The TokenManager service is responsible for token management: storing, updating and requesting new tokens for DIRAC components that have the appropriate permissions.
# Section to describe TokenManager system
TokenManager
{
  Port = 9181
  # Description of rules for access to methods
  Authorization
  {
    # Settings by default:
    Default = authenticated
    getUsersTokensInfo = ProxyManagement
  }
}
The most common use of this service is to obtain tokens with a certain scope, either to return them to the user for their own purposes
or to provide them to a DIRAC service that performs asynchronous tasks on behalf of the user.
This is mainly what export_getToken() is for.
The client has a mechanism for caching the received tokens, which reduces the number of requests to both the service and the Identity Provider (IdP).
If the client has a valid access token in the cache, it is used until it expires.
After that it needs to be refreshed. The client can refresh it independently if the client_id and client_secret
of the Identity Provider client are registered in dirac.cfg on the server where the client runs.
Otherwise, the client makes an RPC call to the TokenManager service: the refresh token
is taken from TokenDB
and the token exchange request is made to the Identity Provider.
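The cache, local-refresh and RPC paths described above, and the one-token-per-user-and-IdP rule noted under export_updateToken, modelled as an added offline example (this is illustration code, not DIRAC's client, TokenDB or handler; the class names, the IdP stand-in and the token values are assumptions):

```python
from dataclasses import dataclass

# Assumed, simplified model for illustration; none of these classes are DIRAC's own code.

@dataclass
class Token:
    access_token: str
    refresh_token: str
    expires_at: float  # unix time

class IdP:
    """Stand-in for the Identity Provider refresh endpoint (constructed, offline)."""
    def __init__(self, lifetime=3600):
        self.lifetime, self.calls = lifetime, 0
    def refresh(self, refresh_token, now):
        self.calls += 1  # every call here is a request the client cache is meant to avoid
        return Token(f"at-{self.calls}", refresh_token, now + self.lifetime)

class TokenManagerService:
    """Server side: rows keyed by (userID, provider), so a new upload for the same user
    and IdP replaces the old token; getToken exchanges the stored refresh token at the IdP."""
    def __init__(self, idp):
        self.idp, self.rows = idp, {}
    def update_token(self, token, user_id, provider):
        self.rows[(user_id, provider)] = token
    def get_token(self, user_id, provider, now):
        new = self.idp.refresh(self.rows[(user_id, provider)].refresh_token, now)
        self.update_token(new, user_id, provider)  # store the fresh token for this user/IdP
        return new

class TokenManagerClient:
    """Client side: serve from cache while enough lifetime remains, refresh directly at
    the IdP only if client_id and client_secret are configured, otherwise RPC to the service."""
    def __init__(self, service, user_id, provider, idp, client_id=None, client_secret=None):
        self.service, self.user_id, self.provider = service, user_id, provider
        self.local_idp = idp if client_id and client_secret else None
        self.cached = None
    def get_token(self, now, required_time_left=0):
        tok = self.cached
        if tok and tok.expires_at - now >= required_time_left:
            return tok, "cache"
        if tok and self.local_idp:
            tok, source = self.local_idp.refresh(tok.refresh_token, now), "local"
        else:
            tok, source = self.service.get_token(self.user_id, self.provider, now), "rpc"
        self.cached = tok
        return tok, source
```

The second return value reports which path served the request, so a caller can see how requiredTimeLeft and the presence of client credentials change the number of IdP calls.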
- class DIRAC.FrameworkSystem.Service.TokenManagerHandler.TokenManagerHandler(handlerInitDict, trid)
- DEFAULT_AUTHORIZATION = ['authenticated']
- __init__(handlerInitDict, trid)
- Parameters:
handlerInitDict (dictionary) – Information vars for the service
trid (object) – Transport to use
- auth_getUserTokensInfo = ['authenticated']
- auth_getUsersTokensInfo = ['ProxyManagement']
- auth_ping = ['all']
- auth_refreshConfiguration = ['CSAdministrator']
- auth_whoami = ['all']
- export_deleteToken(userDN: str)
Delete a token from the DB
- Parameters:
userDN – user DN
- Returns:
- static export_echo(data)
This method is used for testing performance of the service
- Parameters:
data (str) – data to be sent back to the caller
- Returns:
S_OK, Value is the input data
- export_getToken(username: str = None, userGroup: str = None, scope: list[str] = None, audience: str = None, identityProvider: str = None, requiredTimeLeft: int = 0)
Get an access token for a user/group.
- Properties:
FullDelegation <- permits full delegation of tokens
LimitedDelegation <- permits downloading only limited tokens
PrivateLimitedDelegation <- permits downloading only limited tokens for oneself
- Parameters:
username – user name
userGroup – user group
scope – requested scope
audience – requested audience
identityProvider – Identity Provider name
requiredTimeLeft – requested minimum life time
- Returns:
- export_getTokensByUserID(userID: str)
Retrieve a token from the DB
- Parameters:
userID – user’s token id
- Returns:
S_OK(list)/S_ERROR() token row in dict format
- export_getUserTokensInfo()
Generate information dict about user tokens
- Returns:
- export_getUsersTokensInfo(users: list)
Get the info about the user tokens in the database
- Parameters:
users – user names
- Returns:
S_OK(list) – return list of tokens dictionaries
- export_ping()
- static export_refreshConfiguration(fromMaster)
Force refreshing the configuration data
- Parameters:
fromMaster (bool) – flag to refresh from the controller configuration service
- export_updateToken(token: dict, userID: str, provider: str, rt_expired_in: int = 86400)
Using this method, you can transfer user tokens for storage in the TokenManager.
It is important to note that TokenManager saves only one token per user and, accordingly, the Identity Provider from which it was issued. So when a new token is delegated, keep in mind that the old token will be deleted.
- Parameters:
token – token
userID – user ID
provider – provider name
rt_expired_in – refresh token expires time (in seconds)
- Returns:
S_OK(list)/S_ERROR() – list containing the uploaded tokens' info as dictionaries
- export_whoami()
A simple whoami: returns the full credentials dictionary, except the certificate chain object.
- classmethod getCSOption(optionName, defaultValue=False)
Get an option from the CS section of the services
- Returns:
Value of serviceSection/optionName in the CS, with defaultValue as the default
- getRemoteAddress()
Get the address of the remote peer.
- Returns:
Address of remote peer.
- getRemoteCredentials()
Get the credentials of the remote peer.
- Returns:
Credentials dictionary of remote peer.
- initialize()
Initialize this instance of the handler (to be overwritten)
- classmethod initializeHandler(*args)
- Returns:
- srv_disconnect(trid=None)
- classmethod srv_disconnectClient(trid)
- srv_getActionTuple()
- classmethod srv_getCSOption(optionName, defaultValue=False)
Get an option from the CS section of the services
- Returns:
Value of serviceSection/optionName in the CS, with defaultValue as the default
- srv_getClientSetup()
- srv_getClientVO()
- srv_getClientVersion()
- srv_getFormattedRemoteCredentials()
- classmethod srv_getMonitor()
- srv_getRemoteAddress()
Get the address of the remote peer.
- Returns:
Address of remote peer.
- srv_getRemoteCredentials()
Get the credentials of the remote peer.
- Returns:
Credentials dictionary of remote peer.
- classmethod srv_getServiceName()
- srv_getTransportID()
- classmethod srv_getURL()
- classmethod srv_msgCreate(msgName)
- srv_msgReply(msgObj)
- classmethod srv_msgSend(trid, msgObj)
- transfer_bulkFromClient(bulkId, token, bulkSize, fileHelper)
- transfer_bulkToClient(bulkId, token, fileHelper)
- transfer_fromClient(fileId, token, fileSize, fileHelper)
- transfer_listBulk(bulkId, token, fileHelper)
- transfer_toClient(fileId, token, fileHelper)
- types_deleteToken = [<class 'str'>]
- types_echo = [<class 'str'>]
- types_getToken = [None, None, None, None, None]
- types_getTokensByUserID = [<class 'str'>]
- types_getUserTokensInfo = [<class 'list'>]
- types_ping = []
- types_refreshConfiguration = [<class 'bool'>]
- types_updateToken = [<class 'dict'>, <class 'str'>, <class 'str'>, <class 'int'>]
- types_whoami = []
- class DIRAC.FrameworkSystem.Service.TokenManagerHandler.TokenManagerHandlerMixin
- DEFAULT_AUTHORIZATION = ['authenticated']
- auth_getUserTokensInfo = ['authenticated']
- auth_getUsersTokensInfo = ['ProxyManagement']
- export_deleteToken(userDN: str)
Delete a token from the DB
- Parameters:
userDN – user DN
- Returns:
- export_getToken(username: str = None, userGroup: str = None, scope: list[str] = None, audience: str = None, identityProvider: str = None, requiredTimeLeft: int = 0)
Get an access token for a user/group.
- Properties:
FullDelegation <- permits full delegation of tokens
LimitedDelegation <- permits downloading only limited tokens
PrivateLimitedDelegation <- permits downloading only limited tokens for oneself
- Parameters:
username – user name
userGroup – user group
scope – requested scope
audience – requested audience
identityProvider – Identity Provider name
requiredTimeLeft – requested minimum life time
- Returns:
- export_getTokensByUserID(userID: str)
Retrieve a token from the DB
- Parameters:
userID – user’s token id
- Returns:
S_OK(list)/S_ERROR() token row in dict format
- export_getUserTokensInfo()
Generate information dict about user tokens
- Returns:
- export_getUsersTokensInfo(users: list)
Get the info about the user tokens in the database
- Parameters:
users – user names
- Returns:
S_OK(list) – return list of tokens dictionaries
- export_updateToken(token: dict, userID: str, provider: str, rt_expired_in: int = 86400)
Using this method, you can transfer user tokens for storage in the TokenManager.
It is important to note that TokenManager saves only one token per user and, accordingly, the Identity Provider from which it was issued. So when a new token is delegated, keep in mind that the old token will be deleted.
- Parameters:
token – token
userID – user ID
provider – provider name
rt_expired_in – refresh token expires time (in seconds)
- Returns:
S_OK(list)/S_ERROR() – list containing the uploaded tokens' info as dictionaries
- classmethod initializeHandler(*args)
- Returns:
- types_deleteToken = [<class 'str'>]
- types_getToken = [None, None, None, None, None]
- types_getTokensByUserID = [<class 'str'>]
- types_getUserTokensInfo = [<class 'list'>]
- types_updateToken = [<class 'dict'>, <class 'str'>, <class 'str'>, <class 'int'>]