From 4ee638b1854e80c3c00817e2d85d6b29fe316116 Mon Sep 17 00:00:00 2001
From: Kaushik Malapati
Date: Wed, 11 Oct 2023 15:31:21 -0700
Subject: [PATCH 1/5] DEV: tool to run kinit/aklog for you if needed (#147)

---
 scripts/kinit_helper | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100755 scripts/kinit_helper

diff --git a/scripts/kinit_helper b/scripts/kinit_helper
new file mode 100755
index 00000000..5f852d3e
--- /dev/null
+++ b/scripts/kinit_helper
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+function kauth {
+ # If token doesn't exist, create it (will query for password)
+ if ! klist -s
+ then
+ while ! kinit
+ do
+ :
+ done
+ fi
+}
+
+function afsauth {
+ # afs needs kerberos token
+ kauth
+ # only available on psbuild servers
+ if [[ $(hostname) != psbuild-rhel* ]]
+ then
+ echo "You must be on psbuild to create afs tokens"
+ exit
+ fi
+
+ # need to be in g-pcds afs grup
+ if ! pts membership g-pcds 2>&1 | grep -q "$(whoami)"
+ then
+ echo "You do not have permission to use afs. See https://confluence.slac.stanford.edu/display/PCDS/Onboarding+Staff+Members"
+ exit
+ fi
+
+ # If token doesn't exist, create it
+ if ! tokens | grep -q $UID
+ then
+ aklog
+ fi
+}
+
+# if name == '__main__':
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+ afsauth
+fi
From 422e6353e6212fd2cf04e0890945700da6e926e3 Mon Sep 17 00:00:00 2001
From: Kaushik Malapati
Date: Wed, 11 Oct 2023 15:45:28 -0700
Subject: [PATCH 2/5] BUG: replacing exit with return

---
 scripts/kinit_helper | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/scripts/kinit_helper b/scripts/kinit_helper
index 5f852d3e..7556953f 100755
--- a/scripts/kinit_helper
+++ b/scripts/kinit_helper
@@ -9,6 +9,7 @@ function kauth { : done fi + return 0 } function afsauth { 
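Review bot: Both membership tests in afsauth are substring matches, so `grep -q "$(whoami)"` also succeeds for any g-pcds member whose name merely contains the current user's name, and `grep -q $UID` matches any token line whose AFS ID contains the digits of `$UID`; `grep -qw -- "$(whoami)"` and `grep -qw -- "$UID"` restrict both to whole-word matches, and quoting `$UID` also satisfies ShellCheck. The pts line is re-added unchanged by patch 4's first hunk, so the same fix applies there. The `2>&1` on the pts call folds any pts error text (cell unreachable, binary missing) into grep's input, so such a failure is reported to the user as "You do not have permission" rather than the real cause; checking pts's exit status separately, or dropping the redirect, would keep the two cases apart. The two diagnostic `echo`s write to stdout, which is awkward for a script meant to be sourced and called from other scripts; `>&2` on both keeps them out of captured output.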
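Review bot: kauth still has no failure path: the `return 0` added after the loop is reached only once kinit succeeds, and when stdin is not a terminal (cron, a CI job, a pipeline) kinit is likely to fail at the password prompt every time, so the `while ! kinit` loop spins forever instead of returning an error. A guard before the loop such as `[[ -t 0 ]] || { echo "kauth: no terminal to prompt for a password" >&2; return 1; }`, or a bounded retry count, would let callers fail cleanly. kauth's opening lines are outside this hunk.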
@@ -18,14 +19,14 @@ function afsauth { if [[ $(hostname) != psbuild-rhel* ]] then echo "You must be on psbuild to create afs tokens" - exit + return 1 fi # need to be in g-pcds afs grup if ! pts membership g-pcds 2>&1 | grep -q "$(whoami)" then echo "You do not have permission to use afs. See https://confluence.slac.stanford.edu/display/PCDS/Onboarding+Staff+Members" - exit + return 1 fi # If token doesn't exist, create it
@@ -33,6 +34,7 @@ function afsauth { then aklog fi + return 0 } # if name == '__main__':
From 826b1f9b6fda3f0b6d179351ba2c20fdae8365c8 Mon Sep 17 00:00:00 2001
From: Kaushik Malapati
Date: Thu, 12 Oct 2023 10:57:57 -0700
Subject: [PATCH 3/5] DEV: kauth creates tokens with max lifetime and tries to renew

---
 scripts/kinit_helper | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/scripts/kinit_helper b/scripts/kinit_helper
index 7556953f..d13d7ff7 100755
--- a/scripts/kinit_helper
+++ b/scripts/kinit_helper
@@ -4,10 +4,12 @@ function kauth {
 # If token doesn't exist, create it (will query for password)
 if ! klist -s
 then
- while ! kinit
+ while ! kinit -l 365d -r 365d
 do
 :
 done
+ else
+ kinit -R &> /dev/null
 fi
 return 0
 }
@@ -15,7 +17,8 @@ function kauth {
 function afsauth {
 # afs needs kerberos token
 kauth
- # only available on psbuild servers
+
+ # afs should be used from psbuild servers
 if [[ $(hostname) != psbuild-rhel* ]]
 then
 echo "You must be on psbuild to create afs tokens"
From fe0090fb396109a8ec1084918ac4d840ff1e73dd Mon Sep 17 00:00:00 2001
From: Kaushik Malapati
Date: Tue, 17 Oct 2023 09:55:49 -0700
Subject: [PATCH 4/5] DEV: rearranging afsauth checks and kauth call

---
 scripts/kinit_helper | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/scripts/kinit_helper b/scripts/kinit_helper
index d13d7ff7..bb7076ee 100755
--- a/scripts/kinit_helper
+++ b/scripts/kinit_helper
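Review bot: The `return 0` added at the end of afsauth runs even when the `aklog` call just above it fails, so a caller writing `afsauth || exit` cannot tell that no AFS token was obtained (aklog exits non-zero when it cannot reach the cell or the Kerberos ticket is unusable). Checking the call, e.g. `aklog || { echo "aklog failed; no afs token obtained" >&2; return 1; }`, keeps the function's exit status meaningful; patch 4's second hunk moves the aklog call but leaves it unchecked as well. afsauth's opening lines are outside this hunk.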
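Review bot: `kinit -R &> /dev/null` discards the renewal's outcome, so when the existing ticket can no longer be renewed (renew-till reached, or it was never issued renewable) kauth still returns 0 and the user gets no hint that the ticket will lapse at its current end time; `kinit -R 2>/dev/null || echo "kauth: could not renew the kerberos ticket; re-run kinit before it expires" >&2` surfaces that without changing the return value. The `kinit -l 365d -r 365d` line deserves a comment for the next reader: both values are requests that the KDC normally caps at the realm's maximum ticket and renewable lifetimes, so the effective lifetime is a site policy decision rather than a year, and a longer-lived credential cache is also a larger exposure if it is ever copied; something like `# ask for the realm maximum; the KDC caps -l/-r at its policy limits` would record the intent. kauth's `function` line is outside this hunk.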
@@ -15,8 +15,12 @@ function kauth { } function afsauth { - # afs needs kerberos token - kauth + # need to be in g-pcds afs grup + if ! pts membership g-pcds 2>&1 | grep -q "$(whoami)" + then + echo "You do not have permission to use afs. See https://confluence.slac.stanford.edu/display/PCDS/Onboarding+Staff+Members" + return 1 + fi # afs should be used from psbuild servers if [[ $(hostname) != psbuild-rhel* ]]
@@ -25,17 +29,12 @@ function afsauth { return 1 fi - # need to be in g-pcds afs grup - if ! pts membership g-pcds 2>&1 | grep -q "$(whoami)" - then - echo "You do not have permission to use afs. See https://confluence.slac.stanford.edu/display/PCDS/Onboarding+Staff+Members" - return 1 - fi - # If token doesn't exist, create it if ! tokens | grep -q $UID - then - aklog + then + # afs needs kerberos token + kauth + aklog fi return 0 }
From 730c464a18382785be3bb5abe6d5e6fa1857bacf Mon Sep 17 00:00:00 2001
From: Kaushik Malapati
Date: Tue, 17 Oct 2023 10:42:59 -0700
Subject: [PATCH 5/5] DOC: added kinit_helper entry to README

---
 README.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/README.md b/README.md
index c982d2eb..d0af553e 100644
--- a/README.md
+++ b/README.md
@@ -321,6 +321,19 @@ usage: ipmConfigEpics [-b boxname] [-H hutch] [-d] [-h] [-l]
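Review bot: The `tokens | grep -q $UID` test that now gates both `kauth` and `aklog` only asks whether a line names the user's AFS ID, and if `tokens` still lists a lapsed token (OpenAFS prints such entries with an `Expired` marker, worth confirming on psbuild) then with an expired AFS token neither the Kerberos ticket is refreshed nor aklog run, and the function returns 0 without a usable token. Filtering the marker out, `if ! tokens | grep -w -- "$UID" | grep -qv Expired`, makes the check mean "a live token exists". Since the rearrangement also means kauth's `kinit -R` renewal only happens when no AFS token is present, which is what the README added in patch 5 describes, a comment on the `if` such as `# a live afs token short-circuits the kerberos check/renewal` would spare the next reader a trip through the history. afsauth's opening lines are outside this hunk.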
+ + kinit_helper + +usage: kinit_helper
+ Defines two functions - kauth and afsauth.
+ kauth will create a new kerberos token, renew an existing one, or do nothing if a + valid token exists.
+ afsauth will check that the user and host are able to access afs; if so, and an afs + token doesn't already exist, kauth will be called and a new afs token will be made.
+ By default, calls afsauth. + + + makepeds