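def _sql_quote(value):
    """Escape *value* for use inside a single-quoted MySQL string literal.

    Doubles backslashes and single quotes, which is the correct escaping for
    MySQL's default SQL mode (where backslash is itself an escape character).
    NOTE(review): under NO_BACKSLASH_ESCAPES the backslash doubling would be
    one too many; the OSG Test CA's DNs contain neither character in practice.
    """
    return value.replace('\\', '\\\\').replace("'", "''")


def add_user(vo, usercert, use_voms_admin=False):
    """Add the user identified by the given cert to the specified VO.

    May use voms-admin or direct MySQL statements.  The CA cert that issued the
    user cert must already be in the database's 'ca' table - this happens
    automatically if the CA cert is in /etc/grid-security/certificates when
    the VOMS database is created.

    Args:
        vo: VO name; the direct-MySQL path uses the database 'voms_' + vo.
        usercert: path to the user certificate whose subject/issuer DNs are
            registered.
        use_voms_admin: when True, shell out to voms-admin on this host
            (socket.getfqdn()) instead of writing rows into 'usr' and 'm'.

    Raises:
        AssertionError: direct-MySQL path only, when the user cert's issuer
            has no row in the 'ca' table.  Raised explicitly (not via
            `assert`) so the check survives `python -O`.
    """
    usercert_dn, usercert_issuer = cagen.certificate_info(usercert)

    if use_voms_admin:
        hostname = socket.getfqdn()
        # NOTE(review): this branch registers against core.config['voms.vo'],
        # not the `vo` argument, unlike the MySQL branch below - confirm that
        # the two are always the same VO.
        command = ('voms-admin', '--vo', core.config['voms.vo'], '--host', hostname,
                   '--nousercert', 'create-user',
                   usercert_dn, usercert_issuer, 'OSG Test User', 'root@localhost')
        core.check_system(command, 'Add VO user')
        return

    dbname = 'voms_' + vo

    # Both DNs come out of a certificate and are spliced into SQL text, so
    # quote them instead of trusting that they contain no "'" or "\".
    quoted_issuer = _sql_quote(usercert_issuer)
    quoted_dn = _sql_quote(usercert_dn)

    # Find the index in the "ca" table ("cid") for the OSG Test CA that gets
    # created by voms_install_db.
    output, _, _ = mysql.check_execute(
        r'''SELECT cid FROM ca WHERE ca='%s';''' % quoted_issuer,
        'Get ID of user cert issuer from database', dbname)
    output = output.strip()
    if not output:
        raise AssertionError("User cert issuer not found in database")
    ca = int(output)

    # Fixed ids (userid 1, membership row 1/1/1) are what the original
    # statements wrote; this only works for a freshly created, empty VO.
    mysql.check_execute(
        r'''
INSERT INTO `usr` VALUES (1,'%s',%d,NULL,'root@localhost',NULL);
INSERT INTO `m` VALUES (1,1,1,NULL,NULL);''' % (quoted_dn, ca),
        'Add VO user', dbname)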
def test_06_add_local_admin(self):
    """Register this host's certificate DN as an administrator of the test VO.

    Skips unless voms-admin-server and voms-mysql-plugin are installed.  The
    subject/issuer pair is read from core.config['certs.hostcert'] and handed
    to `voms-db-deploy.py add-admin` for the VO in core.config['voms.vo'].
    """
    core.skip_ok_unless_installed('voms-admin-server', 'voms-mysql-plugin')

    hostcert_path = core.config['certs.hostcert']
    admin_dn, admin_ca = cagen.certificate_info(hostcert_path)

    deploy_cmd = (
        'voms-db-deploy.py', 'add-admin',
        '--vo', core.config['voms.vo'],
        '--dn', admin_dn,
        '--ca', admin_ca,
    )
    core.check_system(deploy_cmd, 'Add VO admin')
def advertise_lsc(vo, hostcert='/etc/grid-security/hostcert.pem'):
    """Write the .lsc trust file naming this host as the VOMS server for *vo*.

    Creates /etc/grid-security/vomsdir/<vo>/ when missing and writes
    <fqdn>.lsc inside it: the host cert's subject DN on the first line and its
    issuer DN on the second.  The file is written mode 0644 with no backup;
    the hostname comes from socket.getfqdn().
    """
    subject_dn, issuer_dn = cagen.certificate_info(hostcert)
    fqdn = socket.getfqdn()

    vomsdir = os.path.join('/etc/grid-security/vomsdir', vo)
    if not os.path.isdir(vomsdir):
        os.makedirs(vomsdir)

    lsc_lines = (subject_dn + '\n', issuer_dn + '\n')
    lsc_path = os.path.join(vomsdir, fqdn + '.lsc')
    files.write(lsc_path, lsc_lines, backup=False, chmod=0o644)
def test_03_configure_ce(self): core.skip_ok_unless_installed('condor', 'htcondor-ce', 'htcondor-ce-client') # Set up Condor, PBS, and Slurm routes # Leave the GRIDMAP knob in tact to verify that it works with the LCMAPS VOMS plugin core.config['condor-ce.condor-ce-cfg'] = '/etc/condor-ce/config.d/99-osgtest.condor-ce.conf' # Add host DN to condor_mapfile if core.options.hostcert: core.config['condor-ce.condorce_mapfile'] = '/etc/condor-ce/condor_mapfile.osg-test' hostcert_dn, _ = cagen.certificate_info(core.config['certs.hostcert']) mapfile_contents = files.read('/etc/condor-ce/condor_mapfile') mapfile_contents.insert(0, re.sub(r'([/=\.])', r'\\\1', "GSI \"^%s$\" " % hostcert_dn) + \ "%[email protected]\n" % core.get_hostname()) files.write(core.config['condor-ce.condorce_mapfile'], mapfile_contents, owner='condor-ce', chmod=0o644) else: core.config['condor-ce.condorce_mapfile'] = '/etc/condor-ce/condor_mapfile' condor_contents = """GRIDMAP = /etc/grid-security/grid-mapfile CERTIFICATE_MAPFILE = %s ALL_DEBUG=D_FULLDEBUG JOB_ROUTER_DEFAULTS = $(JOB_ROUTER_DEFAULTS) [set_default_maxMemory = 128;] JOB_ROUTER_ENTRIES = \\ [ \\ GridResource = "batch pbs"; \\ TargetUniverse = 9; \\ name = "Local_PBS"; \\ Requirements = target.osgTestBatchSystem =?= "pbs"; \\ ] \\ [ \\ GridResource = "batch slurm"; \\ TargetUniverse = 9; \\ name = "Local_Slurm"; \\ Requirements = target.osgTestBatchSystem =?= "slurm"; \\ ] \\ [ \\ TargetUniverse = 5; \\ name = "Local_Condor"; \\ Requirements = (target.osgTestBatchSystem =!= "pbs" && target.osgTestBatchSystem =!= "slurm"); \\ ] JOB_ROUTER_SCHEDD2_SPOOL=/var/lib/condor/spool JOB_ROUTER_SCHEDD2_NAME=$(FULL_HOSTNAME) JOB_ROUTER_SCHEDD2_POOL=$(FULL_HOSTNAME):9618 """ % core.config['condor-ce.condorce_mapfile'] if core.rpm_is_installed('htcondor-ce-view'): condor_contents += "\nDAEMON_LIST = $(DAEMON_LIST), CEVIEW, GANGLIAD, SCHEDD" core.config['condor-ce.view-port'] = condor.ce_config_val('HTCONDORCE_VIEW_PORT') 
files.write(core.config['condor-ce.condor-ce-cfg'], condor_contents, owner='condor-ce', chmod=0o644)
def advertise_vomses(vo, hostcert='/etc/grid-security/hostcert.pem'):
    """Point /etc/vomses at this host as the VOMS server for *vo*.

    Overwrites /etc/vomses (no backup, mode 0644) with one entry of the form
    "<vo>" "<host>" "<port>" "<host DN>" "<vo>", built from the subject DN of
    *hostcert*, core.get_hostname() and the module-level VOPORT.  Caller is
    responsible for preserving and restoring /etc/vomses.
    """
    subject_dn, _ = cagen.certificate_info(hostcert)
    server_host = core.get_hostname()

    fields = (vo, server_host, VOPORT, subject_dn, vo)
    entry = '"%s" "%s" "%d" "%s" "%s"\n' % fields
    files.write('/etc/vomses', entry, backup=False, chmod=0o644)
def advertise_vomses(vo, hostcert='/etc/grid-security/hostcert.pem'):
    """Point /etc/vomses at this host as the VOMS server for *vo*.

    Overwrites /etc/vomses (no backup, mode 0644) with one entry of the form
    "<vo>" "<fqdn>" "15151" "<host DN>" "<vo>", using the subject DN of
    *hostcert* and socket.getfqdn().  Caller is responsible for preserving and
    restoring /etc/vomses.
    """
    subject_dn, _ = cagen.certificate_info(hostcert)
    fqdn = socket.getfqdn()

    fields = (vo, fqdn, 15151, subject_dn, vo)
    entry = '"%s" "%s" "%d" "%s" "%s"\n' % fields
    files.write('/etc/vomses', entry, backup=False, chmod=0o644)
def advertise_lsc(vo, hostcert='/etc/grid-security/hostcert.pem'):
    """Write the .lsc trust file naming this host as the VOMS server for *vo*.

    Creates /etc/grid-security/vomsdir/<vo>/ when missing and writes
    <hostname>.lsc inside it: the host cert's subject DN on the first line and
    its issuer DN on the second.  The file is written mode 0644 with no backup;
    the hostname comes from core.get_hostname().
    """
    subject_dn, issuer_dn = cagen.certificate_info(hostcert)
    server_host = core.get_hostname()

    vomsdir = os.path.join('/etc/grid-security/vomsdir', vo)
    if not os.path.isdir(vomsdir):
        os.makedirs(vomsdir)

    lsc_lines = (subject_dn + '\n', issuer_dn + '\n')
    lsc_path = os.path.join(vomsdir, server_host + '.lsc')
    files.write(lsc_path, lsc_lines, backup=False, chmod=0o644)
def test_01_add_user(self):
    """Create the test user in the VO through the voms-admin CLI.

    Requires voms-admin-server and voms-admin-client (else skipped) and a
    started VOMS webapp in core.state['voms.started-webapp'] (else marked
    bad).  Subject and issuer DNs are read from
    ~<username>/.globus/usercert.pem and registered with the VO named in
    core.config['voms.vo'] on socket.getfqdn().  Success is recorded in
    core.state['voms.added-user'].
    """
    core.state['voms.added-user'] = False
    core.skip_ok_unless_installed('voms-admin-server', 'voms-admin-client')
    self.skip_bad_unless(core.state['voms.started-webapp'])

    home = pwd.getpwnam(core.options.username).pw_dir
    usercert = os.path.join(home, '.globus', 'usercert.pem')
    subject_dn, issuer_dn = cagen.certificate_info(usercert)

    voms_admin = (
        'voms-admin',
        '--vo', core.config['voms.vo'],
        '--host', socket.getfqdn(),
        '--nousercert',
        'create-user', subject_dn, issuer_dn, 'OSG Test User', 'root@localhost',
    )
    core.check_system(voms_admin, 'Add VO user')
    core.state['voms.added-user'] = True
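def test_04_add_mysql_admin(self):
    """Grant this host's certificate DN admin rights in the GUMS MySQL database.

    Skips unless gums-service is installed.  Reads the DN from
    core.config['certs.hostcert'], substitutes it for the @ADMINDN@ placeholder
    in /usr/lib/gums/sql/addAdmin.mysql, logs both the template and the final
    statement, and runs it through the mysql client as user 'gums'.

    Fix: the placeholder is substituted with str.replace rather than re.sub,
    so a DN containing backslashes is inserted literally instead of being
    parsed as regex replacement escapes (which raises or mangles the DN).
    """
    core.skip_ok_unless_installed('gums-service')
    host_dn, _ = cagen.certificate_info(core.config['certs.hostcert'])

    mysql_template_path = '/usr/lib/gums/sql/addAdmin.mysql'
    self.assert_(os.path.exists(mysql_template_path), 'GUMS MySQL template exists')
    mysql_template = files.read(mysql_template_path, as_single_string=True).strip()
    core.log_message(mysql_template)

    # The DN is data, not a replacement template, and the placeholder is a
    # fixed string, so plain replace() is both simpler and correct.  The DN
    # is spliced into the SQL without any quoting here; it comes from our
    # own host cert, so it is trusted, but it is not escaped.
    mysql_command = mysql_template.replace('@ADMINDN@', host_dn)
    core.log_message(mysql_command)

    # NOTE(review): '-p<password>' puts the GUMS DB password in the mysql
    # client's argv, visible in the process list to every local user while
    # it runs (and in any command logging check_system does).  MYSQL_PWD or
    # a --defaults-file would avoid that; left unchanged because
    # check_system's environment handling is not visible here.
    command = ('mysql', '--user=gums', '-p' + core.config['gums.password'],
               '--execute=' + mysql_command)
    core.check_system(command, 'Could not add GUMS MySQL admin')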
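def _sql_quote(value):
    """Escape *value* for use inside a single-quoted MySQL string literal.

    Doubles backslashes and single quotes, which is the correct escaping for
    MySQL's default SQL mode (where backslash is itself an escape character).
    NOTE(review): under NO_BACKSLASH_ESCAPES the backslash doubling would be
    one too many; the OSG Test CA's DNs contain neither character in practice.
    """
    return value.replace('\\', '\\\\').replace("'", "''")


def add_user(vo, usercert):
    """Add the user identified by the given cert to the specified VO.

    Uses direct MySQL statements instead of voms-admin.  The CA cert that
    issued the user cert must already be in the database's 'ca' table - this
    happens automatically if the CA cert is in /etc/grid-security/certificates
    when the VOMS database is created.

    Args:
        vo: VO name; the database written to is 'voms_' + vo.
        usercert: path to the user certificate whose subject/issuer DNs are
            registered.

    Raises:
        AssertionError: when the user cert's issuer has no row in the 'ca'
            table.  Raised explicitly (not via `assert`) so the check
            survives `python -O`.
    """
    usercert_dn, usercert_issuer = cagen.certificate_info(usercert)
    dbname = 'voms_' + vo

    # Both DNs come out of a certificate and are spliced into SQL text, so
    # quote them instead of trusting that they contain no "'" or "\".
    quoted_issuer = _sql_quote(usercert_issuer)
    quoted_dn = _sql_quote(usercert_dn)

    # Find the index in the "ca" table ("cid") for the OSG Test CA that gets
    # created by voms_install_db.
    output, _, _ = mysql.check_execute(
        r'''SELECT cid FROM ca WHERE ca='%s';''' % quoted_issuer,
        'Get ID of user cert issuer from database', dbname)
    output = output.strip()
    if not output:
        raise AssertionError("User cert issuer not found in database")
    ca = int(output)

    # Fixed ids (userid 1, membership row 1/1/1) are what the original
    # statements wrote; this only works for a freshly created, empty VO.
    mysql.check_execute(
        r'''
INSERT INTO `usr` VALUES (1,'%s',%d,NULL,'root@localhost',NULL);
INSERT INTO `m` VALUES (1,1,1,NULL,NULL);''' % (quoted_dn, ca),
        'Add VO user', dbname)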
def test_02_edg_mkgridmap(self):
    """Run edg-mkgridmap against the test VOMS server and check its mapfile.

    Skips unless edg-mkgridmap and voms-server are installed.  Output paths
    are handed to the tool through the environment (GRIDMAP, USER_VO_MAP,
    EDG_MKGRIDMAP_LOG, VO_LIST_FILE, UNDEFINED_ACCTS_FILE), all under
    /usr/share/osg-test.  The generated grid-mapfile and the log are cat'd
    into the test output, and the test asserts that the mapfile contains a
    line mapping the test user's certificate DN to core.options.username.
    """
    core.skip_ok_unless_installed('edg-mkgridmap', 'voms-server')

    output_root = '/usr/share/osg-test'
    env_outputs = {
        'GRIDMAP': 'grid-mapfile',
        'USER_VO_MAP': 'user-vo-map',
        'EDG_MKGRIDMAP_LOG': 'edg-mkgridmap.log',
        'VO_LIST_FILE': 'vo-list-file',
        'UNDEFINED_ACCTS_FILE': 'undef-ids',
    }
    for var_name, file_name in env_outputs.items():
        os.environ[var_name] = output_root + '/' + file_name

    mkgridmap_cmd = ('edg-mkgridmap', '--conf', core.config['edg.conf'])
    core.check_system(mkgridmap_cmd, 'Run edg-mkgridmap')
    for echoed in (os.environ['GRIDMAP'], os.environ['EDG_MKGRIDMAP_LOG']):
        core.system(('cat', echoed))

    home = pwd.getpwnam(core.options.username).pw_dir
    usercert = os.path.join(home, '.globus', 'usercert.pem')
    subject_dn, _ = cagen.certificate_info(usercert)

    wanted_line = '"%s" %s' % (subject_dn, core.options.username)
    mapfile_text = files.read(os.environ['GRIDMAP'], True)
    self.assert_(wanted_line in mapfile_text, 'Expected grid-mapfile contents')
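def test_02_user(self):
    """Check the test account is usable and map its certificate DN.

    Skipped when core.options.skiptests is set.  Fails when the account does
    not exist, has '/' as its home, or the home directory is missing.
    Otherwise reads ~/.globus/usercert.pem, stores its subject and issuer in
    core.config['user.cert_subject'] / core.config['user.cert_issuer'],
    appends '"<DN>" <username>' to core.config['system.mapfile'] (owner tag
    'user'), records core.state['system.wrote_mapfile'] = True and leaves the
    mapfile mode 0644.

    Fix: the caught KeyError was bound to an unused name; it is no longer
    bound.
    """
    core.state['system.wrote_mapfile'] = False
    if core.options.skiptests:
        core.skip('no user needed')
        return

    try:
        password_entry = pwd.getpwnam(core.options.username)
    except KeyError:
        self.fail("User '%s' should exist but does not" % core.options.username)

    self.assert_(password_entry.pw_dir != '/',
                 "User '%s' has home directory at '/'" % (core.options.username))
    self.assert_(os.path.isdir(password_entry.pw_dir),
                 "User '%s' missing a home directory at '%s'"
                 % (core.options.username, password_entry.pw_dir))

    cert_path = os.path.join(password_entry.pw_dir, '.globus', 'usercert.pem')
    core.config['user.cert_subject'], core.config['user.cert_issuer'] = certificate_info(cert_path)

    # Add user to mapfile.  The mapfile holds no secrets and must be readable
    # by the services that consult it, hence 0644.
    files.append(core.config['system.mapfile'],
                 '"%s" %s\n' % (core.config['user.cert_subject'], password_entry.pw_name),
                 owner='user')
    core.state['system.wrote_mapfile'] = True
    os.chmod(core.config['system.mapfile'], 0o644)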
def test_003_setup_grid_mapfile(self):
    """Map the RSV certificate's subject DN to the local 'rsv' account.

    Skips unless rsv is installed; otherwise appends '"<DN>" rsv' to the grid
    mapfile at core.config['system.mapfile'], tagging the line with
    owner='rsv'.  The DN is read from core.config['rsv.certfile'].
    """
    core.skip_ok_unless_installed('rsv')

    # Register the cert in the gridmap file
    subject_dn, _ = cagen.certificate_info(core.config['rsv.certfile'])
    mapfile_line = '"%s" rsv\n' % subject_dn
    files.append(core.config['system.mapfile'], mapfile_line, owner='rsv')
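class TestUser(osgunittest.OSGTestCase):
    """Create the test account and register its certificate in the grid mapfile.

    Fix: the original used Python-2-only syntax (`except KeyError, e`, octal
    literals `0755`/`0644`); it now uses `except KeyError:` and `0o755`/`0o644`,
    which run on 2.6+ and 3.  The unused exception binding is dropped.
    """

    def test_01_add_user(self):
        """Create the test user account and its user certificate.

        Skipped unless core.options.adduser is set, and when the account
        already exists.  Creates core.config['user.home'] if missing, runs
        useradd with a random (pre-encrypted) password and /bin/sh, chowns the
        resulting home to the new user and makes it 0755, then has the test
        CA issue ~/.globus/usercert.pem unless one already exists.  What was
        created is recorded in core.state['general.user_added'] and
        core.state['general.user_cert_created'].
        """
        core.state['general.user_added'] = False
        core.state['general.user_cert_created'] = False

        # Bail out if this step is not needed
        if not core.options.adduser:
            core.skip('not requested')
            return
        try:
            pwd.getpwnam(core.options.username)
        except KeyError:
            pass  # expected
        else:
            core.skip('user exists')
            return

        # Add
        # NOTE(review): this path is given to useradd as --base-dir, i.e. the
        # parent under which the account's home is created, despite the name.
        home_dir = core.config['user.home']
        if not os.path.isdir(home_dir):
            os.mkdir(home_dir)

        # SSH requires that the user have a password - even if password
        # auth is disabled. Set a random password for the vdttest user.
        # Only the encrypted form goes on the useradd command line (and so
        # into the process list), never the plaintext.
        password = encrypted_password(random_string(16))
        command = ('useradd', '--base-dir', home_dir, '--password', password,
                   '--shell', '/bin/sh', core.options.username)
        core.check_system(command, 'Add user %s' % core.options.username)
        core.state['general.user_added'] = True

        # Set up directories
        user = pwd.getpwnam(core.options.username)
        os.chown(user.pw_dir, user.pw_uid, user.pw_gid)
        os.chmod(user.pw_dir, 0o755)

        # Set up certificate
        globus_dir = os.path.join(user.pw_dir, '.globus')
        user_cert = os.path.join(globus_dir, 'usercert.pem')
        test_ca = CA.load(core.config['certs.test-ca'])
        if not os.path.exists(user_cert):
            test_ca.usercert(core.options.username, core.options.password)
            core.state['general.user_cert_created'] = True

    def test_02_user(self):
        """Check the test account is usable and map its certificate DN.

        Skipped when core.options.skiptests is set.  Fails when the account
        does not exist, has '/' as its home, or the home directory is
        missing.  Otherwise reads ~/.globus/usercert.pem, stores its subject
        and issuer in core.config['user.cert_subject'] /
        core.config['user.cert_issuer'], appends '"<DN>" <username>' to
        core.config['system.mapfile'] (owner tag 'user'), records
        core.state['system.wrote_mapfile'] = True and leaves the mapfile 0644.
        """
        core.state['system.wrote_mapfile'] = False
        if core.options.skiptests:
            core.skip('no user needed')
            return

        try:
            password_entry = pwd.getpwnam(core.options.username)
        except KeyError:
            self.fail("User '%s' should exist but does not" % core.options.username)

        self.assert_(
            password_entry.pw_dir != '/',
            "User '%s' has home directory at '/'" % (core.options.username))
        self.assert_(
            os.path.isdir(password_entry.pw_dir),
            "User '%s' missing a home directory at '%s'"
            % (core.options.username, password_entry.pw_dir))

        cert_path = os.path.join(password_entry.pw_dir, '.globus', 'usercert.pem')
        core.config['user.cert_subject'], core.config['user.cert_issuer'] = \
            certificate_info(cert_path)

        # Add user to mapfile.  The mapfile holds no secrets and must be
        # readable by the services that consult it, hence 0644.
        files.append(
            core.config['system.mapfile'],
            '"%s" %s\n' % (core.config['user.cert_subject'], password_entry.pw_name),
            owner='user')
        core.state['system.wrote_mapfile'] = True
        os.chmod(core.config['system.mapfile'], 0o644)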