New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Accessing ATLAS data from EOS/Tier2 through UChicago AF #507
Comments
Ok - I think I understand the problem. Let me try to rephrase and let me know if I've understood correctly:
Possible WorkaroundsWhat could be done right now without changes to ServiceX?
Modifications to ServiceX@BenGalewsky probably can point out a specific story
|
One variation on (1): ServiceX uses a captive service account to access ATLAS resources. We could add the owner of that account as membership in the private ATLAS group. Every user of that serviceX instance would have access to the files. Maybe another pattern would be to deploy a private ServiceX at the AF that uses the account of a member of the private group as the service account. But yes, passing tokens all the way through serviceX is a major (and ultimately necessary) change. See #321 for a skeletal story. |
Hi @BenGalewsky and @gordonwatts -- Thanks a lot for your replies :) You've got the story right, thanks a lot for summarising! I'm sure you know how painful it would be to try and convince conveners to give full access to a group disk in ATLAS to the entire collaboration, but I can ask if this is possible. I think it could potentially be easier to ask the for access for the service account, so I can suggest both solutions to the group conveners. Am I right to assume the accoung is associated with Ilija? can you provide me an account name that would need access? |
Hi! I think we can reasonably request access to for a service account on a one-by-one basis. It might be difficult for a personal account, however. For token-based access, I've put in a request for the ATLAS EOS folks to have this enabled. Brian |
This It is possible to check permission with
(for full picture it is also necessary to understand identity mapping, e.g. ATLAS EOS grid-mapfile, but that's basically same for all ATLAS users). Because Also this simple model with tokens would require quite a lot of knowledge on user side (e.g. user will be able to get token with |
Anyway, I think that EOS-5460 issue needs to be resolved first for I mean, it may take some time before we are ready to use tokens for EOS ATLAS, but I would like to have something ready in Q1 2023. |
Hello!
I have some files on EOS that are accessible by custom permissions within ATLAS. I have managed with help from @oshadura to access the file with
uproot.open()
, however I still cannot access the file with uproot serviceX. My setup is:I end up with
I am not running explicitly any distributed code, so I believe this should have worked unless there is some permission issues with the proxy being used to access the file.
Are there any further checks I should do to understand/resolve this?
The text was updated successfully, but these errors were encountered: