CERN Accelerating science

"Re-"Authentication question

Hi SWANs :slightly_smiling_face:,

[not sure where exactly to post this, let me know … ]

In one of my notebooks, I need to use authenticate against another SSO service, so at present I’m using the “cern-get-sso-cookie” with the “–krb” option. To use that, I will have to open a swan-terminal first and do a 'kinit". So far, so good.

Other people (from outside CERN) who use a clone of that notebook say that they loose the token frequently during a session, so I’m wondering if there is another way to do this kind of “re-authorisation” – after all, the SWAN session and the notebook are already SSO authenticated.

So here is my question: is there a way to get access to “forward” the SSO authentication from SWAN to another, different, URL ? If SWAN would keep somewhere the krb token around, I could use that one, for example …

Thanks,
cheers, andreas

Hi Andreas,

When you start a SWAN session, we get you a “limited” kerberos ticket that allows you to access your CERNBox. We make sure that ticket is refreshed as long as your session is alive. Recently, we have also added the capability to submit to Spark clusters without retyping your password, but that is it I’m afraid.

The SWAN users you mention, they say they lose frequently the token they created with cern-get-sso-cookie. How often is frequently in this case? Do they lose it even without restarting their SWAN session?

Cheers,
Enric

Hi Enric,
Thanks for your fast reply !

I quote here from a mail I got today: “It was so severe yesterday that we connected probably only a few times in 2 hours! It was just painful.” I’m not sure if they got disconnected and ended up on a different node after re-connecting, will try to see if I can get that info.

Could you please let me know where the “limited” ticket is stored ? As far as I understand it, the cern-get-sso-cookie looks in the usual /tmp/krb_XXXX location, so if I could simply copy the limited ticket over to there and re-use it (assuming it would be “good enough”, that would be good. :smiley:

Thanks,
cheers, andreas

Hi Andreas,

The kerberos ticket is not visible from inside your container (session). But even if it were visible, it is no use for any service that is not CERNBox anyway.

Just a few comments about losing the tickets:

  • If a SWAN user keeps working on their session, the ticket they generated with cern-get-sso-cookie should be there and usable until it expires. We garbage collect user sessions after 6 hours of inactivity.
  • If a SWAN user connects to a different SWAN machine and opens a new session, it is expected that no ticket will be available there since a new container is created for them. Note that this would not happen if the user created the ticket on their CERNBox space (instead of in the container): they would just need to point to it from the second session.

Cheers,
Enric

Hi Enric,

I got more info from the user, which is confusing to me … just after starting SWAN, he does a kinit in the SWAN terminal, then klist which shows the token, still the cern-get-sso-cookie fails and prompts with the SSO login page. Do you want me to continue the discussion with the details here or do you prefer a SNOW ticket ?

Thanks,
cheers, andreas

Hi Andreas,

You can continue here, this might be useful for other people in the future.

I would need to know the exact sequence of commands that the user runs. Does the same think not happen on lxplus, for instance?

Hi Enric,

OK, fine with me ! :slight_smile:

I just got a short screenshot movie from the user, you can find it in [1] below. The issue seems that the cern-get-sso-cookie does not recognise/use/… the krb token created by kinit in the clone of the shared project, while it does work in my original project area.

The sequence is to setup SWAN for the 95a_Python3 environment, then start the terminal, do kinit there, provide the pwd, check with klist, then open the cloned project [2], run the cells of the script and see that in cell 5 the authentication fails. The “dump” of the result page from cern-get-sso-cookie shows the standard CERN SSO login page [3].

The user can login on the application (in a different location) which is used for the cern-get-sso-cookie …

Let me know if you have any idea.

Thanks,
cheers, andreas

[1] https://cernbox.cern.ch/index.php/s/vY3RrwDCHAHzwNs
[2] in my CERNbox: SWAN_Projects/iCMS-statistics – I’ve added you to the people who can see it.
[3] https://cernbox.cern.ch/index.php/s/FGDd8fwPUPkWGny

Hi Andreas,

So in your user account the whole sequence works perfectly, but not in the account of this user? The creation of the kerberos ticket is not related in any way with the SWAN projects, so that is not the reason.

Could the user try to do a similar sequence of steps from lxplus?

Something else I was thinking of was trying to create an SLC6 session instead of CC7 and see what happens. But if you say it works for your user in CC7, it must be something else.

Enric