schrodinger.job.cert module

Provide an interface for generating user certificates for job server. Wraps ‘$SCHRODINGER/jsc cert’ commands to create a single entrypoint. The $SCHRODINGER environment variable is assumed to be an unescaped path.

Authentication can occur in two ways:

  1. Using LDAP.
In this case, the ‘jsc ldap-get’ command communicates the username and password to the job server using a gRPC method and saves the user certificate. The LDAP password can be submitted to the command either through an interactive commandline prompt or through piped stdin.
  1. Using a Unix socket.
In this case, the user must be on the server host to get a user certificate. The flow is as follows:
  1. The ‘jsc get-auth-socket-path’ command gets the path of the Unix socket from the server using a gRPC method.
  2. We then ssh to the server host and send a request over that Unix socket to retrieve a user certificate.
    (If the user is already on the same server host, we can skip ssh).
  3. That certificate is communicated back to the client machine over ssh, where a separate jsc command saves it.
exception schrodinger.job.cert.DisabledSocketAuthException

Bases: Exception

__init__

Initialize self. See help(type(self)) for accurate signature.

args
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception schrodinger.job.cert.LDAPAuthenticationException

Bases: Exception

__init__

Initialize self. See help(type(self)) for accurate signature.

args
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception schrodinger.job.cert.BadLDAPInputException

Bases: Exception

__init__

Initialize self. See help(type(self)) for accurate signature.

args
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

schrodinger.job.cert.get_cert_with_ldap(schrodinger, address, user, ldap_password=None)

Generates a user certificate job server at the given address. Wraps ‘$SCHRODINGER/jsc cert ldap-get –user [user] [address]’

Parameters:
  • schrodinger (str) – $SCHRODINGER environment variable for the current system
  • address (str) – Server Address of the job server to authenticate with
  • user (str) – Username to authenticate as. This must be the same as the username that will be used to submit jobs to the job server.
  • ldap_password (str) – LDAP password for the given username. If left blank, the LDAP password will be requested in a terminal prompt.
Returns:

True if the function succeeds, otherwise raises an appropriate error

Return type:

bool

Raises:

BADLDAPInputException if ldap_password is left blank and sys.stdin is not a tty

Raises:

LDAPAuthenticationException if the authentication fails

schrodinger.job.cert.get_cert_with_socket_auth(schrodinger, hostname, port, user, ssh_password=None, host_for_schrodinger=None)

Generate a user certificate for job server using socket authentication through SSH.

Parameters:
  • schrodinger (str) – $SCHRODINGER environment variable, path to schrodinger suite
  • hostname (str) – hostname for the job server to authenticate wtih
  • port (int, str) – port for the job server to authenticate with; can be either an int or a str representation of an int
  • user (str) – user for which to generate certificate, used as remote user for ssh if required.
  • ssh_password (str) – the SSH password for the given user. If None, the SSH password will be requested via a terminal prompt unless passwordless SSH is configured.
  • host_for_schrodinger (str) – host entry from schrodinger.hosts from which to retrieve schrodinger value (e.g. bolt_cpu)
Returns:

True if a certificate is generated, otherwise an appropriate error.

Return type:

bool

Raises:

DisabledSocketAuthException if socket authentication is not enabled on the job server

Raises:

paramiko.ssh_exception.AuthenticationException if an SSH connection could not be established. This could be because of an incorrect password, or because an existing SSH configuration was found without passwordless authentication to the specified remote hosts.

Raises:

paramiko.ssh_exception.SSHException if an SSH connection could not be established. This could be because no existing SSH configuration was found while no ssh_password was given.

Raises:

RuntimeError for any other failure

schrodinger.job.cert.get_cert(hostname, port, user, schrodinger=None, host_for_schrodinger=None, ssh_password=None, ldap_password=None)

Entrypoint to generate a user certificate for the requested server. Try to use unix socket authentication via SSH to authenticate with the job server. If that fails, try LDAP to authenticate.

Parameters:
  • hostname (str) – hostname for the job server to authenticate wtih
  • port (int, str) – port for the job server to authenticate with; can be either an int or a str representation of an int
  • user (str) – user for which to generate certificate, used as remote user for ssh if required.
  • schrodinger (str) – $SCHRODINGER environment variable, path to schrodinger suite. If None, the current system’s $SCHRODINGER environment variable will be used.
  • host_for_schrodinger (str) – host entry from schrodinger.hosts from which to retrieve schrodinger value (e.g. bolt_cpu)
  • ssh_password (str) – the SSH password for the given user. If None, the SSH password will be requested via a terminal prompt unless passwordless SSH is configured.
  • ldap_password (str) – LDAP password for the given username. If left blank, the LDAP password will be requested in a terminal prompt.
Returns:

None. Raises an exception if any problems are encountered.

Raises:

BADLDAPInputException if ldap_password is left blank and sys.stdin is not a tty

Raises:

LDAPAuthenticationException if the authentication fails

Raises:

RuntimeError for any other failure

schrodinger.job.cert.has_cert_for_server(address, schrodinger=None)

Check if the current user already has an existing cert for the given job server.

Parameters:address (str) – Address of the Job Server
Returns:True if cert exists, False if not
Return type:bool
schrodinger.job.cert.configured_servers()

Check to see if the SCHRODINGER install has default job servers configured.

Returns:a set of server addresses
Return type:set of str
schrodinger.job.cert.servers_without_registration()

Check to see if the current user is missing registration for default job servers.

Returns:a list of server address that are lacking registration.
Return type:list of str
schrodinger.job.cert.hostname_and_port(addr)

Get the hostname and port of the provided address. If no port is provided, return the default.

Returns:a tuple of address and port
Return type:(str, int)