[v8.0] feat: add documentation to setup pilots with tokens #7176
b29bff5 to cf3c0c3
In principle almost all backticks should probably be double backticks.
(Single backticks are references, double backticks are "code")
But it is fine to me, except maybe for some clarifications.
Also maybe @marianne013 or @sfayer want to read through this as they have tried it?
cf3c0c3 to eed94af
This needs a warning that this is not multi-VO compatible, i.e. for a given CE either all or none of the VOs using the CE have to use tokens.
eed94af to a16c43a
I added a warning.
Did we ever agree on any strategy for multi-VO? I guess we could have a property of the CE along the lines of X509VOs = ...., then as VOs transition to tokens there would be less and less of them in that list until they've all transitioned and it's empty.
Not really actually 😅
But then you would have to manually update this list right? What about having the logic in the
If one of these 2 conditions is not satisfied, then the Site Director submits pilots with proxies. What do you think @marianne013 ?
What if we have a VO and some sites use tokens and others don't? I believe that is still the case for CMS (not that they are using DIRAC, but if CMS can't convince all their sites to update, what chance do I have?) The transition will be a mess one way or the other. There is certainly something to be said for not trying tokens for a VO that doesn't have a non-X509 id provider.
The
We assume that will be the most common scenario, not all VOs will get their tokens ready at the same time.
With the solution I proposed:
The only problem I see with the solution I proposed is the transition period. Here is an example:
Do you think it would be a problem?
Hi, Unfortunately I think this is likely to be a problem: It's likely that we will want to switch VOs over to tokens one at a time, test it on a small number of CE/Sites for a while and then scale it up to other sites (e.g. a long transition period). Would it be possible to add a setting or something to allow us to accommodate that? Regards,
a16c43a to b3590a0
This PR can be merged once #7208 is merged.
Sweep summary
Sweep ran in https://github.com/DIRACGrid/DIRAC/actions/runs/6582746336
Successful:
Related to #7123
BEGINRELEASENOTES
*docs
NEW: add documentation about setting up DIRAC to submit pilots with tokens
ENDRELEASENOTES