Merge pull request #121 from opensciencegrid/cms-x509less

matyasselmeci · web-flow · commit 4abe013dea5a · 2026-02-13T19:15:42.000-06:00
adding first version of x509less cmsxcache
diff --git a/Dockerfile b/Dockerfile
@@ -116,6 +116,8 @@ RUN chmod 0644 /etc/cron.d/*
 COPY cms-xcache/image-config.d/* /etc/osg/image-init.d/
 COPY cms-xcache/xcache-consistency-check-wrapper.sh /usr/bin/xcache-consistency-check-wrapper.sh
 COPY cms-xcache/rsyslog-cms-xcache.conf /etc/rsyslog.d/cms-xcache.conf
+COPY cms-xcache/sbin/* /usr/local/sbin/
+RUN chmod 0544 /usr/local/sbin/fetch_scitoken.sh
 
 RUN mkdir -p /var/log/xrootd/cms-xcache && \
     touch    /var/log/xrootd/cms-xcache/xrootd.log && \
diff --git a/cms-xcache/cron.d/fetch-scitoken b/cms-xcache/cron.d/fetch-scitoken
@@ -0,0 +1,2 @@
+@reboot root /usr/local/sbin/fetch_scitoken.sh &>> /tmp/fetch-cms-scitoken.cron.log
+0 */6 * * * root /usr/local/sbin/fetch_scitoken.sh &>> /tmp/fetch-cms-scitoken.cron.log
diff --git a/cms-xcache/sbin/fetch_scitoken.sh b/cms-xcache/sbin/fetch_scitoken.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+if [ -f  /etc/grid-security/fetch_scitoken_secret ]; then
+  USER=`cat /etc/grid-security/fetch_scitoken_secret |  awk -F ":" '{print $1}'`
+  PASS=`cat /etc/grid-security/fetch_scitoken_secret |  awk -F ":" '{print $2}'`
+
+  if [[ -z "$USER" || -z "$PASS" ]]; then
+    echo "Wrong format in secret file"
+    exit 1
+  fi
+
+  curl -s --user $USER:$PASS -d grant_type=client_credentials -d scope="storage.read:/" https://cms-auth.cern.ch/token \
+    | python3 -c 'import sys,json; print(json.loads(sys.stdin.read())["access_token"])' > /tmp/jwt_xrdcache
+
+  if [ $? -ne 0 ]; then
+    echo "Failed to retrieve token"
+    exit 2
+  fi
+
+  chown xrootd: /tmp/jwt_xrdcache
+  chmod 600 /tmp/jwt_xrdcache
+
+else
+  echo "Secret file not found"
+fi
diff --git a/cms-xcache/supervisord.d/10-cms-xcache.conf b/cms-xcache/supervisord.d/10-cms-xcache.conf
@@ -2,5 +2,5 @@
 command=xrootd -c /etc/xrootd/xrootd-cms-xcache.cfg -k fifo -n cms-xcache -k %(ENV_XC_NUM_LOGROTATE)s -s /var/run/xrootd/xrootd-cms-xcache.pid -l /var/log/xrootd/xrootd.log
 user=xrootd
 autorestart=true
-environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10
+environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10,BEARER_TOKEN_FILE=/tmp/jwt_xrdcache,XrdSecPROTOCOL="ztn"
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+@reboot root /usr/local/sbin/fetch_scitoken.sh &>> /tmp/fetch-cms-scitoken.cron.log`
	`2`	`+0 /6 * * root /usr/local/sbin/fetch_scitoken.sh &>> /tmp/fetch-cms-scitoken.cron.log`