WLCG VO token usage examples
On this page we spell out how to get SciTokens from the WLCG VO that can be used for development and tests.
To register in the WLCG VO, follow the instructions on its login page:
Then, on the client host as root:
----------------------------------------------------------------------
yum install https://github.com/indigo-dc/oidc-agent/releases/download/v3.3.1/oidc-agent-3.3.1-1.el7.x86_64.rpm
yum install https://repo.opensciencegrid.org/osg/3.6/el7/release/x86_64/htgettoken-1.11-1.osg36.el7.x86_64.rpm
----------------------------------------------------------------------
Newer versions of oidc-agent are available from GitHub, while the newest releases are only available from repo.data.kit.edu. The latest version tested with these examples was 4.5.1 so far.
NOTE: installing oidc-agent-cli is sufficient for simple (e.g. non-interactive) CLI use cases!
As an unprivileged user:
----------------------------------------------------------------------
(umask 077; oidc-agent > oidc-env.sh)
source oidc-env.sh
(umask 077; uuidgen > oidc-pw.txt)
(umask 077; oidc-gen --pw-cmd="cat $PWD/oidc-pw.txt" -w device wlcg)
----------------------------------------------------------------------
Follow the instructions... If all went well, a token can be acquired and examined as follows:
----------------------------------------------------------------------
(umask 077; oidc-token -t 3500 wlcg > /tmp/wlcg-token)
httokendecode -H /tmp/wlcg-token
----------------------------------------------------------------------
One can restrict the scopes and audiences like this:
----------------------------------------------------------------------
(umask 077; oidc-token -s compute.create -s compute.read -s compute.cancel -s compute.modify \
--aud 'target-ce-1.domain:9619 target-ce-2.somewhere:9619 .....' -t 3500 wlcg > /tmp/wlcg-token)
----------------------------------------------------------------------
An environment variable can be used for convenience:
----------------------------------------------------------------------
export BEARER_TOKEN_FILE=/tmp/wlcg-token
httokendecode -H
----------------------------------------------------------------------
NOTE: for the WLCG VO, the token has a maximum lifetime of 1 hour, which also is the value used whenever a new token needs to be acquired, viz. when the lifetime of the most recently acquired token is lower than the minimum lifetime requested in the oidc-token command.
Get the token subject string as follows:
----------------------------------------------------------------------
httokendecode -H /tmp/wlcg-token | awk '$1 ~ /sub/ { print $2 }' | tr -d \",
----------------------------------------------------------------------
On an HTCondor CE that should accept jobs submitted with these tokens, the token subject must be added to a mapfile under /etc/condor-ce/mapfiles.d, e.g. like this (replace the example UUID with the token subject; the target account must exist):
----------------------------------------------------------------------
# cat /etc/condor-ce/mapfiles.d/11-scitokens.conf
SCITOKENS /^https:\/\/wlcg\.cloud\.cnaf\.infn\.it\/,8c3c01a9-ee96-4f6e-989c-ad1e279244ae$/ wlcg001
----------------------------------------------------------------------
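The token inspection above (httokendecode, the subject extraction) and the mapfile entry can be reproduced with coreutils only. The following is an added example, not part of the original page or of the oidc-agent/htgettoken tools: it base64url-decodes the JWT payload of a token file, applies the lifetime rule from the NOTE above (re-acquire when the remaining lifetime drops below the minimum passed to oidc-token -t), and derives the SCITOKENS mapfile line from the token's iss and sub claims. The sample token is constructed and unsigned; only the UUID is taken from the page.

```shell
#!/bin/bash
# Added example (not from the original page): inspect a token file written by
# "oidc-token ... > /tmp/wlcg-token" with coreutils only, and derive the
# HTCondor-CE mapfile entry from its issuer and subject.
# base64url (RFC 7515) -> padded base64 -> decoded bytes.
b64url_decode() {
    local s=${1//-/+}; s=${s//_//}
    case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
    printf '%s' "$s" | base64 -d
}

# Print the JSON payload (second dot-separated part) of the JWT in FILE.
jwt_payload() {
    local tok; tok=$(tr -d '[:space:]' < "$1")
    tok=${tok#*.}; b64url_decode "${tok%%.*}"
}

# Print one top-level string or number claim. Usage: token_claim CLAIM FILE
token_claim() {
    jwt_payload "$2" | tr -d '\n' |
        sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Seconds left until "exp" at epoch time NOW. Usage: token_remaining_seconds FILE NOW
token_remaining_seconds() {
    echo $(( $(token_claim exp "$1") - $2 ))
}

# Exit 0 when the token should be re-acquired: remaining lifetime below the
# minimum MIN that "oidc-token -t MIN" asks for. Usage: token_needs_refresh FILE MIN NOW
token_needs_refresh() {
    [ "$(token_remaining_seconds "$1" "$3")" -lt "$2" ]
}

# SCITOKENS mapfile line for this token's issuer+subject -> ACCOUNT; "." and "/"
# in the issuer are escaped for the mapfile regex. Usage: mapfile_entry FILE ACCOUNT
mapfile_entry() {
    local iss; iss=$(token_claim iss "$1" | sed 's#[./]#\\&#g')
    printf 'SCITOKENS /^%s,%s$/ %s\n' "$iss" "$(token_claim sub "$1")" "$2"
}

# Constructed, unsigned sample token with WLCG-like claims (the UUID is the page's).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_PAYLOAD='{"iss":"https://wlcg.cloud.cnaf.infn.it/","sub":"8c3c01a9-ee96-4f6e-989c-ad1e279244ae","aud":"target-ce-1.domain:9619","exp":1700003600,"scope":"compute.read compute.create"}'
SAMPLE_TOKEN_FILE=$(mktemp); trap 'rm -f "$SAMPLE_TOKEN_FILE"' EXIT
printf '%s.%s.%s\n' "$(b64url_encode '{"alg":"RS256","typ":"JWT"}')" \
    "$(b64url_encode "$SAMPLE_PAYLOAD")" constructed-signature > "$SAMPLE_TOKEN_FILE"
mapfile_entry "$SAMPLE_TOKEN_FILE" wlcg001
token_needs_refresh "$SAMPLE_TOKEN_FILE" 3500 1700000200 && echo "refresh needed" || echo "token still valid"
```

Point the functions at /tmp/wlcg-token (or $BEARER_TOKEN_FILE) to inspect a real token; the signature is not verified here, which is the CE's job, not the client's.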
On the next login, presuming the oidc-agent is still running:
----------------------------------------------------------------------
source oidc-env.sh
ps -p $OIDCD_PID -o command= | grep -q oidc-agent && echo Running || echo Not running
----------------------------------------------------------------------
If the original oidc-agent is no longer running (and presuming $PWD is the same as before):
----------------------------------------------------------------------
(umask 077; oidc-agent > oidc-env.sh)
source oidc-env.sh
oidc-add --pw-cmd="cat $PWD/oidc-pw.txt" wlcg
----------------------------------------------------------------------
Then tokens can again be acquired as before:
----------------------------------------------------------------------
(umask 077; oidc-token -t 3500 wlcg > /tmp/wlcg-token)
export BEARER_TOKEN_FILE=/tmp/wlcg-token
httokendecode -H
----------------------------------------------------------------------