Difference between revisions of "Dirac GridPP DIRAC Tokens"

From GridPP Wiki
Jump to: navigation, search
 
(11 intermediate revisions by one user not shown)
Line 1: Line 1:
 +
<p style="color:red">'''This Wiki page has been frozen and will soon become obsolete. The current version can be found under [https://github.com/ic-hep/gridpp-dirac-users/wiki/GridPP-DIRAC-Tokens https://github.com/ic-hep/gridpp-dirac-users/wiki/GridPP-DIRAC-Tokens].'''</p>
  
 
== Enabling Tokens for VOs supported on the GridPP DIRAC instance  ==
 
== Enabling Tokens for VOs supported on the GridPP DIRAC instance  ==
  
We are rolling out pilot submissions using token for the pilots on the GridPP DIRAC instance. Users are still expected to use certificates. VOs that are currently supported on the GridPP voms servers will use an IAM instance co-located with the DIRAC instance. VOs not supported by the GridPP voms servers have been advised to commission their own IAM server. For all practical purposes this mainly concerns the Moedal VO who has been told that it will take CERN until "early 2024" to deploy an IAM server for them: [https://cern.service-now.com/service-portal?id=ticket&table=u_request_fulfillment&n=RQF2470783 CERN ticket].
+
We are rolling out pilot submissions using tokens for the pilots on the GridPP DIRAC instance. Users are still expected to use certificates. VOs that are currently supported on the GridPP voms servers will use an IAM instance co-located with the DIRAC instance. VOs not supported by the GridPP voms servers have been advised to commission their own IAM server.  
  
Apart from its production server GridPP has a DIRAC pre-prod server where new releases are tested to ensure they comply with the GridPP use cases. This pre-prod server is using a different client id, so we can distinguish were the pilots are coming from. The GridPP DIRAC support team, aka Simon and Daniela would appreciate it if you could configure these clients as well and preferentially map them to a distinct pilot account. We only use the gridpp and lz VOs for testing in pre-prod. We use a very small number of UK sites for certification of new DIRAC releases at CERN, which also uses tokens (or at least tries to). If this concerns your site, we will talk to you.
+
Apart from its production server GridPP hosts a DIRAC pre-prod server where new releases are tested to ensure they comply with the GridPP use cases. This pre-prod server is using a different client id, so we can distinguish were the pilots are coming from. The GridPP DIRAC support team, aka Simon and Daniela would appreciate it if you could configure these clients as well and preferentially map them to a distinct pilot account. We only use the gridpp and lz VOs for testing in pre-prod. We also use a very small number of UK sites for certification of new DIRAC releases at CERN, which also uses tokens (or at least tries to). If this concerns your site, we will talk to you.
  
d19ac000-1c1c-4444-1c1c-d19ac000001
+
For the production server:
  
 +
{|class="wikitable"
 +
|-
 +
| gridpp || https://iam.grid.hep.ph.ic.ac.uk/ || d19ac000-1c1c-4444-1c1c-d19ac000001
 +
|-
 +
| cernatschool.org || https://iam.grid.hep.ph.ic.ac.uk/ || d19ac000-1c1c-4444-1c1c-d19ac000002
 +
|-
 +
| comet.j-parc.jp || https://iam.grid.hep.ph.ic.ac.uk/ || d19ac000-1c1c-4444-1c1c-d19ac000003
 +
|-
 +
| eucliduk.net ||  https://iam.grid.hep.ph.ic.ac.uk/ || d19ac000-1c1c-4444-1c1c-d19ac000004
 +
|-
 +
| hyperk.org ||  https://iam.grid.hep.ph.ic.ac.uk/ || d19ac000-1c1c-4444-1c1c-d19ac000005
 +
|-
 +
| lz || https://iam.grid.hep.ph.ic.ac.uk/ || d19ac000-1c1c-4444-1c1c-d19ac000006
 +
|-
 +
| mice || https://iam.grid.hep.ph.ic.ac.uk/ || d19ac000-1c1c-4444-1c1c-d19ac000007
 +
|-
 +
| mu3e.org || https://iam.grid.hep.ph.ic.ac.uk/ || d19ac000-1c1c-4444-1c1c-d19ac000008
 +
|-
 +
| na62.vo.gridpp.ac.uk || https://iam.grid.hep.ph.ic.ac.uk/ || d19ac000-1c1c-4444-1c1c-d19ac000009
 +
|-
 +
| pheno ||  https://iam.grid.hep.ph.ic.ac.uk/ || d19ac000-1c1c-4444-1c1c-d19ac00000a
 +
|-
 +
| snoplus.snolab.ca || https://iam.grid.hep.ph.ic.ac.uk/ || d19ac000-1c1c-4444-1c1c-d19ac00000b
 +
|-
 +
| solidexperiment.org || https://iam.grid.hep.ph.ic.ac.uk/ || d19ac000-1c1c-4444-1c1c-d19ac00000c
 +
|-
 +
| t2k.org || https://iam.grid.hep.ph.ic.ac.uk/ || d19ac000-1c1c-4444-1c1c-d19ac00000d
 +
|-
 +
| vo.moedal.org || https://moedal-auth.cern.ch/ || c781e891-3dc7-4571-b66e-034b6ffd27d3
 +
|-
 +
| vo.northgrid.ac.uk || https://iam.grid.hep.ph.ic.ac.uk/ || d19ac000-1c1c-4444-1c1c-d19ac00000e
 +
|-
 +
| vo.scotgrid.ac.uk || https://iam.grid.hep.ph.ic.ac.uk/ || d19ac000-1c1c-4444-1c1c-d19ac00000f
 +
|}
 +
 +
For the pre-prod server (optional):
 +
{|class="wikitable"
 +
|-
 +
| gridpp || https://iam.grid.hep.ph.ic.ac.uk/ || d19ac001-1c1c-4444-1c1c-d19ac000001
 +
|-
 +
| lz  || https://iam.grid.hep.ph.ic.ac.uk/ || d19ac001-1c1c-4444-1c1c-d19ac000006
 +
|}
  
