[v7r3] login with tokens (first part of the #5045)#5149
to pass tests I need to add new packages to DIRACOS?
fstagni left a comment
This is just a very quick review, I didn't analyze in depth.
Yes.
chaen left a comment
It's only a partial review, it's too long for me to review at once
04cd181 to ec4ed9b
f7eb9ed to 59fd067
68d885b to 63c355b
self.lifetime = None
self.provider = 'DIRACCLI'
self.issuer = None
self.proxyLoc = '/tmp/x509up_u%s' % os.getuid()
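Review bot: the default proxy location on the last line is hard-coded to '/tmp/x509up_u%s' % os.getuid(), which silently ignores a proxy the user has placed elsewhere; the usual Grid convention is to honour the X509_USER_PROXY environment variable first and only then fall back to /tmp/x509up_u<uid>, so consider `self.proxyLoc = os.environ.get('X509_USER_PROXY') or '/tmp/x509up_u%s' % os.getuid()` (or reuse an existing helper in the code base that already does this lookup). Since `provider` defaults to 'DIRACCLI' while `issuer` and `lifetime` stay None, it would also help to state in a comment which of these the caller is expected to fill in before the proxy path is used.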
to get a proxy certificate instead of a token, I will add the keys
Sorry, I am confused then: isn't dirac-proxy-init for the proxy, dirac-login for the token?
dirac-proxy-init uses the user certificate to generate a proxy with the DIRAC group extension.
dirac-login uses the DIRAC authorization server's authorization_endpoint to do AuthN through an IdP (IAM/CheckIn) and AuthZ:
- by obtaining access tokens with scopes related to the DIRAC group from the IdP (IAM/CheckIn).
- by obtaining a proxy with the DIRAC group extension from the DIRAC ProxyManager
I'll think about how to combine it all.
return writeToTokenFile(json.dumps(tokenDict), fileName)

class OAuth2Token(_OAuth2Token):
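Review bot: writeToTokenFile receives the token as a JSON string, and the visible lines do not show how the target file is created; a bearer token is a credential, so the write should create the file with mode 0600 explicitly (for example `os.open(fileName, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)`, or a temporary file in the same directory followed by a rename) rather than relying on the process umask. The OAuth2Token subclass should also document the on-disk format, since a JSON document holding the token dict is not the bare token that WLCG Bearer Token Discovery clients expect to find in a token file, and other tools reading the file need to know which one to parse.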
The WLCG Bearer Token Discovery document also mentions handling multiple tokens, for cases where multiple VOs are being used. I know very little about multi-vo DIRAC but is this something that should be included in the design of this interface?
It is not implemented yet, but it can be implemented later based on practical use
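The WLCG Bearer Token Discovery question above and the writeToTokenFile line under review both come down to the same two operations: finding the token a client should use, and storing one so that nobody else on the host can read it. The following is an added example and not DIRAC's code; it follows the lookup order of the WLCG Bearer Token Discovery document (BEARER_TOKEN, BEARER_TOKEN_FILE, $XDG_RUNTIME_DIR/bt_u<uid>, /tmp/bt_u<uid>). The owner/0600 check, the acceptance of a JSON {"access_token": ...} document (the shape the PR stores) next to a bare token, and the `tmp_dir` testing hook are this example's own choices, and the sample token is a constructed placeholder.

```python
"""Added example (not DIRAC code): locate a bearer token the way the WLCG
Bearer Token Discovery document describes, and store one safely."""
import json
import os
import stat
import tempfile

# Constructed placeholder, not a real token.
SAMPLE_TOKEN_DICT = {"access_token": "eyJ.example.token", "token_type": "Bearer"}


def read_token_file(path, uid):
    """Return the token in `path`, or None if the file is missing or is
    readable/writable by anyone other than its owner `uid` (example policy)."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    if st.st_uid != uid or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return None
    with open(path) as handle:
        content = handle.read().strip()
    if content.startswith("{"):  # JSON document as written by write_token_file
        try:
            return json.loads(content).get("access_token")
        except ValueError:
            return None
    return content or None  # bare token, the WLCG file format


def discover_bearer_token(env, uid, tmp_dir="/tmp"):
    """Return (token, source) following the WLCG lookup order:
    BEARER_TOKEN, BEARER_TOKEN_FILE, $XDG_RUNTIME_DIR/bt_u<uid>, /tmp/bt_u<uid>.
    `env` and `uid` are passed in (instead of os.environ / os.getuid()) and
    `tmp_dir` is a testing hook, so the lookup runs without touching the real
    environment.  A file that fails read_token_file is skipped (assumption)."""
    if env.get("BEARER_TOKEN"):
        return env["BEARER_TOKEN"].strip(), "BEARER_TOKEN"
    candidates = []
    if env.get("BEARER_TOKEN_FILE"):
        candidates.append((env["BEARER_TOKEN_FILE"], "BEARER_TOKEN_FILE"))
    if env.get("XDG_RUNTIME_DIR"):
        candidates.append((os.path.join(env["XDG_RUNTIME_DIR"], "bt_u%d" % uid), "XDG_RUNTIME_DIR"))
    candidates.append((os.path.join(tmp_dir, "bt_u%d" % uid), "/tmp"))
    for path, source in candidates:
        token = read_token_file(path, uid)
        if token:
            return token, source
    return None, None


def write_token_file(token_dict, path):
    """Write the token JSON with mode 0600 via a temporary file plus rename, so
    there is no moment at which the file is partially written or readable by
    other users (mkstemp already creates it 0600; fchmod makes that explicit)."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".bt_")
    try:
        os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)
        with os.fdopen(fd, "w") as handle:
            handle.write(json.dumps(token_dict))
        os.replace(tmp_path, path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return path


def demo():
    """Run the helpers inside a scratch directory and report what they did."""
    uid = os.getuid()
    workdir = tempfile.mkdtemp()
    empty = os.path.join(workdir, "empty")
    os.mkdir(empty)
    safe = write_token_file(SAMPLE_TOKEN_DICT, os.path.join(workdir, "bt_u%d" % uid))
    # A world-readable copy of the same token must be ignored by discovery.
    leaky = os.path.join(workdir, "leaky")
    with open(leaky, "w") as handle:
        handle.write(SAMPLE_TOKEN_DICT["access_token"])
    os.chmod(leaky, 0o644)
    return {
        "safe_mode": stat.S_IMODE(os.stat(safe).st_mode),
        "from_env": discover_bearer_token({"BEARER_TOKEN": " inline "}, uid),
        "from_file": discover_bearer_token({"BEARER_TOKEN_FILE": safe}, uid),
        "from_xdg": discover_bearer_token({"XDG_RUNTIME_DIR": workdir}, uid),
        "leaky_rejected": discover_bearer_token({"BEARER_TOKEN_FILE": leaky}, uid, tmp_dir=empty),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-15s %r" % (key, value))
```

Multi-VO support, as raised in the comment, would sit on top of this: one token file per issuer or VO, selected before the lookup, with the same permission rule applied to each file.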
63c355b to 0b56c5f
756b910 to e64ec59
restart tests
I avoided using token authentication when using python 2. I hope I understood the latest requirements correctly.
b09b3dd to 9876263
This is the first part of the main release #5045 and an attempt to implement the code with the least changes to the main project.
Here the possibility to log in using identity providers and to access DIRAC services with the help of tokens is realized.
UPDATE:
TODO:
DIRACOS2
How to test it?
Usual tests
If you are testing without the use of tokens, for example to make sure that the usual behavior has not changed without the use of token authorization, then you do not need to do anything special. Everything must be backward compatible. Just do the tests as usual.
Try tokens
wlcggroups
DIRAC CLI test
~/diracos/etc/dirac.cfg with required options /DIRAC/Security/Authorization/issuer=https://lbcertifdiracoauth.cern.ch/auth, /DIRAC/Setup=DIRAC-CertifOauth, DIRAC/Configuration/Servers=https://lbcertifdiracoauth.cern.ch:9135/Configuration/Server (if you already have configured dirac.cfg you can add it manually):
Note: If you are not yet registered in DIRAC, the first time you try to log in through DIRAC, admins will receive a message asking to add you, after which you can try again.
Note: when you use login you get an access token from the identity provider with the scopes described for the DIRAC group. If you want to get a proxy as usual, use the --proxy key.
ProxyManager as usual):
Note: to use a proxy to access https services, the /DIRAC/Security/UseTokens CS option and the DIRAC_USE_ACCESS_TOKEN environ must be not y, yes or true.
DIRAC WEB test
IAM. Click Settings --> User --> IAM_dev.
Note: If you are not yet registered in DIRAC, the first time you try to log in through DIRAC, admins will receive a message asking to add you, after which you can try again.
Note: every time you log in the tokens are updated by TokenManager and you can check them in the Token Manager application.
Note: The server may not be available from time to time, for temporary reasons (e.g. puppet).
Prepare certification server
Set values:
vX.Y.Z-TIMESTAMP format:
Install DIRACOS2
versions path if not exist:
pro (use -sfn key):
Install DIRAC and WebApp
Restart services:
BEGINRELEASENOTES
*Configuration
NEW: add helpers methods to work with identity providers and APIs
FIX: decode bytes to utf-8
*Core
CHANGE: add possibility to use restful endpoints to TornadoServer framework
NEW: add possibility to use token authorisation to Tornado clients
*Framework
NEW: add Authorisation Server based on authlib package and AuthDB database to serve sessions
NEW: add restful API for Authorisation Server
NEW: add dirac-login, dirac-logout scripts
NEW: add TokenManager service with TokenDB database
*Resources
NEW: add identity providers
*tests
NEW: add AuthDB, TokenDB tests
ENDRELEASENOTES