htcondor / scitokens-credmon

HTCondor implementation of the Scitokens credential monitor
Apache License 2.0

Proper system packaging of credmon #15

Open bbockelm opened 5 years ago

bbockelm commented 5 years ago

We should really include proper packaging of the credmon itself in order to make this straightforward to install "alongside" a schedd.

Thoughts that come to mind:

The end goal is that yum install scitokens-credmon - with very minimal config changes - should result in a working local issuer.

jasoncpatton commented 5 years ago

For the configs (condor and apache) there are now command line options to scitokens_credmon to install them. Some tweaking is needed to make the install script more configurable/universal, and this should probably be done before tagging 1.0. But this means configs aren't haphazardly added to condor and apache by pip/rpm/etc. until the admin is ready to enable the credmon.

The install script drops two condor configs, one that configures the credd and credmon ("infrequently edited") and another that contains a commented-out example for adding a Box OAuth client ("must be edited").

bbockelm commented 5 years ago

Going the install/config script route is pretty nasty. Very difficult to manage via puppet, for example.

Instead, you want to drop the configs in place and let the admin flip the boolean from disabled to enabled.

jasoncpatton commented 5 years ago

Would it be better to drop inert, commented-out configs in the right locations, and then have the script modify them in place? In addition to flipping everything on, it would be nice to have a single script to modify both condor and webserver configs simultaneously so that they are consistent (e.g. port number, web subdirectory).

bbockelm commented 5 years ago

Sure, that’s fine. Just be aware that admins will mostly care about what they need to put into Puppet. So, we want to make sure we explain the relevant config files.