Merge pull request #7252 from DIRACGridBot/cherry-pick-2-9649f6e39-integration

[sweep:integration] feat: add documentation to setup pilots with tokens
fstagni authored Oct 20, 2023
2 parents f5629f3 + cf16387 commit 5b7f542
Showing 2 changed files with 88 additions and 0 deletions.
1 change: 1 addition & 0 deletions docs/source/AdministratorGuide/HowTo/index.rst
Expand Up @@ -15,3 +15,4 @@ FIXME: These sections describes things
multiVO
pitExport
dedicateddfc
pilotsWithTokens
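Review bot: the toctree context line `FIXME: These sections describes things` has a subject-verb agreement error (`describe`); since this hunk already edits that toctree, fixing it in the same change would be cheap. The new `pilotsWithTokens` entry itself matches the file added below under `docs/source/AdministratorGuide/HowTo/pilotsWithTokens.rst`.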
87 changes: 87 additions & 0 deletions docs/source/AdministratorGuide/HowTo/pilotsWithTokens.rst
@@ -0,0 +1,87 @@
.. _pilots-with-tokens:

=====================================
Submitting pilots to CEs using tokens
=====================================


This guide outlines the process of setting up DIRAC to submit pilots using access tokens obtained via a ``client_credentials`` flow from a token provider.

Setting up an ``IdProvider``
----------------------------

- Set up an OAuth2 client in the token provider and obtain a ``client_id`` and a ``client_secret``.

.. warning:: The client credentials obtained are confidential, store them in a secure place.
Any malicious user able to get access to them would be able to generate access tokens on your behalf.
To avoid any major issue, we recommend you to only grant essential privileges to the client (``compute`` scopes).

- Add the client credentials in the ``dirac.cfg`` of the relevant server configuration such as:

.. code-block:: guess
Resources
{
IdProviders
{
<IdProvider name>
{
client_id = <client_id>
client_secret = <client_secret>
}
}
}
- Then in your global configuration, add the following section to set up an ``IdProvider`` interface:

.. code-block:: guess
Resources
{
IdProviders
{
<IdProvider name>
{
issuer = <OIDC provider issuer URL>
}
}
}
- Finally, connect the OIDC provider to a specific VO by adding the following option:

.. code-block:: guess
Registry
{
VO
{
<VO name>
{
IdProvider = <IdProvider name>
}
}
}
.. note:: Get more details about the DIRAC configuration from the :ref:`Configuration <dirac-configuration>` section.

Launching the ``TokenManagerHandler``
-------------------------------------

Run the following commands from a DIRAC client to install the ``Framework/TokenManager`` Tornado service:

.. code-block:: console
$ dirac-proxy-init -g dirac_admin
$ dirac-admin-sysadmin-cli --host <dirac host>
> install service Framework TokenManager
.. note:: ``Tornado`` and then ``TokenManager`` might need to be restarted.
.. note:: Get more details about the system administrator interface from the :ref:`System Administrator Interface <system-admin-console>` section.

Marking computing resources and VOs as token-ready
--------------------------------------------------

To specify that a given VO is ready to use tokens on a given CE, add the ``Tag = Token:<VO>`` option within the CE section, and then restart the ``Site Directors``.
Once all your VOs are ready to use tokens, just specify ``Tag = Token``.
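Review bot: the placement of ``client_secret`` is not stated precisely enough for a secret this sensitive. The first ``Resources/IdProviders`` block goes into "the ``dirac.cfg`` of the relevant server configuration" and the second into "your global configuration", but the text never says which server is meant (presumably the host on which ``Framework/TokenManager`` is installed in the following section) nor says plainly that ``client_id``/``client_secret`` must stay out of the global configuration, which is exactly the exposure the warning above describes. Suggest stating it in the warning itself, e.g. `Never put client_secret in the global configuration; keep it only in the local dirac.cfg of the host running the TokenManager service`. Two smaller points: the note `Tornado and then TokenManager might need to be restarted` should say under which condition a restart is needed, and the last section should state what a Site Director does on a CE tagged `Token:<VO>` when no token can be obtained (fall back to proxy submission, or fail), since that is the operational failure mode an administrator needs to know before enabling it.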
