During the transition from X.509 certificates to JWT, it could be necessary to migrate all the users from a VOMS server to the experiment's IAM instance and keep the two databases periodically synchronized.
In this regard, a voms-importer script has been developed: https://github.com/indigo-iam/voms-importer.
In order to properly implement the script above, a user needs to be both a VO and IAM administrator.
The first steps are the following:
- ensure that the personal X.509 certificate is linked to the IAM account
- create an X.509 grid-proxy from the command line interface (
grid-proxy-init
orvoms-proxy-init)
- add the grid-proxy to the own IAM account
After that, it is enough to pull the docker container available on the Docker Hub and run it.
docker pull indigoiam/voms-importer
A useful full set of commands to run the container follows below.
docker run -it --entrypoint /bin/bash indigoiam/voms-importer sudo su cat >/etc/yum.repos.d/egi.repo <<EOF [EGI-trustanchors] name=EGI-trustanchors baseurl=https://repository.egi.eu/sw/production/cas/1/current/ gpgkey=https://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3 gpgcheck=1 EOF yum install ca-policy-egi-core -y cp /etc/grid-security/certificates/*.pem /etc/pki/ca-trust/source/anchors/ update-ca-trust exit eval `oidc-agent` oidc-gen -w device <client-name> (the proxy:generate scope is required) [...] export IAM_ENDPOINT=<iam-URL> export OIDC_AGENT_ALIAS=<client-name> export OIDC_AGENT_SECRET=*** export REQUESTS_CA_BUNDLE=/etc/pki/tls/cert.pem init-credentials.sh export X509_USER_PROXY=<generated-proxy-path> vomsimporter --vo <vo-name> --voms-host <voms-server-host> --voms-port <voms-server-port> --iam-host <iam-hostname> (as example: vomsimporter --vo juno --voms-host voms-juno.ihep.ac.cn --voms-port 8443 --iam-host iam-juno.cloud.cnaf.infn.it)
When a user has been imported from a VOMS server to IAM, the new username inside IAM will be the juxtaposition of the "user." string and the number id of the user inside the VOMS server.
A valid example could be "user.44".