Submitting pilots to CEs using tokens
This guide outlines the process of setting up DIRAC to submit pilots using access tokens obtained via a client_credentials flow from a token provider.
Setting up an IdProvider
Set up an OAuth2 client in the token provider and obtain a
client_idand aclient_secret.Warning
The client credentials obtained are confidential, store them in a secure place. Any malicious user able to get access to them would be able to generate access tokens on your behalf. To avoid any major issue, we recommend you to only grant essential privileges to the client (
computescopes).Add the client credentials in the
dirac.cfgof the relevant server configuration such as:Resources { IdProviders { <IdProvider name> { client_id = <client_id> client_secret = <client_secret> } } }Then in your global configuration, add the following section to set up an
IdProviderinterface:Resources { IdProviders { <IdProvider name> { issuer = <OIDC provider issuer URL> } } }Finally, connect the OIDC provider to a specific VO by adding the following option:
Registry { VO { <VO name> { IdProvider = <IdProvider name> } } }
Note
Get more details about the DIRAC configuration from the Configuration section.
Launching the TokenManagerHandler
Run the following commands from a DIRAC client to install the Framework/TokenManager Tornado service:
$ dirac-proxy-init -g dirac_admin
$ dirac-admin-sysadmin-cli --host <dirac host>
> install service Framework TokenManager
Note
Tornado and then TokenManager might need to be restarted.
Note
Get more details about the system administrator interface from the System Administrator Interface section.
Marking computing resources and VOs as token-ready
To specify that a given VO is ready to use tokens on a given CE, add the Tag = Token:<VO> option within the CE section, and then restart the Site Directors.
Once all your VOs are ready to use tokens, just specify Tag = Token.