TWiki>
LCG Web>WebPreferences>WLCGAuthorizationWG>WLCGvoTokenUsageExamples (2023-10-29, MaartenLitmaath)
EditAttachPDF
LCG Web>WebPreferences>WLCGAuthorizationWG>WLCGvoTokenUsageExamples (2023-10-29, MaartenLitmaath) EditAttachPDFWLCG VO token usage examples
On this page we spell out how to getSciTokens from the WLCG VO
that can be used for development and tests.
To register in the WLCG VO, follow the instructions on its login page:
Then, on the client host as root:
---------------------------------------------------------------------- yum install https://github.com/indigo-dc/oidc-agent/releases/download/v3.3.1/oidc-agent-3.3.1-1.el7.x86_64.rpm yum install https://repo.opensciencegrid.org/osg/3.6/el7/release/x86_64/htgettoken-1.11-1.osg36.el7.x86_64.rpm ----------------------------------------------------------------------Newer versions of
oidc-agent are available
from GitHub
,
while the newest releases are only available from repo.data.kit.edu. The latest version tested with these examples was
4.5.1 so far. NOTE: installing
oidc-agent-cli is sufficient for simple (e.g. non-interactive) CLI use cases!
As an unprivileged user:
---------------------------------------------------------------------- (umask 077; oidc-agent > oidc-env.sh) source oidc-env.sh (umask 077; uuidgen > oidc-pw.txt) (umask 077; oidc-gen --pw-cmd="cat $PWD/oidc-pw.txt" -w device wlcg) ----------------------------------------------------------------------Follow the instructions... If all went well, a token can be acquired and examined as follows:
---------------------------------------------------------------------- (umask 077; oidc-token -t 3500 wlcg > /tmp/wlcg-token) httokendecode -H /tmp/wlcg-token ----------------------------------------------------------------------One can restrict the scopes and audiences like this:
---------------------------------------------------------------------- (umask 077; oidc-token -s compute.create -s compute.read -s compute.cancel -s compute.modify \ --aud 'target-ce-1.domain:9619 target-ce-2.somewhere:9619 .....' -t 3500 wlcg > /tmp/wlcg-token) ----------------------------------------------------------------------An environment variable can be used for convenience:
---------------------------------------------------------------------- export BEARER_TOKEN_FILE=/tmp/wlcg-token httokendecode -H ----------------------------------------------------------------------NOTE: for the WLCG VO, the token has a maximum lifetime of 1 hour,
which also is the value used whenever a new token needs to be acquired,
viz. when the lifetime of the most recently acquired token is lower than
the minimum lifetime requested in the
oidc-token command.
Get the token subject string as follows:
----------------------------------------------------------------------
httokendecode -H /tmp/wlcg-token | awk '$1 ~ /sub/ { print $2 }' | tr -d \",
----------------------------------------------------------------------
On an HTCondor CE that should accept jobs submitted with these tokens, it must be added to a mapfile under
/etc/condor-ce/mapfiles.d e.g. like this (replace the example UUID with the token subject; the target account must exist):
---------------------------------------------------------------------- # cat /etc/condor-ce/mapfiles.d/11-scitokens.conf SCITOKENS /^https:\/\/wlcg\.cloud\.cnaf\.infn\.it\/,8c3c01a9-ee96-4f6e-989c-ad1e279244ae$/ wlcg001 ----------------------------------------------------------------------On the next login, presuming the
oidc-agent is still running:
---------------------------------------------------------------------- source oidc-env.sh ps -p $OIDCD_PID -o command= | grep -q oidc-agent && echo Running || echo Not running ----------------------------------------------------------------------If the original
oidc-agent is no longer running
(and presuming $PWD is the same as before):
---------------------------------------------------------------------- (umask 077; oidc-agent > oidc-env.sh) source oidc-env.sh oidc-add --pw-cmd="cat $PWD/oidc-pw.txt" wlcg ----------------------------------------------------------------------Then tokens can again be acquired as before:
---------------------------------------------------------------------- (umask 077; oidc-token -t 3500 wlcg > /tmp/wlcg-token) export BEARER_TOKEN_FILE=/tmp/wlcg-token httokendecode -H ----------------------------------------------------------------------
Topic revision: r7 - 2023-10-29 - MaartenLitmaath
LCG Wikis
- ABATBEA
- ACPP
- ADCgroup
- AEGIS
- AfricaMap
- AgileInfrastructure
- ALICE
- AliceEbyE
- AliceSPD
- AliceSSD
- AliceTOF
- AliFemto
- ALPHA
- Altair
- ArdaGrid
- ASACUSA
- AthenaFCalTBAna
- Atlas
- AtlasLBNL
- AXIALPET
- CAE
- CALICE
- CDS
- CENF
- CERNSearch
- CLIC
- Cloud
- CloudServices
- CMS
- Controls
- CTA
- CvmFS
- DB
- DefaultWeb
- DESgroup
- DPHEP
- DM-LHC
- DSSGroup
- EGEE
- EgeePtf
- ELFms
- EMI
- ETICS
- FIOgroup
- FlukaTeam
- Frontier
- Gaudi
- GeneratorServices
- GuidesInfo
- HardwareLabs
- HCC
- HEPIX
- ILCBDSColl
- ILCTPC
- IMWG
- Inspire
- IPv6
- IT
- ItCommTeam
- ITCoord
- ITdeptTechForum
- ITDRP
- ITGT
- ITSDC
- LAr
- LCG
- LCGAAWorkbook
- Leade
- LHCAccess
- LHCAtHome
- LHCb
- LHCgas
- LHCONE
- LHCOPN
- LinuxSupport
- Main
- Medipix
- Messaging
- MPGD
- NA49
- NA61
- NA62
- NTOF
- Openlab
- PDBService
- Persistency
- PESgroup
- Plugins
- PSAccess
- PSBUpgrade
- R2Eproject
- RCTF
- RD42
- RFCond12
- RFLowLevel
- ROXIE
- Sandbox
- SocialActivities
- SPI
- SRMDev
- SSM
- Student
- SuperComputing
- Support
- SwfCatalogue
- TMVA
- TOTEM
- TWiki
- UNOSAT
- Virtualization
- VOBox
- WITCH
- XTCA
 |
|
Copyright &© 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback