schrodinger.job.cert module

Provide an interface for generating user certificates for job server. Wraps ‘$SCHRODINGER/jsc cert’ commands to create a single entrypoint. The $SCHRODINGER environment variable is assumed to be an unescaped path.

Authentication can occur in two ways:

  1. Using LDAP. In this case, the ‘jsc ldap-get’ command communicates the username and password to the job server using a gRPC method and saves the user certificate. The LDAP password can be submitted to the command either through an interactive commandline prompt or through piped stdin.

  2. Using a Unix socket. In this case, the user must be on the server host to get a user certificate. The flow is as follows:

    1. The ‘jsc get-auth-socket-path’ command gets the path of the Unix socket from the server using a gRPC method.

    2. We then ssh to the server host and send a request over that Unix socket to retrieve a user certificate. (If the user is already on the server host, the ssh step is skipped.)

    3. That certificate is communicated back to the client machine over ssh, where a separate jsc command saves it.

exception schrodinger.job.cert.AuthenticationException

Bases: Exception

__init__(*args, **kwargs)

Initialize self. See help(type(self)) for accurate signature.

args
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception schrodinger.job.cert.SocketAuthenticationException

Bases: Exception

__init__(*args, **kwargs)

Initialize self. See help(type(self)) for accurate signature.

args
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception schrodinger.job.cert.LDAPAuthenticationException

Bases: schrodinger.job.cert.AuthenticationException

__init__(*args, **kwargs)

Initialize self. See help(type(self)) for accurate signature.

args
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception schrodinger.job.cert.BadLDAPInputException

Bases: Exception

__init__(*args, **kwargs)

Initialize self. See help(type(self)) for accurate signature.

args
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

schrodinger.job.cert.get_cert_with_ldap(schrodinger, address, user, ldap_password=None)

Generates a user certificate for the job server at the given address. Wraps ‘$SCHRODINGER/jsc cert ldap-get --user [user] [address]’

Parameters
  • schrodinger (str) – $SCHRODINGER environment variable for the current system

  • address (str) – Server Address of the job server to authenticate with

  • user (str) – Username to authenticate as. This must be the same as the username that will be used to submit jobs to the job server.

  • ldap_password (str) – LDAP password for the given username. If None, the command is assumed to be in interactive mode.

Returns

True if authentication succeeds. False if authentication fails, or raises an exception if not in interactive mode.

Return type

bool

Raises

BadLDAPInputException if ldap_password is None and sys.stdin is not a tty

Raises

LDAPAuthenticationException if the authentication fails
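
The password handling described for get_cert_with_ldap, as an added sketch that is not the module's own source: the password travels over piped stdin and never appears on the command line, and a missing password with no tty fails before anything is run. The names MissingPasswordError, plan_password_input and run_ldap_get, the injected runner, and the newline-terminated stdin format are assumptions made for illustration.

```python
import os
import subprocess
import sys


class MissingPasswordError(Exception):
    """Hypothetical stand-in for the module's BadLDAPInputException."""


def ldap_get_argv(schrodinger, address, user):
    # Command line as documented above. Passing a list (no shell) means the
    # unescaped $SCHRODINGER path needs no quoting, and the password is kept
    # off argv, where other local users could read it from the process table.
    return [os.path.join(schrodinger, "jsc"), "cert", "ldap-get",
            "--user", user, address]


def plan_password_input(ldap_password, stdin_is_tty):
    """Return 'pipe' or 'prompt'; raise if neither is possible."""
    if ldap_password is not None:
        return "pipe"
    if stdin_is_tty:
        return "prompt"
    raise MissingPasswordError("no ldap_password given and stdin is not a tty")


def run_ldap_get(schrodinger, address, user, ldap_password=None,
                 runner=subprocess.run, stdin_is_tty=None):
    if stdin_is_tty is None:
        stdin_is_tty = sys.stdin.isatty()
    mode = plan_password_input(ldap_password, stdin_is_tty)
    argv = ldap_get_argv(schrodinger, address, user)
    if mode == "pipe":
        # Assumption: the command reads one newline-terminated line on stdin.
        proc = runner(argv, input=ldap_password + "\n", text=True,
                      capture_output=True)
    else:
        # Interactive: leave the terminal attached so the command can prompt.
        proc = runner(argv)
    return proc.returncode == 0
```
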

schrodinger.job.cert.get_cert_with_socket_auth(schrodinger: str, hostname: str, port: Union[int, str], user: str, socket_path: str, ssh_password: Optional[str] = None, host_for_schrodinger: Optional[str] = None)

Generate a user certificate for job server using socket authentication through SSH.

Parameters
  • schrodinger (str) – $SCHRODINGER environment variable, path to schrodinger suite

  • hostname (str) – hostname for the job server to authenticate with

  • port (int, str) – port for the job server to authenticate with; can be either an int or a str representation of an int

  • user (str) – user for which to generate certificate, used as remote user for ssh if required.

  • socket_path – the path on the server where the auth socket is located

  • ssh_password (str) – the SSH password for the given user. If None, the SSH password will be requested via a terminal prompt unless passwordless SSH is configured.

  • host_for_schrodinger (str) – host entry from schrodinger.hosts from which to retrieve schrodinger value (e.g. bolt_cpu)

Returns

True if a certificate is generated, otherwise an appropriate error.

Return type

bool

Raises

paramiko.ssh_exception.AuthenticationException if an SSH connection could not be established. This could be because of an incorrect password, or because an existing SSH configuration was found without passwordless authentication to the specified remote hosts.

Raises

paramiko.ssh_exception.SSHException if an SSH connection could not be established. This could be because no existing SSH configuration was found while no ssh_password was given.

Raises

RuntimeError for any other failure

schrodinger.job.cert.get_cert(hostname: str, port: Union[int, str], user: str, schrodinger: Optional[str] = None, host_for_schrodinger: Optional[str] = None, ssh_password: Optional[str] = None, ldap_password: Optional[str] = None)

Entrypoint to generate a user certificate for the requested server.

A server can have one or both of unix socket authentication and LDAP authentication.

Attempts unix socket authentication if enabled, otherwise falls back to LDAP authentication.

Parameters
  • hostname – hostname for the job server to authenticate with

  • port – port for the job server to authenticate with

  • user – user for which to generate certificate, used as remote user for ssh if required.

  • schrodinger – $SCHRODINGER environment variable, path to schrodinger suite. If None, the current system’s $SCHRODINGER environment variable will be used.

  • host_for_schrodinger – host entry from schrodinger.hosts from which to retrieve schrodinger value (e.g. bolt_cpu)

  • ssh_password – the SSH password for the given user. If None, the SSH password will be requested via a terminal prompt unless passwordless SSH is configured.

  • ldap_password – LDAP password for the given username. If left blank, the LDAP password will be requested in a terminal prompt.

Returns

hostname of the registered job server upon success

Raises

BadLDAPInputException if ldap_password is left blank and sys.stdin is not a tty

Raises

AuthenticationException if the authentication fails

Raises

RuntimeError for any other failure

schrodinger.job.cert.validate_server_for_auth(serverInfo: schrodinger.job.server.ServerInfo) → bool

Validates that it is possible to authenticate with the server. Otherwise, raises an error.

Returns

bool indicating if the server’s certificate hostname is known.

Raises

RuntimeError, AuthenticationException

schrodinger.job.cert.has_cert_for_server(address, schrodinger=None)

Check if the current user already has an existing cert for the given job server.

Parameters

address (str) – Address of the Job Server

Returns

True if cert exists, False if not

Return type

bool

schrodinger.job.cert.verify_cert(address: str, schrodinger: Optional[str] = None)

Verify that an rpc can be made using a TLS gRPC connection to the jobserver at the given address.

schrodinger.job.cert.configured_servers()

Check to see if the SCHRODINGER install has default job servers configured.

Returns

a set of server addresses

Return type

set of str

schrodinger.job.cert.servers_without_registration() → Set[str]

Check to see if the current user is missing registration for default job servers.

Returns

a set of server addresses that are lacking registration.

schrodinger.job.cert.hostname_and_port(addr)

Get the hostname and port of the provided address. If no port is provided, return the default.

Returns

a tuple of address and port

Return type

(str, int)

schrodinger.job.cert.join_host_port(hostname: str, port: Union[str, int]) → str

Join a hostname and port into a network address. Taken from the Go implementation of net.JoinHostPort.
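
The joining rule that Go's net.JoinHostPort documents (a host containing a colon, as in an IPv6 literal, is wrapped in brackets), shown with a matching splitter as an added example that is not the module's own source. The names join_addr and split_addr are hypothetical, and default_port is a caller-supplied placeholder because this page does not state the module's default.

```python
def join_addr(hostname, port):
    # A colon in the host means an IPv6 literal; bracket it so the final
    # ":port" cannot be confused with part of the address.
    if ":" in hostname:
        return f"[{hostname}]:{port}"
    return f"{hostname}:{port}"


def split_addr(addr, default_port):
    """Split 'host[:port]' or '[v6][:port]' into (host, int port)."""
    if addr.startswith("["):
        end = addr.find("]")
        if end == -1:
            raise ValueError("missing ']' in address")
        host, rest = addr[1:end], addr[end + 1:]
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError("unexpected text after ']'")
        port = rest[1:]
    elif addr.count(":") == 0:
        return addr, default_port
    elif addr.count(":") == 1:
        host, port = addr.split(":")
    else:
        # Unbracketed IPv6: impossible to tell the port from the last group.
        raise ValueError("ambiguous address; bracket IPv6 literals")
    if not (port.isascii() and port.isdigit()) or not 0 < int(port) <= 65535:
        raise ValueError("invalid port")
    return host, int(port)
```
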