Frontend group throws exception unless X509 credential is provided

glideinWMS / glideinwms

The glideinWMS Project

http://tinyurl.com/glideinwms

Apache License 2.0

16 stars 46 forks source link

Frontend group throws exception unless X509 credential is provided #66

Closed bbockelm closed 2 years ago

bbockelm commented 2 years ago

If a frontend group doesn't have a credential assigned, then it will throw an exception and fail.
If you fix the obvious exceptions, you quickly run into a problem with the frontend/factory interface: the request advertisements are per-credential. As the token implementations don't utilize the credential framework, there's no way for the frontend to generate the ad names to advertise to the factory.

ddbox commented 2 years ago

Hi Brian, just to be clear, is this with a 3.7.6.rc2 frontend? I am trying to reproduce this failure mode. Thanks Dennis

ddbox commented 2 years ago

I remembered recently that there is still a place in the frontend.xml that requires a valid certificate or proxy to do the initial reconfig/upgrade. We have been working around this by pointing this at the hostcert.pem, i.e.

<security classad_proxy="/etc/grid-security/hostcert.pem" ....

Once this is done SciTokens can be specified as credentials for groups in the frontend, and frontend generated IDTOKENS are used to advertise to the factory. Is this the failure mode you are encountering or is it something else?

mambelli commented 2 years ago

The need for a host certificate should be removed as well.