 
=== Notes on ARC6 ===
 
=== Notes on ARC6 ===
Line 27: Line 70:
  
 
=== Notes on HTCondorCE ===
 
=== Notes on HTCondorCE ===
 +
The first line is for the gridpp VO on the production server, the second line on the pre-prod server. <br>
 +
/etc/condor-ce/mapfiles.d/10-scitokens.conf
 +
<pre>
 +
SCITOKENS /^https\:\/\/iam\.grid\.hep\.ph\.ic\.ac\.uk\/,d19ac000\-1c1c\-4444\-1c1c\-d19ac000001$/  ce3-gridpptkn1
 +
SCITOKENS /^https\:\/\/iam\.grid\.hep\.ph\.ic\.ac\.uk\/,d19ac001\-1c1c\-4444\-1c1c\-d19ac000001$/  ce3-gridpptkn2
 +
</pre>

Latest revision as of 17:21, 25 June 2024

This Wiki page has been frozen and will soon become obsolete. The current version can be found under https://github.com/ic-hep/gridpp-dirac-users/wiki/GridPP-DIRAC-Tokens.

Enabling Tokens for VOs supported on the GridPP DIRAC instance

We are rolling out pilot submissions using tokens for the pilots on the GridPP DIRAC instance. Users are still expected to use certificates. VOs that are currently supported on the GridPP voms servers will use an IAM instance co-located with the DIRAC instance. VOs not supported by the GridPP voms servers have been advised to commission their own IAM server.

Apart from its production server GridPP hosts a DIRAC pre-prod server where new releases are tested to ensure they comply with the GridPP use cases. This pre-prod server is using a different client id, so we can distinguish were the pilots are coming from. The GridPP DIRAC support team, aka Simon and Daniela would appreciate it if you could configure these clients as well and preferentially map them to a distinct pilot account. We only use the gridpp and lz VOs for testing in pre-prod. We also use a very small number of UK sites for certification of new DIRAC releases at CERN, which also uses tokens (or at least tries to). If this concerns your site, we will talk to you.

For the production server:

gridpp https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000001
cernatschool.org https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000002
comet.j-parc.jp https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000003
eucliduk.net https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000004
hyperk.org https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000005
lz https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000006
mice https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000007
mu3e.org https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000008
na62.vo.gridpp.ac.uk https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000009
pheno https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac00000a
snoplus.snolab.ca https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac00000b
solidexperiment.org https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac00000c
t2k.org https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac00000d
vo.moedal.org https://moedal-auth.cern.ch/ c781e891-3dc7-4571-b66e-034b6ffd27d3
vo.northgrid.ac.uk https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac00000e
vo.scotgrid.ac.uk https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac00000f

For the pre-prod server (optional):

gridpp https://iam.grid.hep.ph.ic.ac.uk/ d19ac001-1c1c-4444-1c1c-d19ac000001
lz https://iam.grid.hep.ph.ic.ac.uk/ d19ac001-1c1c-4444-1c1c-d19ac000006

Notes on ARC6

Courtesy of Chris Brew. The "/" at the end of the URL is important. 

[authtokens]
…
[authgroup: gridpp_iam_prod]
authtokens = d19ac000-1c1c-4444-1c1c-d19ac000001 https://iam.grid.hep.ph.ic.ac.uk/ * * *
[authgroup: gridpp_iam_test]
authtokens = d19ac001-1c1c-4444-1c1c-d19ac000001 https://iam.grid.hep.ph.ic.ac.uk/ * * *

[mapping]
…
map_to_user = gridpp_iam_prod pltgpp01:pltgpp
map_to_user = gridpp_iam_test pltgpp02:pltgpp

Notes on HTCondorCE

The first line is for the gridpp VO on the production server, the second line on the pre-prod server.
/etc/condor-ce/mapfiles.d/10-scitokens.conf 

SCITOKENS /^https\:\/\/iam\.grid\.hep\.ph\.ic\.ac\.uk\/,d19ac000\-1c1c\-4444\-1c1c\-d19ac000001$/  ce3-gridpptkn1
SCITOKENS /^https\:\/\/iam\.grid\.hep\.ph\.ic\.ac\.uk\/,d19ac001\-1c1c\-4444\-1c1c\-d19ac000001$/  ce3-gridpptkn2
Retrieved from "https://www.gridpp.ac.uk/w/index.php?title=Dirac_GridPP_DIRAC_Tokens&oldid=21564"