From b3590a06cf1019db83828f398cbfd4224475117e Mon Sep 17 00:00:00 2001 From: aldbr Date: Mon, 21 Aug 2023 18:47:39 +0200 Subject: [PATCH] feat: add documentation to setup pilots with tokens --- .../source/AdministratorGuide/HowTo/index.rst | 1 + .../HowTo/pilotsWithTokens.rst | 87 +++++++++++++++++++ 2 files changed, 88 insertions(+) create mode 100644 docs/source/AdministratorGuide/HowTo/pilotsWithTokens.rst diff --git a/docs/source/AdministratorGuide/HowTo/index.rst b/docs/source/AdministratorGuide/HowTo/index.rst index 493e7590a9b..0181737f59d 100644 --- a/docs/source/AdministratorGuide/HowTo/index.rst +++ b/docs/source/AdministratorGuide/HowTo/index.rst @@ -15,3 +15,4 @@ FIXME: These sections describes things multiVO pitExport dedicateddfc + pilotsWithTokens diff --git a/docs/source/AdministratorGuide/HowTo/pilotsWithTokens.rst b/docs/source/AdministratorGuide/HowTo/pilotsWithTokens.rst new file mode 100644 index 00000000000..9fdaf1dbbf0 --- /dev/null +++ b/docs/source/AdministratorGuide/HowTo/pilotsWithTokens.rst @@ -0,0 +1,87 @@ +.. _pilots-with-tokens: + +===================================== +Submitting pilots to CEs using tokens +===================================== + + +This guide outlines the process of setting up DIRAC to submit pilots using access tokens obtained via a ``client_credentials`` flow from a token provider. + +Setting up an ``IdProvider`` +---------------------------- + +- Set up an OAuth2 client in the token provider and obtain a ``client_id`` and a ``client_secret``. + + .. warning:: The client credentials obtained are confidential, store them in a secure place. + Any malicious user able to get access to them would be able to generate access tokens on your behalf. + To avoid any major issue, we recommend you to only grant essential privileges to the client (``compute`` scopes). + +- Add the client credentials in the ``dirac.cfg`` of the relevant server configuration such as: + + .. code-block:: guess + + Resources + { + IdProviders + { + + { + client_id = + client_secret = + } + } + } + +- Then in your global configuration, add the following section to set up an ``IdProvider`` interface: + + .. code-block:: guess + + Resources + { + IdProviders + { + + { + issuer = + } + } + } + +- Finally, connect the OIDC provider to a specific VO by adding the following option: + + .. code-block:: guess + + Registry + { + VO + { + + { + IdProvider = + } + } + } + +.. note:: Get more details about the DIRAC configuration from the :ref:`Configuration ` section. + +Launching the ``TokenManagerHandler`` +------------------------------------- + +Run the following commands from a DIRAC client to install the ``Framework/TokenManager`` Tornado service: + +.. code-block:: console + + $ dirac-proxy-init -g dirac_admin + + $ dirac-admin-sysadmin-cli --host + + > install service Framework TokenManager + +.. note:: ``Tornado`` and then ``TokenManager`` might need to be restarted. +.. note:: Get more details about the system administrator interface from the :ref:`System Administrator Interface ` section. + +Marking computing resources and VOs as token-ready +-------------------------------------------------- + +To specify that a given VO is ready to use tokens on a given CE, add the ``Tag = Token:`` option within the CE section, and then restart the ``Site Directors``. +Once all your VOs are ready to use tokens, just specify ``Tag = Token``.