Currently, two technologies are involved in Authentication (AuthN for short) and Authorization (AuthZ) in the computing grid:

...

They allow users to interact with the grid middleware, for example HTCondor-CE and ARC-CE for computing job submission, and StoRM WebDAV, dCache, XRootD, etc. for storage management.

...

For generating a proxy certificate without VOMS extensions, a user can issue the following command: 

[ashtimmerman@ui-tier1 ~]$ voms-proxy-init --voms juno
Enter GRID pass phrase for this identity:
Created proxy in /tmp/x509up_u10171.
Your proxy is valid until Wed Jun 18 07:04:04 CEST 2025

...

[ashtimmerman@ui-tier1 ~]$ voms-proxy-info --all 
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it/CN=1171514709
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
identity  : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u10171
timeleft  : 11:58:42
key usage : Digital Signature, Key Encipherment
=== VO juno extension information ===
VO        : juno
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare/CN=voms-juno.cloud.cnaf.infn.it
attribute : /juno/Role=NULL/Capability=NULL
timeleft  : 11:58:42
uri       : voms-juno.cloud.cnaf.infn.it:15008
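As an added example, not part of the original page: the following Python script (standard library only) parses voms-proxy-info --all output of the shape shown above and applies the checks a submission tool would want before using the proxy: that the subject is the issuer DN plus exactly one CN component (the RFC 3820 rule behind the "type" line), that the proxy still has time left, and that each VOMS attribute certificate is held by the proxy identity and is itself still valid. The DNs, VOMS server name and timeleft values are constructed placeholders; the VO extension is deliberately given zero time left, to show the case of a still-valid proxy whose VOMS extension has expired.

```python
import re
from datetime import timedelta

# Constructed sample modelled on the voms-proxy-info --all output above
# (placeholder DNs and VOMS server, not the real ones from the page).
# The VO attribute certificate is given 00:00:00 time left on purpose,
# to show a proxy that is still valid while its VOMS extension is not.
SAMPLE_OUTPUT = """\
subject   : /DC=org/DC=example/O=Example Org/CN=Jane Doe jane@example.org/CN=123456789
issuer    : /DC=org/DC=example/O=Example Org/CN=Jane Doe jane@example.org
identity  : /DC=org/DC=example/O=Example Org/CN=Jane Doe jane@example.org
type      : RFC3820 compliant impersonation proxy
timeleft  : 11:58:42
key usage : Digital Signature, Key Encipherment
=== VO juno extension information ===
VO        : juno
subject   : /DC=org/DC=example/O=Example Org/CN=Jane Doe jane@example.org
issuer    : /DC=org/DC=example/O=Example Org/CN=voms.example.org
attribute : /juno/Role=NULL/Capability=NULL
attribute : /juno/production/Role=NULL/Capability=NULL
timeleft  : 00:00:00
uri       : voms.example.org:15008
"""

KV_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")  # "key usage : value"
VO_HEADER_RE = re.compile(r"^=== VO (\S+) extension information ===$")


def parse_timeleft(value):
    """Convert an 'HH:MM:SS' timeleft field into a timedelta."""
    hours, minutes, seconds = (int(p) for p in value.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def parse_proxy_info(text):
    """Split the output into the proxy block and one dict per VO extension.
    'attribute' may repeat (one line per FQAN), so it is kept as a list."""
    proxy, vos, current = {}, [], None
    for line in text.splitlines():
        header = VO_HEADER_RE.match(line)
        if header:
            current = {"VO": header.group(1), "attribute": []}
            vos.append(current)
            continue
        kv = KV_RE.match(line)
        if not kv:
            continue
        key, value = kv.groups()
        target = proxy if current is None else current
        if key == "attribute":
            target.setdefault("attribute", []).append(value)
        else:
            target[key] = value
    return proxy, vos


def is_rfc3820_subject(subject, issuer):
    """RFC 3820 rule: proxy subject = issuer DN plus exactly one extra CN RDN."""
    if not subject.startswith(issuer):
        return False
    rest = subject[len(issuer):]
    return rest.startswith("/CN=") and "/" not in rest[1:]


def parse_fqan(fqan):
    """Split '/vo/group/Role=r/Capability=c' into (group, role, capability)."""
    groups, role, capability = [], None, None
    for part in fqan.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            capability = part[len("Capability="):]
        else:
            groups.append(part)
    return "/" + "/".join(groups), role, capability


def check_proxy(text):
    """Return the problems a submission tool should report before using the proxy."""
    proxy, vos = parse_proxy_info(text)
    problems = []
    if not is_rfc3820_subject(proxy.get("subject", ""), proxy.get("issuer", "")):
        problems.append("proxy subject is not the issuer DN plus one CN component")
    if parse_timeleft(proxy.get("timeleft", "00:00:00")) <= timedelta(0):
        problems.append("proxy certificate has expired")
    if not vos:
        problems.append("no VOMS extension present (plain proxy)")
    for vo in vos:
        if vo.get("subject") != proxy.get("identity"):
            problems.append(f"VO {vo['VO']}: attribute certificate holder differs from proxy identity")
        if parse_timeleft(vo.get("timeleft", "00:00:00")) <= timedelta(0):
            problems.append(f"VO {vo['VO']}: attribute certificate has expired")
    return problems
```

In real use the text fed to check_proxy would come from running voms-proxy-info --all (for instance via subprocess.run) rather than the embedded sample; the point of the separate VO check is that a proxy can still be accepted by the CA chain validation while the VOMS attribute certificate inside it has already expired, which is one of the most common reasons a job submission is refused by the CE.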

Often, for debugging purposes, it is useful to display the entire certificate chain, including intermediate and root certificates used to validate the proxy: 

...

following the steps required by the application, namely:

  • initialise the OIDC client's name
  • insert the IAM URL (e.g. https://iam-t1-computing.cloud.cnaf.infn.it/)
  • when a web page for authentication opens, enter the credentials of the IAM account
  • authorise the new client
  • set a password for the client by typing it twice at the terminal prompt.

For example:

[ashtimmerman@ui-tier1 ~]$ oidc-gen -w device axy
[1] https://iam-t1-computing.cloud.cnaf.infn.it/
[...]
Issuer [https://iam-t1-computing.cloud.cnaf.infn.it/]: 
The following scopes are supported: openid profile email address phone offline_access eduperson_scoped_affiliation eduperson_entitlement eduperson_assurance entitlements wlcg.groups compute.read compute.create compute.cancel compute.modify storage.read storage.create storage.modify storage.stage
Scopes or 'max' (space separated) [openid profile offline_access]: compute.read compute.create compute.cancel compute.modify openid profile offline_access
Registering Client ...
Generating account configuration ...
accepted

Using a browser on any device, visit:
https://iam-t1-computing.cloud.cnaf.infn.it/device

And enter the code: REDACTED
Alternatively you can use the following QR code to visit the above listed URL.

Enter encryption password for account configuration <client_name>: 
Confirm encryption password: 
Everything setup correctly!

From the second time on, it will be enough to load the existing account configuration:

...

[ashtimmerman@ui-tier1 ~]$ export BEARER_TOKEN=$(oidc-token <client_name>)

To inspect the content of the JWT, the jq tool can be used:

[ashtimmermanus@ui-tier1 ~]$ oidc-token axy | jq -R 'split(".")[1] | @base64d | fromjson'

The token will be valid for 60 minutes, but a new token can be obtained by issuing the oidc-token command again.
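As an added example, not from the original page: the jq one-liner above only base64-decodes the payload, so the following Python script (standard library only) does the same decoding, adds the padding that base64url omits, computes how many seconds remain before the exp claim, checks that the compute.* scopes requested with oidc-gen were actually granted, and then shows why decoding is not verification: a payload swapped in under the old signature decodes just as cleanly but fails the signature check. The issuer, subject, secret and timestamps are constructed placeholders; HS256 with a shared secret stands in for the RS256 signature a real IAM uses, so that the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret.  Real IAM tokens are signed with the issuer's
# private key (RS256) and are verified against its published JWKS; HS256
# with a shared secret is used here only so the example runs offline.
DEMO_SECRET = b"demo-secret-not-a-real-key"


def b64url_decode(segment):
    """Decode a base64url segment; JWT segments carry no '=' padding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_demo_token(claims, secret=DEMO_SECRET):
    """Build an HS256-signed JWT from the given claims (demo only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def inspect_token(token):
    """Decode header and payload without verifying: what the jq one-liner does."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def seconds_left(token, now=None):
    """Seconds until the 'exp' claim; negative means the token has expired."""
    _, payload = inspect_token(token)
    return payload["exp"] - (time.time() if now is None else now)


def has_scopes(token, required):
    """True if every required scope appears in the space-separated 'scope' claim."""
    _, payload = inspect_token(token)
    return set(required) <= set(payload.get("scope", "").split())


def verify_hs256(token, secret=DEMO_SECRET):
    """Check the HS256 signature with a constant-time comparison."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def replace_payload(token, claims):
    """Swap the payload but keep the old signature: the decoded claims still
    look fine to inspect_token, and only verify_hs256 notices the change."""
    header_b64, _, sig_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"


# Constructed claims modelled on a token from the IAM above: 60-minute
# lifetime and the compute.* scopes requested at oidc-gen time.
ISSUED_AT = 1_750_000_000  # fixed timestamp so results are reproducible
DEMO_CLAIMS = {
    "iss": "https://iam.example.org/",
    "sub": "00000000-0000-0000-0000-000000000000",
    "iat": ISSUED_AT,
    "exp": ISSUED_AT + 3600,
    "scope": "openid profile offline_access compute.read compute.create "
             "compute.cancel compute.modify",
    "wlcg.ver": "1.0",
}
DEMO_TOKEN = make_demo_token(DEMO_CLAIMS)

if __name__ == "__main__":
    print(json.dumps(inspect_token(DEMO_TOKEN)[1], indent=2))
    print("seconds left:", seconds_left(DEMO_TOKEN, now=ISSUED_AT))
```

The practical takeaway is that the jq command is fine for seeing which scopes and which expiry a token carries, but anything that makes an authorization decision (a CE, a storage endpoint) must verify the signature against the issuer's keys first; replace_payload exists only to make that difference visible.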

At the end, stop the oidc-agent daemon:

...

[ashtimmerman@ui-tier1 ~]$ oidc-add -l
The following account configurations are usable: 
axy
myobolicatest
t1-computing

Finally, the list of the currently loaded accounts can be retrieved with:

...