Currently, two technologies are involved in Authentication (AuthN for short) and Authorization (AuthZ) in the computing grid:
- Virtual Organization Membership Service (VOMS), based on the X.509 standard for SSL certificates;
- JSON Web Token (JWT), based on OpenID Connect and OAuth2.
They allow users to interact with the grid middleware, for example HTCondor-CE and ARC-CE for computing job submission, and StoRM, dCache, XRootD, etc. for storage management.
VOMS
A VOMS proxy is a file, typically stored in /tmp/x509up_u$UID, that contains a certificate chain and a private key and is used to interact with grid middleware. The proxy descends from a grid-enabled (i.e. issued by an IGTF-accredited CA) personal certificate and is shorter-lived, typically 12 hours. Because the file holds a private key, the tools create it readable only by its owner (mode 0600), and it should be kept that way.
For generating a proxy certificate without VOMS extensions, a user can issue the following command:
[ashtimmerman@ui-tier1 ~]$ voms-proxy-init
Enter GRID pass phrase for this identity:
Created proxy in /tmp/x509up_u10171.
Your proxy is valid until Wed Jun 18 07:04:04 CEST 2025
For generating a proxy with VOMS extensions:
$ voms-proxy-init --voms <VO_name>
To display basic information about the current VOMS proxy:
[ashtimmerman@ui-tier1 ~]$ voms-proxy-info --all
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it/CN=1171514709
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
identity  : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u10171
timeleft  : 11:58:42
key usage : Digital Signature, Key Encipherment
=== VO juno extension information ===
VO        : juno
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare/CN=voms-juno.cloud.cnaf.infn.it
attribute : /juno/Role=NULL/Capability=NULL
timeleft  : 11:58:42
uri       : voms-juno.cloud.cnaf.infn.it:15008
For debugging, it is often useful to display the entire certificate chain, including the intermediate and root certificates used to validate the proxy:
[ashtimmermanus@ui-tier1 ~]$ voms-proxy-info --all --chain
=== Proxy Chain Information ===
X.509 v3 certificate
Subject: CN=1479623907,CN=Aksieniia Shtimmerman ashtimmerman@infn.it,O=Istituto Nazionale di Fisica Nucleare,C=IT,DC=tcs,DC=terena,DC=org
Issuer: CN=Aksieniia Shtimmerman ashtimmerman@infn.it,O=Istituto Nazionale di Fisica Nucleare,C=IT,DC=tcs,DC=terena,DC=org
Valid from: Tue Jun 17 19:04:04 CEST 2025
Valid to: Wed Jun 18 07:04:04 CEST 2025
CA: false
Signature alg: SHA384WITHRSA
Public key type: RSA 2048bit
Allowed usage: digitalSignature keyEncipherment
Serial number: 1479623907
VOMS extensions: no.

X.509 v3 certificate
Subject: CN=Aksieniia Shtimmerman ashtimmerman@infn.it,O=Istituto Nazionale di Fisica Nucleare,C=IT,DC=tcs,DC=terena,DC=org
Issuer: CN=GEANT TCS Authentication RSA CA 4B,O=GEANT Vereniging,C=NL
Valid from: Fri Nov 22 09:08:54 CET 2024
Valid to: Mon Dec 22 09:08:54 CET 2025
Subject alternative names:
  email: aksieniia.shtimmerman@cnaf.infn.it
CA: false
Signature alg: SHA384WITHRSA
Public key type: RSA 2048bit
Allowed usage: digitalSignature keyEncipherment
Allowed extended usage: clientAuth emailProtection
Serial number: 101113208650839486715316733014861942537

=== Proxy Information ===
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it/CN=1479623907
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
identity  : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u10171
timeleft  : 11:42:28
key usage : Digital Signature, Key Encipherment
For removing the current VOMS proxy certificate:
[ashtimmerman@ui-tier1 ~]$ voms-proxy-destroy
[ashtimmerman@ui-tier1 ~]$ voms-proxy-info --all
Proxy not found: /tmp/x509up_u10171 (No such file or directory)
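A practical check before submitting work is whether the current proxy exists, carries the VOMS extension for the intended VO, and still has enough lifetime left. The script below is an added example (not part of this guide nor of the VOMS tools): it parses the `voms-proxy-info --all` output format shown above and applies those checks. The sample output, the function names `parse_proxy_info` and `proxy_is_usable`, and the one-hour threshold are assumptions of the example.

```python
"""Check a VOMS proxy before using it, by parsing `voms-proxy-info --all`.

Added example: this is not part of the original guide nor of the VOMS tools.
The sample output below is constructed (anonymised names, VO "juno") in the
format shown above; `parse_proxy_info`, `proxy_is_usable` and the one-hour
threshold are assumptions of this example.
"""
import re
from typing import Dict, Tuple

# Constructed sample shaped like `voms-proxy-info --all` for a proxy with a
# VO extension; real subjects and hosts are replaced with placeholders.
SAMPLE_OUTPUT = """\
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Example Org/CN=Example User/CN=1171514709
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/O=Example Org/CN=Example User
identity  : /DC=org/DC=terena/DC=tcs/C=IT/O=Example Org/CN=Example User
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u10171
timeleft  : 11:58:42
key usage : Digital Signature, Key Encipherment
=== VO juno extension information ===
VO        : juno
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Example Org/CN=Example User
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Example Org/CN=voms.example.org
attribute : /juno/Role=NULL/Capability=NULL
timeleft  : 11:58:42
uri       : voms.example.org:15008
"""

VO_HEADER = re.compile(r"=== VO (\S+) extension information ===")


def hms_to_seconds(value: str) -> int:
    """Convert the H:MM:SS 'timeleft' field to seconds."""
    hours, minutes, seconds = (int(x) for x in value.strip().split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_proxy_info(text: str) -> Dict:
    """Return the proxy fields, plus a 'vos' dict with one entry per VO extension."""
    info: Dict = {"vos": {}}
    current = info  # the section the following 'key : value' lines belong to
    for line in text.splitlines():
        header = VO_HEADER.match(line)
        if header:
            current = info["vos"].setdefault(header.group(1), {"attributes": []})
            continue
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        key, value = key.strip(), value.strip()
        if key == "attribute":
            current["attributes"].append(value)  # a VO may grant several FQANs
        elif key == "timeleft":
            current["timeleft"] = hms_to_seconds(value)
        else:
            current[key] = value
    return info


def proxy_is_usable(info: Dict, vo: str, min_seconds: int = 3600) -> Tuple[bool, str]:
    """Decide whether the proxy can be used for work on behalf of `vo`.

    It must exist, carry that VO's extension (a bare proxy is not enough for
    VOMS-aware services) and have at least `min_seconds` left on both the proxy
    certificate and the VO attribute certificate, whose lifetimes can differ.
    """
    if "timeleft" not in info:
        return False, "no proxy found; run voms-proxy-init --voms " + vo
    if vo not in info["vos"]:
        return False, f"proxy has no VOMS extension for {vo!r}; run voms-proxy-init --voms {vo}"
    remaining = min(info["timeleft"], info["vos"][vo]["timeleft"])
    if remaining < min_seconds:
        return False, f"only {remaining}s left; renew with voms-proxy-init --voms {vo}"
    return True, f"ok: {remaining}s left, attributes {info['vos'][vo]['attributes']}"


if __name__ == "__main__":
    # Real use on a UI: feed the tool's actual output to the same checker.
    import subprocess
    import sys

    vo = sys.argv[1] if len(sys.argv) > 1 else "juno"
    result = subprocess.run(["voms-proxy-info", "--all"], capture_output=True, text=True)
    ok, why = proxy_is_usable(parse_proxy_info(result.stdout), vo)
    print(why)
    sys.exit(0 if ok else 1)
```

Run as `python3 check_proxy.py juno` on a UI to get a non-zero exit status when the proxy is missing, lacks the VO extension, or is about to expire; the checker takes the smaller of the proxy and VO-extension lifetimes, since the attribute certificate can expire before the proxy itself.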
JWT
Once registered with the token issuer (e.g. IAM), an access token can be retrieved using oidc-agent, which is available on ui-tier1. The full set of commands follows.
At first, we have to start the process with the command
[ashtimmerman@ui-tier1 ~]$ eval $(oidc-agent-service use)
54956
To avoid having to run eval $(oidc-agent-service use) manually every time a new terminal session is opened, it is possible to add
eval "$(oidc-agent-service use)"
to the .bashrc file and load the change with source ~/.bashrc.
Then, one needs to register their own client (this is done only the first time, to create a new local IAM client):
$ oidc-gen -w device <device name>
following the steps the tool asks for, namely:
- choose a name for the OIDC client
- insert IAM URL (e.g. https://iam-t1-computing.cloud.cnaf.infn.it/)
- when a web page for authentication opens, enter the credentials of the IAM account
- authorize the new client
- enter the encryption password for the client configuration twice.
For example:
[ashtimmerman@ui-tier1 ~]$ oidc-gen -w device axy
[1] https://iam-t1-computing.cloud.cnaf.infn.it/
[...]
Issuer [https://iam-t1-computing.cloud.cnaf.infn.it/]:
The following scopes are supported: openid profile email address phone offline_access eduperson_scoped_affiliation eduperson_entitlement eduperson_assurance entitlements wlcg.groups compute.read compute.create compute.cancel compute.modify storage.read storage.create storage.modify storage.stage
Scopes or 'max' (space separated) [openid profile offline_access]: compute.read compute.create compute.cancel compute.modify openid profile offline_access
Registering Client ...
Generating account configuration ...
accepted
Using a browser on any device, visit:
https://iam-t1-computing.cloud.cnaf.infn.it/device
And enter the code: REDACTED
Alternatively you can use the following QR code to visit the above listed URL.
Enter encryption password for account configuration <client_name>:
Confirm encryption password:
Everything setup correctly!
From the second time on, it is enough to load the existing account configuration:
[ashtimmerman@ui-tier1 ~]$ oidc-add axy
Enter decryption password for account config 'axy':
success
and then get the access token and save it in the BEARER_TOKEN environment variable:
[ashtimmerman@ui-tier1 ~]$ export BEARER_TOKEN=$(oidc-token <client_name>)
The token will be valid for 60 minutes. A new token can be obtained by issuing the oidc-token command again.
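Since the token expires after 60 minutes and only carries the scopes the client was registered with, it is worth inspecting it before attaching it to a request. The script below is an added example (not part of this guide nor of oidc-agent): it decodes the JWT payload to read the issuer, expiry and scopes, and reports whether the token is still usable for a given operation. It does not verify the signature, which is the job of the receiving service using the issuer's published keys. The constructed token, the claim values, and the names `token_status` and `make_sample_token` are assumptions of the example.

```python
"""Inspect an access token from `oidc-token` before using it as BEARER_TOKEN.

Added example: not part of the original guide nor of oidc-agent. It decodes
the JWT payload (base64url) to read expiry and scopes on the client side; it
does NOT verify the signature, which is the job of the service that receives
the token, using the issuer's published keys. The token below is constructed
with a placeholder signature; `token_status` and its 5-minute margin are
assumptions of this example.
"""
import base64
import json
import time
from typing import Dict, Optional, Set, Tuple

IAM_ISSUER = "https://iam-t1-computing.cloud.cnaf.infn.it/"
ISSUED_AT = 1_750_000_000  # constructed issue time (epoch seconds)

# Constructed claims resembling what IAM puts in an access token (1 h lifetime).
SAMPLE_CLAIMS = {
    "iss": IAM_ISSUER,
    "sub": "00000000-0000-4000-8000-000000000000",  # placeholder subject
    "scope": "openid profile offline_access compute.read compute.create compute.cancel compute.modify",
    "iat": ISSUED_AT,
    "exp": ISSUED_AT + 3600,
}


def b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode to base64url without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def make_sample_token(claims: Dict) -> str:
    """Build a compact JWS with a placeholder signature, for this demo only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-key"}  # constructed header
    parts = [b64url_encode(json.dumps(part).encode()) for part in (header, claims)]
    return ".".join(parts + ["placeholder-signature"])


def jwt_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def token_status(token: str, required_scopes: Set[str],
                 now: Optional[float] = None, min_seconds: int = 300) -> Tuple[bool, str]:
    """Decide whether `token` is still good for a request needing `required_scopes`.

    Checks the issuer, the remaining lifetime (with a safety margin so the token
    does not expire mid-request) and that every required scope was granted.
    """
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    if claims.get("iss") != IAM_ISSUER:
        return False, f"unexpected issuer {claims.get('iss')!r}"
    if "exp" not in claims:
        return False, "token has no exp claim"
    remaining = int(claims["exp"] - now)
    if remaining < min_seconds:
        return False, f"token expires in {remaining}s; run oidc-token again"
    granted = set(claims.get("scope", "").split())
    missing = required_scopes - granted
    if missing:
        return False, f"token lacks scopes {sorted(missing)}; the client must be registered with them"
    return True, f"ok: {remaining}s left, scopes {sorted(granted)}"


if __name__ == "__main__":
    # Real use on a UI: check the token exported as BEARER_TOKEN.
    import os
    import sys

    token = os.environ.get("BEARER_TOKEN")
    if not token:
        sys.exit("BEARER_TOKEN is not set; run: export BEARER_TOKEN=$(oidc-token <client_name>)")
    ok, why = token_status(token, {"compute.create"})
    print(why)
    sys.exit(0 if ok else 1)
```

On a UI, run it after exporting BEARER_TOKEN; a non-zero exit means the token should be refreshed with oidc-token (or the client re-registered with the missing scopes) before use. The five-minute margin avoids a token that is valid when checked but expired by the time a job submission or transfer reaches the service.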
When finished, stop the oidc-agent daemon:
oidc-agent-service stop
A user can also get the list of all existing account configurations by issuing
[ashtimmerman@ui-tier1 ~]$ oidc-add -l
The following account configurations are usable:
axy
myobolicatest
t1-computing
Moreover, the list of the currently loaded accounts can be retrieved with:
[ashtimmermanus@ui-tier1 ~]$ oidc-add -a
The following account configurations are currently loaded:
axy