Add support for tokens requested via oidc-agent. #17
base: master
Conversation
Ok, I am done hacking for the day! Ready for review...
I'm happy with the patch as-is.
I've made a few comments. There are no show-stoppers, but would appreciate it if you could check the comments.
@@ -58,7 +58,7 @@ extended=0 | |||
tokenType=macaroon |
[Unfortunately, GitHub doesn't allow me to make this comment any earlier]
I think the patch should define `WLCG_THIRDPARTY_PRIVATE_URL` and `WLCG_THIRDPARTY_UPLOAD_BASE_URL` (as with the `dteam`, `escape` and `atlas` VOs), and update the code to use these default values if the client configures smoke-test to use the `wlcg` VO.
Hi @paulmillar -
Finally started to look at this and I noticed that something appears to be misconfigured on the prometheus side.
This works:

```shell
voms-proxy-init -voms dteam
curl --verbose --connect-timeout 60 -D /tmp/tmp.CNpXBTEwRC \
    -s -f -L --capath /etc/grid-security/certificates -H 'X-No-Delegate: true' \
    --cacert /tmp/x509up_u1221 -E /tmp/x509up_u1221 -H 'Credential: none' \
    -m30 -X POST -H 'Content-Type: application/macaroon-request' \
    -d '{"caveats": ["activity:DOWNLOAD"], "validity": "PT30M"}' -o/tmp/tmp.FbihlmyRjK \
    https://prometheus.desy.de:2443/VOs/dteam/private-file
```

This doesn't work:

```shell
voms-proxy-init -voms wlcg
curl --verbose --connect-timeout 60 -D /tmp/tmp.CNpXBTEwRC \
    -s -f -L --capath /etc/grid-security/certificates -H 'X-No-Delegate: true' \
    --cacert /tmp/x509up_u1221 -E /tmp/x509up_u1221 -H 'Credential: none' \
    -m30 -X POST -H 'Content-Type: application/macaroon-request' \
    -d '{"caveats": ["activity:DOWNLOAD"], "validity": "PT30M"}' -o/tmp/tmp.FbihlmyRjK \
    https://prometheus.desy.de:2443/VOs/wlcg/private-file
```
The only difference is replacing the `dteam` string with `wlcg`. Access with DAVIX clients appears OK, so I think X.509 auth is working overall -- but perhaps just an issue with the macaroon generation?
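The per-VO comparison in the comment above, as an added Python example (not code from this PR or from the smoke-test project): the base URL, headers and request body are those of the curl commands above, while the proxy path, the function names and the assumption that the server answers with a JSON object carrying a `macaroon` member (dCache's response shape) are mine. Running it for `dteam` and `wlcg` with the same proxy puts the two outcomes side by side, which is the quickest way to tell a VO-specific server-side problem (such as missing VOMS trust data) from a broken client setup.

```python
import json
import ssl
import sys
import urllib.error
import urllib.request

# Values taken from the curl invocations in the thread above.
BASE_URL = "https://prometheus.desy.de:2443"
CA_PATH = "/etc/grid-security/certificates"  # same --capath as the curl commands


def macaroon_request_body(activities, validity="PT30M"):
    """Build the application/macaroon-request JSON body.

    Each entry of `activities` (e.g. "DOWNLOAD") becomes an "activity:<NAME>"
    caveat; `validity` is an ISO 8601 duration, PT30M as in the thread.
    """
    return json.dumps({"caveats": [f"activity:{a}" for a in activities],
                       "validity": validity})


def private_file_url(vo, base_url=BASE_URL):
    """Per-VO target used by the smoke test: /VOs/<vo>/private-file."""
    return f"{base_url}/VOs/{vo}/private-file"


def request_macaroon(vo, proxy_path, activities=("DOWNLOAD",), timeout=30):
    """POST a macaroon request, authenticating with the X.509 proxy.

    Returns (http_status, macaroon_or_None).  The proxy file holds the proxy
    certificate, its key and the user certificate, so it serves as both
    client certificate and chain (the -E argument of curl above).
    """
    ctx = ssl.create_default_context(capath=CA_PATH)
    ctx.load_cert_chain(certfile=proxy_path)
    req = urllib.request.Request(
        private_file_url(vo),
        data=macaroon_request_body(list(activities)).encode(),
        method="POST",
        headers={"Content-Type": "application/macaroon-request",
                 "X-No-Delegate": "true", "Credential": "none"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, json.load(resp).get("macaroon")  # assumed shape
    except urllib.error.HTTPError as err:
        return err.code, None  # e.g. 401/403 when the server rejects the VO


if __name__ == "__main__":  # usage: script.py /tmp/x509up_u1221 dteam wlcg
    for vo in sys.argv[2:]:
        status, macaroon = request_macaroon(vo, sys.argv[1])
        print(f"{vo}: HTTP {status}, macaroon {'issued' if macaroon else 'NOT issued'}")
```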
Yes, indeed. The problem was that prometheus was missing the .lsc file for the WLCG VOMS server.
I've installed the missing file, so the problem should be fixed now.
Could you give it another go?
- Add new WLCG-specific default URLs.
- Make the VO be set by the `-v` option.
- Rename `wlcg` token type to `oidcagent`.
- Make it an error to set the `oidcagent` token type but not specify an account name.
Ok, I think I got the comments addressed - except for this issue (I think) with the WLCG VO requesting macaroons noted above.
Example invocation:
(assuming that you have already run `oidc-add WLCG-XFER`)