Dirac GridPP DIRAC Tokens


Enabling Tokens for VOs supported on the GridPP DIRAC instance

We are rolling out pilot submissions using tokens for the pilots on the GridPP DIRAC instance. Users are still expected to use certificates. VOs that are currently supported on the GridPP VOMS servers will use an IAM instance co-located with the DIRAC instance. VOs not supported by the GridPP VOMS servers have been advised to commission their own IAM server. For all practical purposes this mainly concerns the Moedal VO, which has been told that it will take CERN until "early 2024" to deploy an IAM server for them (see the CERN ticket).

Apart from its production server, GridPP hosts a DIRAC pre-prod server where new releases are tested to ensure they comply with the GridPP use cases. This pre-prod server uses a different client id, so we can distinguish where the pilots are coming from. The GridPP DIRAC support team (aka Simon and Daniela) would appreciate it if you could configure these clients as well and preferably map them to a distinct pilot account. We only use the gridpp and lz VOs for testing in pre-prod. We also use a very small number of UK sites for certification of new DIRAC releases at CERN, which also uses tokens (or at least tries to). If this concerns your site, we will talk to you.

For the production server (columns: VO, IAM server URL, client id):

gridpp https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000001
cernatschool.org https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000002
comet.j-parc.jp https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000003
eucliduk.net https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000004
hyperk.org https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000005
lz https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000006
mice https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000007
mu3e.org https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000008
na62.vo.gridpp.ac.uk https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac000009
pheno https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac00000a
snoplus.snolab.ca https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac00000b
solidexperiment.org https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac00000c
t2k.org https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac00000d
vo.moedal.org TBD (CERN) TBD (CERN)
vo.northgrid.ac.uk https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac00000e
vo.scotgrid.ac.uk https://iam.grid.hep.ph.ic.ac.uk/ d19ac000-1c1c-4444-1c1c-d19ac00000f

For the pre-prod server (optional; same columns):

gridpp https://iam.grid.hep.ph.ic.ac.uk/ d19ac001-1c1c-4444-1c1c-d19ac000001
lz https://iam.grid.hep.ph.ic.ac.uk/ d19ac001-1c1c-4444-1c1c-d19ac000006

Notes on ARC6

Courtesy of Chris Brew. The "/" at the end of the URL is important.

[authtokens]
…
[authgroup: gridpp_iam_prod]
authtokens = d19ac000-1c1c-4444-1c1c-d19ac000001 https://iam.grid.hep.ph.ic.ac.uk/ * * *
[authgroup: gridpp_iam_test]
authtokens = d19ac001-1c1c-4444-1c1c-d19ac000001 https://iam.grid.hep.ph.ic.ac.uk/ * * *

[mapping]
…
map_to_user = gridpp_iam_prod pltgpp01:pltgpp
map_to_user = gridpp_iam_test pltgpp02:pltgpp

Notes on HTCondorCE

The first line is for the gridpp VO on the production server, the second line is for the gridpp VO on the pre-prod server. The file is:
/etc/condor-ce/mapfiles.d/10-scitokens.conf

SCITOKENS /^https\:\/\/iam\.grid\.hep\.ph\.ic\.ac\.uk\/,d19ac000\-1c1c\-4444\-1c1c\-d19ac000001$/  ce3-gridpptkn1
SCITOKENS /^https\:\/\/iam\.grid\.hep\.ph\.ic\.ac\.uk\/,d19ac001\-1c1c\-4444\-1c1c\-d19ac000001$/  ce3-gridpptkn2
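
A way to check offline which local account a given token would be mapped to by the two mapfile lines above, and why the trailing "/" on the issuer matters (added example, not part of the original wiki page or of HTCondor-CE). It assumes the CE matches each regex against the string "issuer,subject" and that the token's sub claim carries the client id, as the configurations on this page imply; the sample tokens are constructed and unsigned, and the helper names are hypothetical.

```python
import base64, json, re

# The two mapfile lines from this page (10-scitokens.conf), copied verbatim.
MAPFILE = r"""
SCITOKENS /^https\:\/\/iam\.grid\.hep\.ph\.ic\.ac\.uk\/,d19ac000\-1c1c\-4444\-1c1c\-d19ac000001$/  ce3-gridpptkn1
SCITOKENS /^https\:\/\/iam\.grid\.hep\.ph\.ic\.ac\.uk\/,d19ac001\-1c1c\-4444\-1c1c\-d19ac000001$/  ce3-gridpptkn2
"""

def parse_mapfile(text):
    """Return [(compiled_regex, local_account)] for each SCITOKENS line."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*SCITOKENS\s+/(.*)/\s+(\S+)\s*$", line)
        if m:
            rules.append((re.compile(m.group(1)), m.group(2)))
    return rules

def claims(jwt):
    """Decode the payload of a JWT WITHOUT verifying it (debugging aid only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def map_token(jwt, rules):
    """First matching account for the token's 'iss,sub' identity, else None."""
    c = claims(jwt)
    identity = f"{c['iss']},{c['sub']}"  # assumed identity format, see lead-in
    for regex, account in rules:
        if regex.search(identity):
            return account
    return None

def fake_token(iss, sub):
    """Constructed, unsigned sample token; not issued by any real IAM server."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'iss': iss, 'sub': sub})}.sig"

RULES = parse_mapfile(MAPFILE)
ISS = "https://iam.grid.hep.ph.ic.ac.uk/"

if __name__ == "__main__":
    for iss, sub in [(ISS, "d19ac000-1c1c-4444-1c1c-d19ac000001"),            # prod gridpp
                     (ISS, "d19ac001-1c1c-4444-1c1c-d19ac000001"),            # pre-prod gridpp
                     (ISS.rstrip("/"), "d19ac000-1c1c-4444-1c1c-d19ac000001"),  # no trailing "/"
                     (ISS, "d19ac000-1c1c-4444-1c1c-d19ac000002")]:           # VO with no rule
        print(iss, sub, "->", map_token(fake_token(iss, sub), RULES))
```

The helper only inspects claims for mapping purposes; signature, expiry and audience checks remain the job of the CE itself.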