[8.0] Pilot submission with tokens #6580
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
DIRACGridBot
added
the
alsoTargeting:integration
|
@atsareg If there is an issue with the CloudComputingElement (selecting projects in Openstack), could you please make a separate issue for Simon ? We'll not port VMDIRAC, we'd consider this obsolete. |
[8.0] Minor fixes for docs and code
…5500ea-rel-v8r0 [sweep:v8r0] Reorder pilot downloads to minimise race condition
|
The PR was screwed while rebasing and will be redone |
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds possibility to submit pilots with tokens. The tokens are obtained by SiteDirectors via a standard mechanism from the TokenManager. In order to use the oidc-agent instead of the OAuth2 flow, a new OidcAgentIdProvider is added. This can be useful in some environments, also for debugging. Using OAuth2 IdProviders with pilot tokens generated from the long tokens in the TokenDB are also supported
SiteDirector is enabled to select queues by Tag values. Queues can define Token tag to be used with tokens, otherwise with certificates. Later on, the default will be switched to Token I hope :).
The oidc-agent is supposed to have a client created with the name of the user submitting pilots and having necessary compute scopes.
The following ComputingElement should be enabled with the tokens:
HTCondorCE
ARC/ARC6
AREX
The case of CloudComputingElement is not addressed specifically as the case can be solved by using Application Credentials authentication mechanism where Application Credentials can be created after authentication with OAuth2 tokens.
BEGINRELEASENOTES
*Framework
NEW: OidcAgentIdProvider identity provider class
*WorkloadManagement
NEW: SiteDirector enabled to select queues by tags
NEW: SiteDirector sets up tokens for ComputingElements configured with the Token tag
*Resources
NEW: HTCondorComputingElement and ARC(6)ComputingElement enabled to for job operations with tokens
*Configuration
CHANGE: Registry - IdProvider can be defined either on VO or Group level
ENDRELEASENOTES