TokenManagerHandler

The TokenManager service is responsible for token management: storing, updating and requesting new tokens for DIRAC components that have the appropriate permissions.

TokenManager options
# Section to describe TokenManager system
TokenManager
{
  Port = 9181
  # Description of rules for access to methods
  Authorization
  {
    # Settings by default:
    Default = authenticated
    getUsersTokensInfo = ProxyManagement
  }
}

The most common use of this service is to obtain tokens with a certain scope, either to return to the user for their own purposes or to provide to a DIRAC service that performs asynchronous tasks on behalf of the user. This is the role of the export_getToken() method.

https://dirac.readthedocs.io/en/integration/_images/TokenManager_getToken.png (source https://github.com/TaykYoku/DIRACIMGS/raw/main/TokenManagerService_getToken.ai)

The client has a mechanism for caching the received tokens. This helps reduce the number of requests to both the service and the Identity Provider (IdP).

If the client has a valid access token in the cache, it is used until it expires. After that it must be refreshed. The client can refresh it on its own if the client_id and client_secret of the Identity Provider client are registered in the dirac.cfg of the host it runs on.

Otherwise, the client makes an RPC call to the TokenManager service, which takes the user's refresh token from TokenDB and makes the token exchange request to the Identity Provider.
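The cache and refresh decision described above, modelled in plain Python as an added example (this is not DIRAC's own client code). The names are assumptions: a token is a dict with "access_token" and "expires_at" (UNIX seconds), local_idp_client stands for the client_id/client_secret that dirac.cfg may register, and the two refresh callables stand in for the refresh grant at the IdP and for the RPC to the TokenManager service.

```python
"""Added example, not DIRAC's own code: client-side token cache with the
three refresh paths (cache hit, local refresh, RPC to the service).

Hypothetical names: token dicts with "access_token"/"expires_at",
local_idp_client for the dirac.cfg client credentials, and two callables
standing in for the IdP refresh grant and the TokenManager RPC.
"""
import time


class TokenCache:
    """Caches one access token per (user, group) and decides how to refresh it."""

    def __init__(self, refresh_locally, refresh_via_service, local_idp_client=None, now=time.time):
        self._cache = {}
        self._refresh_locally = refresh_locally          # refresh grant done by this client at the IdP
        self._refresh_via_service = refresh_via_service  # RPC to TokenManager (refresh token lives in TokenDB)
        self._local_idp_client = local_idp_client
        self._now = now
        self.path_taken = None  # "cache", "local" or "service": which path served the last call

    def get_access_token(self, user, group, required_time_left=0):
        key = (user, group)
        now = self._now()
        token = self._cache.get(key)
        # A cached token is reused only while it has more than required_time_left seconds to live.
        if token and token["expires_at"] - now > required_time_left:
            self.path_taken = "cache"
            return token["access_token"]
        if self._local_idp_client:
            # client_id/client_secret registered in dirac.cfg: refresh without contacting the service
            token = self._refresh_locally(self._local_idp_client, user, group)
            self.path_taken = "local"
        else:
            # otherwise ask the TokenManager service to exchange the stored refresh token
            token = self._refresh_via_service(user, group)
            self.path_taken = "service"
        if token["expires_at"] - now <= required_time_left:
            raise RuntimeError("freshly issued token is shorter than the requested minimum lifetime")
        self._cache[key] = token
        return token["access_token"]


class FakeClock:
    """Controllable clock so the example runs deterministically offline."""

    def __init__(self, start=1_700_000_000):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk through the refresh paths; returns the path taken by each call."""
    clock = FakeClock()
    issued = {"n": 0}

    def issue(source, user, group):
        # Constructed token: a 600 s access token, standing in for what the IdP would return.
        issued["n"] += 1
        return {"access_token": f"{source}-{user}-{group}-{issued['n']}", "expires_at": clock() + 600}

    via_service = lambda user, group: issue("svc", user, group)
    locally = lambda creds, user, group: issue("idp", user, group)

    paths = []
    client = TokenCache(locally, via_service, local_idp_client=None, now=clock)
    client.get_access_token("alice", "dirac_user")  # nothing cached -> RPC to TokenManager
    paths.append(client.path_taken)
    client.get_access_token("alice", "dirac_user")  # still valid -> served from cache
    paths.append(client.path_taken)
    clock.advance(700)                              # past expiry -> service again
    client.get_access_token("alice", "dirac_user")
    paths.append(client.path_taken)
    clock.advance(100)                              # 500 s left, but caller wants at least 550 s
    client.get_access_token("alice", "dirac_user", required_time_left=550)
    paths.append(client.path_taken)
    # A client whose dirac.cfg carries the IdP client credentials refreshes on its own.
    local = TokenCache(locally, via_service,
                       local_idp_client={"client_id": "constructed-id", "client_secret": "constructed-secret"},
                       now=clock)
    local.get_access_token("bob", "dirac_user")
    paths.append(local.path_taken)
    return paths


if __name__ == "__main__":
    print(demo())
```

The requiredTimeLeft check matters in practice: a token that is technically valid but about to expire is useless for a long asynchronous task, so the cache treats "not enough life left" the same way as "expired".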

class DIRAC.FrameworkSystem.Service.TokenManagerHandler.TokenManagerHandler(handlerInitDict, trid)

Bases: TokenManagerHandlerMixin, RequestHandler

DEFAULT_AUTHORIZATION = ['authenticated']
__init__(handlerInitDict, trid)

Constructor

Parameters:
  • handlerInitDict (dictionary) – Information vars for the service

  • trid (object) – Transport to use

auth_getUserTokensInfo = ['authenticated']
auth_getUsersTokensInfo = ['ProxyManagement']
auth_ping = ['all']
auth_refreshConfiguration = ['CSAdministrator']
auth_whoami = ['all']
export_deleteToken(userDN: str)

Delete a token from the DB

Parameters:

userDN – user DN

Returns:

S_OK()/S_ERROR()

static export_echo(data)

This method is used for testing performance of the service

Parameters:

data (str) – data to be sent back to the caller

Returns:

S_OK, Value is the input data

export_getToken(username: str = None, userGroup: str = None, scope: list[str] = None, audience: str = None, identityProvider: str = None, requiredTimeLeft: int = 0)

Get an access token for a user/group.

  • Properties:
    • FullDelegation <- permits full delegation of tokens

    • LimitedDelegation <- permits downloading only limited tokens

    • PrivateLimitedDelegation <- permits downloading only limited tokens for oneself

Parameters:
  • username – user name

  • userGroup – user group

  • scope – requested scope

  • audience – requested audience

  • identityProvider – Identity Provider name

  • requiredTimeLeft – requested minimum life time

Returns:

S_OK(dict)/S_ERROR()
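The three delegation properties listed for export_getToken(), written out as an explicit policy check. This is an added example, not DIRAC's handler code: `caller` is assumed to be a credentials dict of the kind a handler obtains for the remote peer (only "username", "group" and "properties" are used), and a "limited" token is modelled as a flag on the returned value, since the page does not define what a limited token may do.

```python
"""Added example, not DIRAC's own code: the delegation rule listed under
export_getToken(), as an explicit policy check.

Assumed names: `caller` is a credentials dict with "username", "group" and
"properties"; the result carries a "limited" flag as a stand-in for a
limited token.
"""
FULL = "FullDelegation"
LIMITED = "LimitedDelegation"
PRIVATE_LIMITED = "PrivateLimitedDelegation"


def S_OK(value=None):
    return {"OK": True, "Value": value}


def S_ERROR(message):
    return {"OK": False, "Message": message}


def check_delegation(caller, username=None, userGroup=None):
    """Decide whether `caller` may obtain a token for username/userGroup.

    Returns S_OK({"username", "group", "limited"}) or S_ERROR(...).
    """
    # Missing username/userGroup means "a token for myself".
    username = username or caller["username"]
    userGroup = userGroup or caller["group"]
    props = set(caller.get("properties", []))
    for_self = (username, userGroup) == (caller["username"], caller["group"])
    target = {"username": username, "group": userGroup}

    if FULL in props:
        # full delegation: any user/group, unrestricted token
        return S_OK({**target, "limited": False})
    if LIMITED in props:
        # limited delegation: any user/group, but only a limited token
        return S_OK({**target, "limited": True})
    if PRIVATE_LIMITED in props and for_self:
        # private limited delegation: limited token, and only for the caller itself
        return S_OK({**target, "limited": True})
    return S_ERROR(f"{caller['username']}/{caller['group']} may not obtain a token for {username}/{userGroup}")


def demo():
    """Constructed callers covering each property, for a self-check."""
    admin = {"username": "svc_admin", "group": "dirac_admin", "properties": ["FullDelegation"]}
    agent = {"username": "wms_agent", "group": "dirac_agent", "properties": ["LimitedDelegation"]}
    user = {"username": "alice", "group": "dirac_user", "properties": ["PrivateLimitedDelegation"]}
    plain = {"username": "carol", "group": "dirac_user", "properties": []}
    return {
        "admin_for_other": check_delegation(admin, "alice", "dirac_user"),
        "agent_for_other": check_delegation(agent, "alice", "dirac_user"),
        "user_for_self": check_delegation(user),
        "user_for_other": check_delegation(user, "bob", "dirac_user"),
        "plain_for_self": check_delegation(plain),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The order of the checks is deliberate: the most permissive property wins, and a caller holding only PrivateLimitedDelegation is refused as soon as the requested identity differs from its own, which is the check that keeps one user from pulling tokens for another.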

export_getTokensByUserID(userID: str)

Retrieve a token from the DB

Parameters:

userID – user’s token id

Returns:

S_OK(list)/S_ERROR() – token rows in dict format

export_getUserTokensInfo()

Generate information dict about user tokens

Returns:

dict

export_getUsersTokensInfo(users: list)

Get the info about the user tokens in the database

Parameters:

users – user names

Returns:

S_OK(list) – list of token dictionaries

export_ping()
static export_refreshConfiguration(fromMaster)

Force refreshing the configuration data

Parameters:

fromMaster (bool) – flag to refresh from the controller configuration service

export_updateToken(token: dict, userID: str, provider: str, rt_expired_in: int = 86400)

Using this method, you can transfer user tokens for storage in the TokenManager.

It is important to note that TokenManager saves only one token per user and, accordingly, the Identity Provider from which it was issued. So when a new token is delegated, keep in mind that the old token will be deleted.

Parameters:
  • token – token

  • userID – user ID

  • provider – provider name

  • rt_expired_in – refresh token expires time (in seconds)

Returns:

S_OK(list)/S_ERROR() – list containing the uploaded tokens' info as dictionaries
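The storage semantics that export_updateToken() describes, one token per user and Identity Provider with the previous one replaced, shown in an in-memory stand-in for TokenDB. This is an added example and not DIRAC's TokenDB; it keys rows by (userID, provider), expects a token dict with at least "refresh_token", derives the refresh-token expiry from rt_expired_in as seconds from now, and its delete method takes a userID rather than the userDN the real export_deleteToken() takes.

```python
"""Added example, not DIRAC's own code: in-memory model of TokenDB with
the "one token per user and provider, old one deleted" rule.

Assumed names: rows keyed by (userID, provider); token dicts carrying
"refresh_token" and optionally "access_token"; rt_expires_at computed
from rt_expired_in in seconds from now.
"""
import time


def S_OK(value=None):
    return {"OK": True, "Value": value}


def S_ERROR(message):
    return {"OK": False, "Message": message}


class TokenStore:
    def __init__(self, now=time.time):
        self._rows = {}  # (userID, provider) -> row dict
        self._now = now

    def update_token(self, token, userID, provider, rt_expired_in=86400):
        """Store `token` for userID at provider, replacing whatever was there."""
        if not isinstance(token, dict) or not token.get("refresh_token"):
            return S_ERROR("token must be a dict carrying a refresh_token")
        row = {
            "user_id": userID,
            "provider": provider,
            "refresh_token": token["refresh_token"],
            "access_token": token.get("access_token"),
            "rt_expires_at": int(self._now()) + int(rt_expired_in),
        }
        self._rows[(userID, provider)] = row  # only one row per user/provider survives
        return S_OK([dict(row)])

    def get_tokens_by_user_id(self, userID):
        rows = [dict(r) for (uid, _), r in self._rows.items() if uid == userID]
        return S_OK(rows)

    def delete_token(self, userID):
        """Remove every stored token of userID (all providers)."""
        for key in [k for k in self._rows if k[0] == userID]:
            del self._rows[key]
        return S_OK()

    def purge_expired_refresh_tokens(self):
        """Housekeeping: drop rows whose refresh token can no longer be exchanged."""
        now = int(self._now())
        expired = [k for k, r in self._rows.items() if r["rt_expires_at"] <= now]
        for key in expired:
            del self._rows[key]
        return S_OK(len(expired))


def demo():
    """Constructed tokens; real values would come from the Identity Provider."""
    t0 = 1_700_000_000
    store = TokenStore(now=lambda: t0)
    store.update_token({"refresh_token": "rt-1", "access_token": "at-1"}, "alice", "idp-a")
    store.update_token({"refresh_token": "rt-2", "access_token": "at-2"}, "alice", "idp-a")  # replaces rt-1
    store.update_token({"refresh_token": "rt-3"}, "alice", "idp-b", rt_expired_in=3600)
    after_update = store.get_tokens_by_user_id("alice")["Value"]
    store.delete_token("alice")
    after_delete = store.get_tokens_by_user_id("alice")["Value"]
    return after_update, after_delete


if __name__ == "__main__":
    print(demo())
```

The replacement rule has an operational consequence worth remembering: a component that delegates a fresh token for a user silently invalidates the one the service was already using for that user and provider, so a second refresh token for the same pair must never be assumed to survive.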

export_whoami()

A simple whoami; returns the whole credentials dictionary, except the certificate chain object.

classmethod getCSOption(optionName, defaultValue=False)

Get an option from the CS section of the services

Returns:

Value of serviceSection/optionName in the CS, defaultValue being the default

getRemoteAddress()

Get the address of the remote peer.

Returns:

Address of remote peer.

getRemoteCredentials()

Get the credentials of the remote peer.

Returns:

Credentials dictionary of remote peer.

initialize()

Initialize this instance of the handler (to be overwritten)

classmethod initializeHandler(*args)

Initialization

Returns:

S_OK()/S_ERROR()

srv_disconnect(trid=None)
classmethod srv_disconnectClient(trid)
srv_getActionTuple()
classmethod srv_getCSOption(optionName, defaultValue=False)

Get an option from the CS section of the services

Returns:

Value of serviceSection/optionName in the CS, defaultValue being the default

srv_getClientSetup()
srv_getClientVO()
srv_getClientVersion()
srv_getFormattedRemoteCredentials()
classmethod srv_getMonitor()
srv_getRemoteAddress()

Get the address of the remote peer.

Returns:

Address of remote peer.

srv_getRemoteCredentials()

Get the credentials of the remote peer.

Returns:

Credentials dictionary of remote peer.

classmethod srv_getServiceName()
srv_getTransportID()
classmethod srv_getURL()
classmethod srv_msgCreate(msgName)
srv_msgReply(msgObj)
classmethod srv_msgSend(trid, msgObj)
transfer_bulkFromClient(bulkId, token, bulkSize, fileHelper)
transfer_bulkToClient(bulkId, token, fileHelper)
transfer_fromClient(fileId, token, fileSize, fileHelper)
transfer_listBulk(bulkId, token, fileHelper)
transfer_toClient(fileId, token, fileHelper)
types_deleteToken = [<class 'str'>]
types_echo = [<class 'str'>]
types_getToken = [None, None, None, None, None]
types_getTokensByUserID = [<class 'str'>]
types_getUserTokensInfo = [<class 'list'>]
types_ping = []
types_refreshConfiguration = [<class 'bool'>]
types_updateToken = [<class 'dict'>, <class 'str'>, <class 'str'>, <class 'int'>]
types_whoami = []
class DIRAC.FrameworkSystem.Service.TokenManagerHandler.TokenManagerHandlerMixin

Bases: object

DEFAULT_AUTHORIZATION = ['authenticated']
auth_getUserTokensInfo = ['authenticated']
auth_getUsersTokensInfo = ['ProxyManagement']
export_deleteToken(userDN: str)

Delete a token from the DB

Parameters:

userDN – user DN

Returns:

S_OK()/S_ERROR()

export_getToken(username: str = None, userGroup: str = None, scope: list[str] = None, audience: str = None, identityProvider: str = None, requiredTimeLeft: int = 0)

Get an access token for a user/group.

  • Properties:
    • FullDelegation <- permits full delegation of tokens

    • LimitedDelegation <- permits downloading only limited tokens

    • PrivateLimitedDelegation <- permits downloading only limited tokens for oneself

Parameters:
  • username – user name

  • userGroup – user group

  • scope – requested scope

  • audience – requested audience

  • identityProvider – Identity Provider name

  • requiredTimeLeft – requested minimum life time

Returns:

S_OK(dict)/S_ERROR()

export_getTokensByUserID(userID: str)

Retrieve a token from the DB

Parameters:

userID – user’s token id

Returns:

S_OK(list)/S_ERROR() – token rows in dict format

export_getUserTokensInfo()

Generate information dict about user tokens

Returns:

dict

export_getUsersTokensInfo(users: list)

Get the info about the user tokens in the database

Parameters:

users – user names

Returns:

S_OK(list) – list of token dictionaries

export_updateToken(token: dict, userID: str, provider: str, rt_expired_in: int = 86400)

Using this method, you can transfer user tokens for storage in the TokenManager.

It is important to note that TokenManager saves only one token per user and, accordingly, the Identity Provider from which it was issued. So when a new token is delegated, keep in mind that the old token will be deleted.

Parameters:
  • token – token

  • userID – user ID

  • provider – provider name

  • rt_expired_in – refresh token expires time (in seconds)

Returns:

S_OK(list)/S_ERROR() – list containing the uploaded tokens' info as dictionaries

classmethod initializeHandler(*args)

Initialization

Returns:

S_OK()/S_ERROR()

types_deleteToken = [<class 'str'>]
types_getToken = [None, None, None, None, None]
types_getTokensByUserID = [<class 'str'>]
types_getUserTokensInfo = [<class 'list'>]
types_updateToken = [<class 'dict'>, <class 'str'>, <class 'str'>, <class 'int'>]