
[v7r3] login with tokens (first part of #5045) #5149

Merged
atsareg merged 178 commits into DIRACGrid:integration from TaykYoku:integration_oauth_p01 on Sep 5, 2021

Conversation

@TaykYoku TaykYoku commented May 19, 2021

Contributor

This is the first part of the main release #5045 and an attempt to implement the code with the fewest changes to the main project.
It adds the possibility to log in using identity providers and to access DIRAC services with the help of tokens.

UPDATE:

  • Added TokenManager service

TODO:

  • update to use the latest authlib and pyjwt packages.
  • add required packages to DIRACOS2
  • approve puppet commit

How to test it?

Usual tests

If you are testing without tokens, for example to make sure that the usual behaviour has not changed when token authorization is not used, you do not need to do anything special. Everything must be backward compatible. Just run the tests as usual.

Try tokens

DIRAC CLI test

  • Install the DIRAC Client with the latest DIRACOS2, e.g.:
curl -LO https://github.com/DIRACGrid/DIRACOS2/releases/latest/download/DIRACOS-Linux-x86_64.sh
bash DIRACOS-Linux-x86_64.sh
source ~/diracos/diracosrc
pip install git+https://github.com/TaykYoku/DIRAC.git@integration_oauth_p01
dirac-configure --login=https://lbcertifdiracoauth.cern.ch/auth

Note: if you are not yet registered in DIRAC, the first time you try to log in, DIRAC admins will receive a message asking them to add you, after which you can try again.

  • check the installation and authorization status after you run the configure script:
dirac-info
dirac-login --info

Note: when you use login you get an access token from the Identity Provider with the scopes described for the DIRAC group. If you want to get a proxy as usual, use the --proxy key.

  • try to access an https service:
dirac-dms-filecatalog-cli
  • Most services work through DISET, so you can try to get a proxy instead of a token (the proxy must be uploaded into ProxyManager as usual):
dirac-login -g dirac_user --proxy
  • check the proxy:
dirac-login --info
dirac-proxy-info
  • try to access an https service or a DISET service:
dirac-proxy-get-uploaded-info
dirac-dms-filecatalog-cli

Note: to use a proxy to access https services, the /DIRAC/Security/UseTokens CS option and the DIRAC_USE_ACCESS_TOKEN environment variable must not be y, yes or true.

  • log out to destroy the tokens.
dirac-logout

DIRAC WEB test

  • Go to https://lbcertifdiracoauth.cern.ch/DIRAC
  • Try to log in with IAM: click Settings --> User --> IAM_dev.
    Note: if you are not yet registered in DIRAC, the first time you try to log in, DIRAC admins will receive a message asking them to add you, after which you can try again.

Note: every time you log in, the tokens are updated by TokenManager and you can check them in the Token Manager application.
Note: the server may be unavailable from time to time for temporary reasons (e.g. puppet).

Prepare certification server

Set values:

  • Root DIRAC directory:
install_root="/opt/dirac"
  • DIRAC version in vX.Y.Z-TIMESTAMP format:
version_and_date="v7.3.0a23-$(date -u '+%s')"
  • platform and DIRACOS installation path:
platform="$(uname -s)-$(uname -m)"
install_diracos_root="${install_root}/versions/${version_and_date}/${platform}"

Install DIRACOS2

  • Create the versions path if it does not exist:
mkdir -p "${install_root}/versions" && cd "${install_root}"
  • install DIRACOS2:
curl -LO "https://github.com/DIRACGrid/DIRACOS2/releases/latest/download/DIRACOS-${platform}.sh"
bash "DIRACOS-${platform}.sh" -p "${install_diracos_root}" && rm "DIRACOS-${platform}.sh"
source "${install_diracos_root}/diracosrc"
  • create the symlink for pro (use the -sfn key):
ln -sfn "${install_root}/versions/${version_and_date}" "${install_root}/pro"

Install DIRAC and WebApp

  • install DIRAC and WebApp
pip install git+https://github.com/TaykYoku/DIRAC.git@integration_oauth_p01
pip install git+https://github.com/TaykYoku/WebAppDIRAC.git@integration_oauth_token

Restart services:

runsvctrl t /opt/dirac/startup/*

BEGINRELEASENOTES

*Configuration
NEW: add helpers methods to work with identity providers and APIs
FIX: decode bytes to utf-8

*Core
CHANGE: add possibility to use restful endpoints to TornadoServer framework
NEW: add possibility to use token authorisation to Tornado clients

*Framework
NEW: add Authorisation Server based on authlib package and AuthDB database to serve sessions
NEW: add restful API for Authorisation Server
NEW: add dirac-login, dirac-logout scripts
NEW: add TokenManager service with TokenDB database

*Resources
NEW: add identity providers

*tests
NEW: add AuthDB, TokenDB tests

ENDRELEASENOTES
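As an added example to go with the CLI test procedure above (illustrative code, not DIRAC's or the author's), the following Python shows what a tester of token login may want to check offline: the token-versus-proxy switch the notes describe (DIRAC_USE_ACCESS_TOKEN and /DIRAC/Security/UseTokens set to y, yes or true), locating the bearer token in the order the WLCG Bearer Token Discovery profile prescribes (BEARER_TOKEN, BEARER_TOKEN_FILE, $XDG_RUNTIME_DIR/bt_u<uid>, /tmp/bt_u<uid>), and inspecting a token's exp, nbf and scope claims before presenting it. Assumed, not taken from the PR: the y/yes/true match is case-insensitive, either setting being true selects tokens, the lookup falls through to the next location when a token file is missing, and the sample token is constructed and unsigned.

```python
# Added example, not DIRAC project code: token-vs-proxy switch, WLCG Bearer
# Token Discovery lookup and client-side claim inspection for the CLI test.
import base64
import json
import os
import time

TRUE_VALUES = ("y", "yes", "true")


def use_access_token(env=None, cs_use_tokens=None):
    """True when the client should present an access token, False for a proxy.
    The PR notes say a proxy is used for https services only when neither
    DIRAC_USE_ACCESS_TOKEN nor /DIRAC/Security/UseTokens (passed in by the
    caller) is y, yes or true.  Assumption: matching is case-insensitive.
    """
    env = os.environ if env is None else env
    values = (env.get("DIRAC_USE_ACCESS_TOKEN"), cs_use_tokens)
    return any(str(v).strip().lower() in TRUE_VALUES for v in values if v is not None)


def _read_text(path):
    # File contents, or None when the file is absent or unreadable.
    try:
        with open(path, "r", encoding="utf-8") as handle:
            return handle.read()
    except OSError:
        return None


def find_bearer_token(env=None, uid=None, read_file=_read_text):
    """WLCG Bearer Token Discovery order: BEARER_TOKEN, BEARER_TOKEN_FILE,
    $XDG_RUNTIME_DIR/bt_u<uid>, /tmp/bt_u<uid>.  Returns (token, source) or
    (None, None).  env/uid/read_file are injectable for offline testing.
    Assumption: a missing or empty file falls through to the next location.
    """
    env = os.environ if env is None else env
    uid = os.geteuid() if uid is None else uid
    if env.get("BEARER_TOKEN", "").strip():
        return env["BEARER_TOKEN"].strip(), "BEARER_TOKEN"
    paths = []
    if env.get("BEARER_TOKEN_FILE"):
        paths.append(env["BEARER_TOKEN_FILE"])
    if env.get("XDG_RUNTIME_DIR"):
        paths.append(os.path.join(env["XDG_RUNTIME_DIR"], "bt_u%d" % uid))
    paths.append("/tmp/bt_u%d" % uid)
    for path in paths:
        content = read_file(path)
        if content and content.strip():
            return content.strip(), path
    return None, None


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token):
    """Payload of a compact JWT.  The signature is deliberately NOT checked:
    this is a client pre-flight only.  The service must verify the signature
    against the issuer's published keys and reject alg=none."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims, required_scopes=(), now=None):
    """(ok, reason) after checking exp, nbf and the space-separated scope claim."""
    now = time.time() if now is None else now
    if "exp" not in claims:
        return False, "no exp claim"
    if now >= claims["exp"]:
        return False, "token expired"
    if now < claims.get("nbf", 0):
        return False, "token not yet valid"
    granted = set(str(claims.get("scope", "")).split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        return False, "missing scopes: " + " ".join(missing)
    return True, "ok"


def make_sample_token(claims):
    """Constructed, UNSIGNED (alg=none) token used only to build offline input."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return header + "." + _b64url_encode(json.dumps(claims).encode("utf-8")) + "."


if __name__ == "__main__":
    # Constructed scenario: uid 1000 has a token at the XDG runtime location.
    sample = make_sample_token({"sub": "demo", "exp": int(time.time()) + 3600,
                                "scope": "openid profile wlcg.groups:/dirac_user"})
    fake_fs = {"/run/user/1000/bt_u1000": sample + "\n"}
    token, source = find_bearer_token({"XDG_RUNTIME_DIR": "/run/user/1000"}, 1000, fake_fs.get)
    print("token from:", source)
    print("use tokens?", use_access_token({"DIRAC_USE_ACCESS_TOKEN": "yes"}))
    print(check_claims(decode_claims(token), ["openid", "wlcg.groups:/dirac_user"]))
```

The claim inspection is only a courtesy check on the client side (it saves a round trip when a token has expired or lacks a scope); trust decisions belong to the service, which must validate the signature, issuer and audience itself.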

@TaykYoku TaykYoku requested review from atsareg and fstagni as code owners May 19, 2021 19:05
@TaykYoku

Contributor Author

To pass the tests, do I need to add new packages to DIRACOS?

authlib == 1.0.0
pyjwt
dominate

@fstagni fstagni left a comment

Contributor


This is just a very quick review, I didn't analyze in depth.

Comment thread environment-py3.yml Outdated
Comment thread src/DIRAC/ConfigurationSystem/Client/Utilities.py Outdated
Comment thread src/DIRAC/ConfigurationSystem/Client/Utilities.py Outdated
Comment thread src/DIRAC/Core/Security/TokenInfo.py Outdated
Comment thread src/DIRAC/Core/Security/TokenInfo.py Outdated
Comment thread tests/Integration/Framework/Test_AuthDB.py
Comment thread src/DIRAC/FrameworkSystem/scripts/dirac_login.py Outdated
Comment thread src/DIRAC/FrameworkSystem/private/authorization/utils/__init__.py Outdated
Comment thread src/DIRAC/FrameworkSystem/scripts/dirac_login.py Outdated
fstagni commented May 20, 2021

Contributor

To pass the tests, do I need to add new packages to DIRACOS?

authlib == 1.0.0
pyjwt
dominate

Yes.

Comment thread environment.yml Outdated
Comment thread src/DIRAC/Core/Security/Locations.py Outdated
Comment thread src/DIRAC/Core/Security/Locations.py Outdated
Comment thread src/DIRAC/Core/Security/TokenFile.py Outdated
Comment thread src/DIRAC/Core/Security/TokenFile.py Outdated
Comment thread src/DIRAC/Core/Tornado/scripts/tornado_start_web.py Outdated
Comment thread src/DIRAC/FrameworkSystem/API/AuthHandler.py
Comment thread src/DIRAC/FrameworkSystem/scripts/dirac_login.py Outdated
Comment thread src/DIRAC/FrameworkSystem/scripts/dirac_login.py
Comment thread src/DIRAC/Resources/IdProvider/IdProviderFactory.py Outdated

@chaen chaen left a comment

Contributor


It's only a partial review; it's too long for me to review at once.

Comment thread dirac.cfg Outdated
Comment thread setup.cfg Outdated
Comment thread src/DIRAC/ConfigurationSystem/Client/Helpers/Resources.py Outdated
Comment thread src/DIRAC/ConfigurationSystem/Client/Helpers/Resources.py Outdated
Comment thread src/DIRAC/ConfigurationSystem/Client/Helpers/Resources.py Outdated
Comment thread src/DIRAC/Core/Security/TokenInfo.py Outdated
Comment thread src/DIRAC/Core/Security/TokenInfo.py Outdated
Comment thread src/DIRAC/Core/Tornado/Client/private/TornadoBaseClient.py
Comment thread src/DIRAC/Core/Tornado/Server/BaseRequestHandler.py
Comment thread src/DIRAC/Core/Tornado/Server/TornadoServer.py Outdated
@TaykYoku TaykYoku force-pushed the integration_oauth_p01 branch from 04cd181 to ec4ed9b Compare May 24, 2021 16:41

@fstagni fstagni left a comment

Contributor


A non-complete review

Comment thread dirac.cfg Outdated
Comment thread environment-py3.yml Outdated
Comment thread setup.cfg Outdated
Comment thread src/DIRAC/ConfigurationSystem/Client/Utilities.py Outdated
Comment thread src/DIRAC/ConfigurationSystem/Client/Utilities.py
Comment thread src/DIRAC/ConfigurationSystem/Client/Utilities.py
Comment thread src/DIRAC/Core/Tornado/Client/private/TornadoBaseClient.py Outdated
Comment thread src/DIRAC/Core/Tornado/Server/HandlerManager.py Outdated
Comment thread src/DIRAC/Core/Tornado/Server/BaseRequestHandler.py
@TaykYoku TaykYoku force-pushed the integration_oauth_p01 branch from f7eb9ed to 59fd067 Compare June 1, 2021 23:48
@TaykYoku TaykYoku closed this Jun 2, 2021
@TaykYoku TaykYoku reopened this Jun 2, 2021
@TaykYoku TaykYoku force-pushed the integration_oauth_p01 branch from 68d885b to 63c355b Compare June 4, 2021 12:11
@TaykYoku TaykYoku requested a review from andresailer as a code owner June 4, 2021 12:11
Comment thread environment.yml Outdated
Comment thread environment-py3.yml Outdated
Comment thread src/DIRAC/ConfigurationSystem/Client/Utilities.py Outdated
Comment thread src/DIRAC/FrameworkSystem/ConfigTemplate.cfg
self.lifetime = None
self.provider = 'DIRACCLI'
self.issuer = None
self.proxyLoc = '/tmp/x509up_u%s' % os.getuid()

Contributor


What is this for?

Contributor Author


To get a proxy certificate instead of a token; I will add the keys.

Contributor


Sorry, I am confused then: isn't dirac-proxy-init for the proxy, dirac-login for the token?

Contributor Author


dirac-proxy-init uses the user certificate to generate a proxy with the DIRAC group extension.
dirac-login uses the DIRAC authorization server's authorization_endpoint to AuthN through an IdP (IAM/CheckIn) and AuthZ:

  • by obtaining access tokens with scopes related to the DIRAC group from the IdP (IAM/CheckIn).
  • by obtaining a proxy with the DIRAC group extension from the DIRAC ProxyManager.

Contributor Author


I'll think about how to combine it all.

Comment thread src/DIRAC/Resources/IdProvider/DIRACCLIIdProvider.py Outdated
Comment thread src/DIRAC/Resources/IdProvider/IdProviderFactory.py Outdated
Comment thread src/DIRAC/Core/Tornado/Server/BaseRequestHandler.py
Comment thread src/DIRAC/Core/Tornado/Server/BaseRequestHandler.py Outdated
Comment thread src/DIRAC/Resources/IdProvider/Utilities.py
Comment thread src/DIRAC/Core/Tornado/Server/BaseRequestHandler.py Outdated
Comment thread src/DIRAC/Core/Tornado/Server/BaseRequestHandler.py Outdated
Comment thread src/DIRAC/Core/Tornado/Server/BaseRequestHandler.py Outdated
Comment thread src/DIRAC/Core/Tornado/Server/BaseRequestHandler.py Outdated
Comment thread src/DIRAC/FrameworkSystem/API/AuthHandler.py Outdated
Comment thread src/DIRAC/FrameworkSystem/API/AuthHandler.py Outdated
Comment thread src/DIRAC/FrameworkSystem/private/authorization/utils/Tokens.py Outdated
Comment thread src/DIRAC/FrameworkSystem/private/authorization/utils/Tokens.py Outdated
Comment thread src/DIRAC/FrameworkSystem/private/authorization/utils/Tokens.py
Comment thread src/DIRAC/FrameworkSystem/private/authorization/utils/Tokens.py
Comment thread src/DIRAC/FrameworkSystem/scripts/dirac_logout.py Outdated
Comment thread src/DIRAC/FrameworkSystem/private/authorization/utils/Tokens.py Outdated
Comment thread src/DIRAC/FrameworkSystem/private/authorization/utils/Tokens.py Outdated
Comment thread src/DIRAC/FrameworkSystem/private/authorization/utils/Tokens.py Outdated
return writeToTokenFile(json.dumps(tokenDict), fileName)


class OAuth2Token(_OAuth2Token):

Member


The WLCG Bearer Token Discovery document also mentions handling multiple tokens, for cases where multiple VOs are being used. I know very little about multi-VO DIRAC, but is this something that should be included in the design of this interface?

Contributor Author


It is not implemented yet, but it can be implemented later based on practical use.

Comment thread src/DIRAC/FrameworkSystem/private/authorization/utils/Tokens.py
@TaykYoku TaykYoku force-pushed the integration_oauth_p01 branch from 63c355b to 0b56c5f Compare June 16, 2021 18:02
@TaykYoku TaykYoku force-pushed the integration_oauth_p01 branch 2 times, most recently from 756b910 to e64ec59 Compare June 22, 2021 18:37
Comment thread src/DIRAC/ConfigurationSystem/Client/Helpers/Registry.py Outdated
Comment thread src/DIRAC/ConfigurationSystem/Client/Helpers/Registry.py Outdated
Comment thread src/DIRAC/ConfigurationSystem/Service/TornadoConfigurationHandler.py Outdated
Comment thread src/DIRAC/Core/Tornado/Client/private/TornadoBaseClient.py Outdated
Comment thread src/DIRAC/Core/Tornado/Client/private/TornadoBaseClient.py
@TaykYoku

Contributor Author

restart tests

@TaykYoku TaykYoku reopened this Jun 30, 2021
@TaykYoku

Contributor Author

I avoided using token authentication when using Python 2. I hope I understood the latest requirements correctly.
Anyway, IIUC, since the next two releases still plan to allow installing a DIRAC server with Python 2, I can create a separate PR if OAuth2 support needs to be enabled in such an installation.

@TaykYoku TaykYoku force-pushed the integration_oauth_p01 branch from b09b3dd to 9876263 Compare September 4, 2021 18:24
@atsareg atsareg self-requested a review September 5, 2021 17:03
@atsareg atsareg merged commit 743f5ef into DIRACGrid:integration Sep 5, 2021
@TaykYoku TaykYoku deleted the integration_oauth_p01 branch September 6, 2021 13:34
@chrisburr chrisburr mentioned this pull request Sep 7, 2021