| 1 | +.. _pilots-with-tokens: |
| 2 | + |
| 3 | +===================================== |
| 4 | +Submitting pilots to CEs using tokens |
| 5 | +===================================== |
| 6 | + |
| 7 | + |
| 8 | +This guide outlines the process of setting up DIRAC to submit pilots using access tokens obtained via a ``client_credentials`` flow from a token provider. |
| 9 | + |
| 10 | +Setting up an ``IdProvider`` |
| 11 | +---------------------------- |
| 12 | + |
| 13 | +- Set up an OAuth2 client in the token provider and obtain a ``client_id`` and a ``client_secret``. |
| 14 | + |
| 15 | + .. warning:: The client credentials obtained are confidential, store them in a secure place. |
| 16 | + Any malicious user able to get access to them would be able to generate access tokens on your behalf. |
| 17 | + To avoid any major issue, we recommend you to only grant essential privileges to the client (``compute`` scopes). |
| 18 | + |
| 19 | +- Add the client credentials in the ``dirac.cfg`` of the relevant server configuration such as: |
| 20 | + |
| 21 | + .. code-block:: guess |
| 22 | +
|
| 23 | + Resources |
| 24 | + { |
| 25 | + IdProviders |
| 26 | + { |
| 27 | + <IdProvider name> |
| 28 | + { |
| 29 | + client_id = <client_id> |
| 30 | + client_secret = <client_secret> |
| 31 | + } |
| 32 | + } |
| 33 | + } |
| 34 | +
|
| 35 | +- Then in your global configuration, add the following section to set up an ``IdProvider`` interface: |
| 36 | + |
| 37 | + .. code-block:: guess |
| 38 | +
|
| 39 | + Resources |
| 40 | + { |
| 41 | + IdProviders |
| 42 | + { |
| 43 | + <IdProvider name> |
| 44 | + { |
| 45 | + issuer = <OIDC provider issuer URL> |
| 46 | + } |
| 47 | + } |
| 48 | + } |
| 49 | +
|
| 50 | +- Finally, connect the OIDC provider to a specific VO by adding the following option: |
| 51 | + |
| 52 | + .. code-block:: guess |
| 53 | +
|
| 54 | + Registry |
| 55 | + { |
| 56 | + VO |
| 57 | + { |
| 58 | + <VO name> |
| 59 | + { |
| 60 | + IdProvider = <IdProvider name> |
| 61 | + } |
| 62 | + } |
| 63 | + } |
| 64 | +
|
| 65 | +.. note:: Get more details about the DIRAC configuration from the :ref:`Configuration <dirac-configuration>` section. |
| 66 | + |
| 67 | +Launching the ``TokenManagerHandler`` |
| 68 | +------------------------------------- |
| 69 | + |
| 70 | +Run the following commands from a DIRAC client to install the ``Framework/TokenManager`` Tornado service: |
| 71 | + |
| 72 | +.. code-block:: console |
| 73 | +
|
| 74 | + $ dirac-proxy-init -g dirac_admin |
| 75 | +
|
| 76 | + $ dirac-admin-sysadmin-cli --host <dirac host> |
| 77 | +
|
| 78 | + > install service Framework TokenManager |
| 79 | +
|
| 80 | +.. note:: ``Tornado`` and then ``TokenManager`` might need to be restarted. |
| 81 | +.. note:: Get more details about the system administrator interface from the :ref:`System Administrator Interface <system-admin-console>` section. |
| 82 | + |
| 83 | +Marking computing resources and VOs as token-ready |
| 84 | +-------------------------------------------------- |
| 85 | + |
| 86 | +To specify that a given VO is ready to use tokens on a given CE, add the ``Tag = Token:<VO>`` option within the CE section, and then restart the ``Site Directors``. |
| 87 | +Once all your VOs are ready to use tokens, just specify ``Tag = Token``. |
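Review bot: the two ``.. note::`` directives that close the "Launching the ``TokenManagerHandler``" section are not separated by a blank line, so docutils will report "Explicit markup ends without a blank line; unexpected unindent" on the second one and the rendered output may run the notes together; insert a blank line between ``.. note:: ``Tornado`` and then ``TokenManager`` might need to be restarted.`` and ``.. note:: Get more details about the system administrator interface ...``. The same note would read better if it said when the restart is needed (for example, after ``install service Framework TokenManager`` so the new handler is picked up) rather than "might need to be restarted". In the warning about client credentials, "we recommend you to only grant essential privileges" should read "we recommend that you grant only the essential privileges", and since the warning already states the credentials are confidential, it is worth adding that the ``dirac.cfg`` file holding ``client_secret`` should be readable only by the account running the DIRAC services, as the first code block shows the secret stored in plain text there.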