Versions Compared

Old Version 1

changes.mady.by.user Andrea Rendina

Saved on

compared with

New Version Current

changes.mady.by.user Carmelo Pellegrino

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

During the transition from X.509 certificates to JWT, it could be necessary to migrate all the users from a VOMS server to the experiment's IAM instance and keep periodically synchronized the two databases periodically synchronized.

In this regard, a voms-importer script has been developed at CNAF: https://github.com/indigo-iam/voms-importer.

...

  • ensure that the personal X.509 certificate is linked to the IAM account
  • create an X.509 grid-proxy from the command line interface (grid-proxy-init or voms-proxy-init)
  • add the grid-proxy to the own IAM account

...

docker pull indigoiam/voms-importer

One-shot import

If you just need to import all users at once and never again, you can execute the following A useful full set of commands, to be run in the container follows below.:

Code Block
languagebash
themeMidnight
titleOne-shot import commands and example output
bash ~$
Code Block
docker run -it --rm --entrypoint /bin/bash indigoiam/voms-importer
[test@87e660942272 ~]$ sudo su
[root@87e660942272 test]# cat >/etc/yum.repos.d/egi.repo <<EOF
[EGI-trustanchors]
name=EGI-trustanchors
baseurl=https://repository.egi.eu/sw/production/cas/1/current/
gpgkey=https://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3
gpgcheck=1
EOF

[root@87e660942272 test]# yum install ca-policy-egi-core -y
[root@87e660942272 test]# cp /etc/grid-security/certificates/*.pem /etc/pki/ca-trust/source/anchors/
[root@87e660942272 test]# update-ca-trust
[root@87e660942272 test]# exit

[test@87e660942272 ~]$ eval `oidc-agent`
[test@87e660942272 ~]$ oidc-gen -w device <client-name> # the "proxy:generate", "iam:admin.read", "iam:admin.write" and "scim:write" scopes are required
[...]

[test@87e660942272 ~]$ export IAM_ENDPOINT=https://iam-<experiment>.cloud.cnaf.infn.it/ (IAM URL)
=<iam-URL>
[test@87e660942272 ~]$ export OIDC_AGENT_ALIAS=<client-name>
[test@87e660942272 ~]$ export OIDC_AGENT_SECRET=***
[test@87e660942272 ~]$ export REQUESTS_CA_BUNDLE=/etc/pki/tls/cert.pem
[test@87e660942272 ~]$ init-credentials.sh
[test@87e660942272 ~]$ export X509_USER_PROXY=<generated-proxy-path>
[test@87e660942272 ~]$ vomsimporter --vo <vo-name> --voms-host <voms-server-host> --voms-port <voms-server-port> --iam-host <iam-hostname>
[test@87e660942272 ~]$ # (as example: vomsimporter --vo juno --voms-host voms-juno.ihep.ac.cn --voms-port 8443 --iam-host iam-juno.cloud.cnaf.infn.it)
[test@87e660942272 ~]$ oidc-gen -d <client-name> # finally, destroy the client

When a user has been imported from a VOMS server to IAM, the new username inside IAM will be the juxtaposition of the "user." string and the number ID of the user inside the VOMS server.
A valid example could be "user.44".

Continuous import

If you need to periodically synchronize the legacy VOMS server and the IAM, you can execute the following procedure, to be run in the container. The difference resides in the fact that the OIDC client is preserved within a persistent docker volume.

The persistent docker volume allows to use oidc-client without creating again a new client configuration every time the container spawns. To add the persistent docker volume for conservation of the oidc client information, use the following command:

Code Block
languagebash
themeMidnight
titleCreation and use of the persistent docker volume
bash ~$ docker volume create voms-importer
voms-importer
 
bash ~$ docker run -it --rm --entrypoint /bin/bash -v voms-importer:/home/test/.oidc-agent indigoiam/voms-importer


These preliminary command needs to be executed just the first time to change the ownership of the oidc client configuration folder:

Code Block
languagebash
themeMidnight
titleSet correct folder permissions
[test@87e660942272 ~]$ sudo chown test: /home/test/.oidc-agent


The oidc client is used to obtain access tokens. The oidc-agent will register a new client and store the client credentials encrypted inside the persistent docker volume. To register a new oidc client, use the following command (it is needed to do just the first time to create a new one):

Code Block
languagebash
themeMidnight
titleRegister an OIDC client
[test@87e660942272 ~]$ eval `oidc-agent`
[test@87e660942272 ~]$ oidc-gen -w device <client-name> # the "proxy:generate", "iam:admin.read", "iam:admin.write" and "scim:write" scopes are required
[...]
[test@87e660942272 ~]$ exit

The -w device instructs oidc-agent to use the device code flow for the authentication, which is the recommended way with INDIGO-IAM. oidc-agent will display a list of different providers that can be used for registration.

Then oidc-agent asks for the scopes. Specify the required scopes for the task the client is registered for. IAM asks you authorization for the client to operate on your behalf by requesting to authenticate with your browser and enter a code provided on the terminal to the indicated web address.


Then you can execute the following each time you need to synchronize the legacy VOMS server with IAM:

Code Block
languagebash
themeMidnight
titleExecute the import procedure
bash ~$ docker run -it --rm --entrypoint /bin/bash -v voms-importer:/home/test/.oidc-agent indigoiam/voms-importer      

[test@16df78882d8c test]# cat | sudo tee /etc/yum.repos.d/egi.repo <<EOF
[EGI-trustanchors]
name=EGI-trustanchors
baseurl=https://repository.egi.eu/sw/production/cas/1/current/
gpgkey=https://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3
gpgcheck=1
EOF

[test@16df78882d8c test]# sudo yum install ca-policy-egi-core -y
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
epel/x86_64/metalink                                                                              |  36 kB  00:00:00     
 * base: it1.mirror.vhosting-it.com
 * epel: it1.mirror.vhosting-it.com
 * extras: it1.mirror.vhosting-it.com
 * updates: it1.mirror.vhosting-it.com
EGI-trustanchors                                                                                  | 3.0 kB  00:00:00  

...
Complete!


[test@16df78882d8c test]# sudo cp /etc/grid-security/certificates/*.pem /etc/pki/ca-trust/source/anchors/
[test@16df78882d8c test]# sudo update-ca-trust

[test@16df78882d8c ~]$ eval `oidc-agent`
Agent pid 173

[test@16df78882d8c ~]$ export IAM_ENDPOINT=<iam-URL>
[test@16df78882d8c ~]$ export OIDC_AGENT_ALIAS=<client-name>
[test@16df78882d8c ~]$ export OIDC_AGENT_SECRET=***
[test@16df78882d8c ~]$ export REQUESTS_CA_BUNDLE=/etc/pki/tls/cert.pem
[test@16df78882d8c ~]$ init-credentials.sh
[test@16df78882d8c ~]$ export X509_USER_PROXY=<generated-proxy-path>
[test@16df78882d8c ~]$ vomsimporter --vo <vo-name> --voms-host <voms-server-host> --voms-port <voms-server-port> --iam-host iam-<experiment><iam-hostname>
[test@16df78882d8c ~]$ # (as example: vomsimporter --vo juno --voms-host voms-juno.ihep.ac.cn --voms-port 8443 --iam-host iam-juno.cloud.cnaf.infn.it)