 1 year ago

shreyb commented 1 year ago

There's a --nobearertoken option or something like that for HTGETTOKEN. See if we can use that to not get bearer tokens at all. This will be a lot easier to investigate once #5 is done.

shreyb commented 1 year ago

This is very strange - if I ask for --nobearertoken, I don't get a vault token either:

[sbhat@fermicloud525 ~]$ kinit -k -t /path/to/keytab.keytab testuser/kerberos@PRINCIPAL.DOMAIN
[sbhat@fermicloud525 ~]$ export HTGETTOKENOPTS="--credkey=correct_credkey --nobearertoken"
[sbhat@fermicloud525 ~]$ htgettoken -a htvaultprod.fnal.gov -i mu2e -r production -v
Initializing kerberos client for host@htvaultprod.fnal.gov
Negotiating kerberos with https://htvaultprod.fnal.gov:8200
  at path auth/kerberos-mu2e_production
Connecting to 131.225.110.229
Attempting to get bearer token from https://htvaultprod.fnal.gov:8200
[sbhat@fermicloud525 ~]$ ls /tmp/vt*
ls: cannot access /tmp/vt*: No such file or directory

So there's no vault token either. If I take out --nobearertoken, then it gets both the vault and bearer token:

<re-export HTGETTOKENOPTS to exclude --nobearertoken>
[sbhat@fermicloud525 ~]$ htgettoken -a htvaultprod.fnal.gov -i mu2e -r production -v
Initializing kerberos client for host@htvaultprod.fnal.gov
Negotiating kerberos with https://htvaultprod.fnal.gov:8200
  at path auth/kerberos-mu2e_production
Connecting to 131.225.110.229
Attempting to get bearer token from https://htvaultprod.fnal.gov:8200
  at path SECRET_PATH
Storing vault token in /tmp/vt_u10610
Storing bearer token in /run/user/10610/bt_u10610