m2ms / fragalysis-frontend

The React, Redux frontend built by webpack

Setup functional account for Fragalysis #1329

Open Waztom opened 7 months ago

Waztom commented 7 months ago

@alanbchristie Diamond SC has agreed to set up a functional account for Fragalysis. I will include you in the ticket - they need a username and public key. Can you please generate a public key for the pod?

@tdudgeon because you are a visiting scientist and considered staff at Diamond, you will very likely need to set up (SC to confirm after checking your fedid), like the rest of us, a FortiClient VPN.

alanbchristie commented 7 months ago

Here's a public key created without a passphrase using ssh-keygen -o: -

ssh-rsa … abc@Dallas

I'll keep the private file safe for now.

It is held in our KeePass vault under the Diamond group and the record is called Fragalysis Diamond SSH Key

Waztom commented 7 months ago

@alanbchristie thank you! Have pinged SC (copied you and Tim in).

mwinokan commented 6 months ago

@alanbchristie has this authentication method been implemented but it stopped working along with the username and password as in #1316?

alanbchristie commented 6 months ago

We can (in theory) create an SSH tunnel (which allows us to connect to the ISPyB database) using a username/password approach, and the fragalysis-stack "functional" account and a private key file.

When last tested a tunnel could be connected with either. But I suspect that the username/password approach now no longer works. Also, when last tested, the "functional" account did allow me to create a tunnel but I could not connect to the ISPyB database through it. Whereas the username/password resulted in a tunnel and connection to the DB.

alanbchristie commented 6 months ago

The "functional" stack uses a private key file. The username is Fragalysis-stack. When we were able to create an SSH tunnel we were (and still are) using src15435. The host name in both cases is ssh.diamond.ac.uk.

Our connections are made from the Kubernetes cluster on the STFC hardware. SSH connection attempts will come from 192.168.253.* addresses and 130.246.212.100.

I suspect: -

So ...

  1. we need help from ISPyB (James Hall) if we are forced to use the "functional" account or
  2. the ability to return to using the username/password account for src15435

alanbchristie commented 6 months ago

The ISPyB connection appears to have been working up to around 11:00 (GMT) today. There were some intermittent failures but it seems to have stopped completely at about 11:20, when the stack was restarted.

mwinokan commented 6 months ago

@alanbchristie please continue the conversation / ticket with Richard from SC to see if we can have more robust access

mwinokan commented 3 months ago

@tdudgeon @alanbchristie, what is the status of this ticket? Is there much left to do?

alanbchristie commented 3 months ago

We are using a service (generic) account for the SSH tunnel using the user fragalysis-stack and a keyfile. I believe we are also using a service account for the ISPyB queries, using the user ispyb_api_fragalysis.

So this issue is effectively Done (in production)
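
An added example, not part of the thread or the project's code: a Python check of an OpenSSH authorized_keys entry for a tunnel-only service account such as the one discussed above, using the source addresses quoted in the thread. The key blob, key comment, forced command and database endpoint (db.example.invalid:3306) are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed samples: key blob, comment and DB endpoint are placeholders.
WEAK = "ssh-rsa AAAAEXAMPLEKEY abc@example"
HARDENED = ('restrict,port-forwarding,command="/bin/false",'
            'permitopen="db.example.invalid:3306",'
            'from="192.168.253.*,130.246.212.100" '
            "ssh-ed25519 AAAAEXAMPLEKEY fragalysis-stack")
# Source addresses quoted in the thread for the cluster's connections.
EXPECTED_SOURCES = {"192.168.253.*", "130.246.212.100"}

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="([^"]*)")?(?:,|$)')

def parse_options(line):
    """Return the option dict of one authorized_keys line ({} if none)."""
    fields, current, quoted = [], "", False
    for ch in line.strip():
        if ch == '"':
            quoted = not quoted
        if ch in " \t" and not quoted:   # field break outside quotes
            if current:
                fields.append(current)
            current = ""
        else:
            current += ch
    fields.append(current)
    if KEY_TYPE.match(fields[0]):        # line starts with the key type
        return {}
    return {m.group(1).lower(): m.group(2) or ""
            for m in OPTION.finditer(fields[0])}

def audit_tunnel_key(line, expected_sources=EXPECTED_SOURCES):
    """List hardening gaps for a key meant only to carry one SSH tunnel."""
    opts, findings = parse_options(line), []
    sources = {s for s in opts.get("from", "").split(",") if s}
    if not sources:
        findings.append("no from=: key accepted from any address")
    elif not sources <= set(expected_sources):
        findings.append("from= allows unexpected sources")
    if "restrict" not in opts:
        findings.append("no restrict: pty, agent and X11 forwarding allowed")
    elif "port-forwarding" not in opts:
        findings.append("restrict without port-forwarding: tunnel blocked")
    if "permitopen" not in opts:
        findings.append("no permitopen=: tunnel may target any host:port")
    if "command" not in opts:
        findings.append("no command=: key may start a shell or run commands")
    return findings
```

Running `audit_tunnel_key(WEAK)` lists four gaps for a bare key line, while the hardened line returns an empty list.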