Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

htcondorcern: pass Kerberos secrets to Singularity unpacked image jobs #382

Open
tiborsimko opened this issue Jan 16, 2023 · 0 comments · May be fixed by #354
Open

htcondorcern: pass Kerberos secrets to Singularity unpacked image jobs #382

tiborsimko opened this issue Jan 16, 2023 · 0 comments · May be fixed by #354

Comments

@tiborsimko
Copy link
Member

Currently, REANA does not sent Kerberos credentials when it dispatches jobs to the CERN HTCondor compute backend for running Singularity unpacked image jobs.

For example, the following open data example accessing public files works:

inputs:
  files:
    - reana.yaml
workflow:
  type: serial
  specification:
    steps:
      - name: list
        environment: /cvmfs/singularity.opensciencegrid.org/opensciencegrid/osgvo-el7:latest
        unpacked_image: true
        compute_backend: htcondorcern
        htcondor_max_runtime: espresso
        kerberos: true
        commands:
          - xrdfs root://eospublic.cern.ch ls -l /eos/opendata/cms/Run2010B/BTau/AOD/Apr21ReReco-v1/0001/
outputs:
  files:
    - output.txt

However, accessing restricted files in the similar way fails due to inaccessible Kerberos credentials.

When creating HTCondor job specification, we'd need to pass along the credentials:

sub['MY.SendCredential'] = True

that also need to be mounted into the singularity call.

Note that we may need to upgrade the HTCondor submission API on the REANA side for this to work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant