Setting up a 8.0 DIRAC server to use tokens

[marianne013]

Hi,

I'm trying to convince one of our preprod instances to use tokens.
I'm about half a packet of chocolate cookies in and it's not going well.....
Looking at:
https://dirac.readthedocs.io/en/latest/AdministratorGuide/HowTo/authentication.html
and
https://dirac.readthedocs.io/en/latest/AdministratorGuide/Resources/identityprovider.html
(what a "Framework/Auth endpoint" in this context ? I can see that I have to install the TokenManager, but I am not sure what this is meant to tell me)
and
https://github.com/DIRACGrid/DIRAC/wiki/DIRAC-8.0 (cause I look at the upgrade nodes, but is that really a 'preview' any more ?)

there is a wild mixture of proxies and tokens and while this probably reflects reality (given that we need to use both?) I cannot find anywhere that would tell me how to configure DIRAC for the simplest (?) scenario which the WLCG experiments typically support, i.e. pilots use tokens for job submission, proxies for everything else.

Before I get a tame LHCb user to retrieve the LHCb DIRAC configuration for me from the server, is there any place in the documentation on "how to add token support" to your server that at least lists the minimum changes to the server necessary ?

I tried to do a dirac-login test, which threw (correctly as it turns out) the following error: "Cannot prepare authorization server metadata. Path /DIRAC/Security/Authorization does not exist or it's not a section", which I have now copied from the certification server, but is that documented somewhere obvious ?

I'm switching to beer now.

Daniela

[fstagni]

So, indeed this is not yet documented because of the several PRs that modified/updated/improved thing in the meanwhile. @aldbr will do it once he's back from holiday, but if you want you can give a try to the following instructions and let us know:

• Add the /Resources/IdProviders section, such as:

Resources
{
  IdProviders
  {
    GridPP_IAM
    {
      ProviderType = OAuth2
      issuer = https://something-auth.web.cern.ch/
    }
  }
}

• Add IdProvider = GridPP_IAM in /Registry/VO/the_vo/

• Install the Framework/TokenManager service:

Then, for each CE at a time:

• Add Tag = Token in the CE configuration.
• Restart the associated SiteDirector
• Check the logs

[marianne013]

Thanks.

I just tried dirac-login against the certification server, but I got the following error:

(base) lxplus791:8.1.0a15 :~] dirac-login dteam_user --token
No CFG file loaded, was that intentional?
Cannot prepare authorization server metadata. Path /DIRAC/Security/Authorization does not exist or it's not a section

Is that not meant to work ?

[marianne013]

When I installed my TokenManagerHandler it made the following config:
Systems/Framework/Devel/TokenManager

{
Protocol = https
Authorization  {
  Default = authenticated
  getUsersTokenInfo = ProxyManagement
}
}

which looks different to the certification server, but then I get an error from the certification server, so not sure what to make of this.

[fstagni]

Why dirac-login dteam_user --token ? Just log in with dirac-proxy-init. Asking for a token here is not necessary.

The configuration of TokenManager is correctly created. What is on the DIRAC cert instance is not.

[marianne013]

I also have the error:

2023-07-26 08:56:49 UTC Framework/TokenManager FATAL: Missing mandatory local configuration option /Systems/Framework/Devel/Services/TokenManager/Port
2023-07-26 08:56:49 UTC Framework/TokenManager ERROR: There were errors when loading configuration

even though I don't see anywhere that a a) have to define a port and b) what it should be.

[marianne013]

So Simon points out to me that this should probably be installed as a tornado based service.

(base) lx03:diracdev_8.0.21 > dirac-install-tornado-service Framework TokenManager
2023-07-26 09:24:47 UTC Framework WARN: MySQL root password not found
2023-07-26 09:24:47 UTC Framework WARN: Using 'Dirac' as MySQL user name
2023-07-26 09:24:47 UTC Framework WARN: MySQL password not found
2023-07-26 09:24:47 UTC Framework WARN: Using the same host for MySQL as dirac services
2023-07-26 09:24:47 UTC Framework WARN: Using port '3306' as MySQL port
2023-07-26 09:24:47 UTC Framework WARN: Using 'root' as root MySQL user
2023-07-26 09:24:47 UTC Framework WARN: Using the same host for NoSQL as dirac services
2023-07-26 09:24:47 UTC Framework WARN: Using the default port 9200
2023-07-26 09:24:47 UTC Framework WARN: NoSQL user not found
2023-07-26 09:24:47 UTC Framework WARN: NoSQL password not found
2023-07-26 09:24:47 UTC Framework WARN: NoSQL SSL choice not found
Loading configuration template from DIRAC.FrameworkSystem
Adding to CS service Framework/TokenManager
2023-07-26 09:24:53 UTC Tornado/Tornado DEBUG: Trying to auto-discover the Services handlers for Tornado
2023-07-26 09:24:53 UTC Tornado/Tornado VERBOSE: Checking Framework/TokenManager
2023-07-26 09:24:53 UTC Tornado/Tornado VERBOSE: Module Framework/TokenManager seems to be a valid name. Try to load it!
2023-07-26 09:24:53 UTC Tornado/Tornado INFO: Loading Framework/TokenManager
2023-07-26 09:24:53 UTC Tornado/Tornado INFO: Trying to autodiscover Framework/TokenManager
2023-07-26 09:24:53 UTC Tornado/Tornado VERBOSE: Trying to load DIRAC.FrameworkSystem.Service.TokenManagerHandler
2023-07-26 09:24:55 UTC Tornado/Tornado VERBOSE: Found DIRAC.FrameworkSystem.Service.TokenManagerHandler
2023-07-26 09:24:55 UTC Tornado/Tornado NOTICE: Loaded module Framework/TokenManager
2023-07-26 09:24:55 UTC Tornado/Tornado VERBOSE: Checking WorkloadManagement/JobManager
2023-07-26 09:24:55 UTC Tornado/Tornado VERBOSE: Module WorkloadManagement/JobManager seems to be a valid name. Try to load it!
2023-07-26 09:24:55 UTC Tornado/Tornado INFO: Loading WorkloadManagement/JobManager
2023-07-26 09:24:55 UTC Tornado/Tornado INFO: Trying to WorkloadManagement/JobManager from CS defined path DIRAC/WorkloadManagementSystem/Service/TornadoJobManagerHandler.py
2023-07-26 09:24:55 UTC Tornado/Tornado VERBOSE: Found handler for WorkloadManagement/JobManager: DIRAC/WorkloadManagementSystem/Service/TornadoJobManagerHandler.py

Successfully installed component TokenManager in Framework system, now setting it up
Creating startup link at /home/hep/dbauer/diracdev_8.0.21/diracos/startup/Tornado_Tornado
Failed to find supervise/ok for component Tornado_Tornado

Sigh.

[fstagni]

Did you follow https://dirac.readthedocs.io/en/latest/AdministratorGuide/ServerInstallations/HTTPSServices.html?

(in case you are using v8.1, check https://dirac.readthedocs.io/en/integration/AdministratorGuide/ServerInstallations/HTTPSServices.html)

[marianne013]

Installing the TokenManager as a tornado service has triggered this bug:
#7126

Having another go at the certification server, using the card from trello:

(base) lxplus791:8.1.0a15 :~] dirac-login --issuer=https://lbcertifdirac70.cern.ch:8443/auth

No CFG file loaded, was that intentional?
Use the following link to continue
https://lbcertifdirac70.cern.ch:8443/auth/device?user_code=BHBG-SDXX
Authorization pending.. (use CNTL + C to stop)

Going to the website indicated gives me:

Unable to connect

An error occurred during a connection to lbcertifdirac70.cern.ch:8443. 

[fstagni]

This is not-fully-tested part, and in this sense this is "experimental" code. The good news is that you don't need a user token, as the submission to CEs is done through the client_credentials flow, see #6950 for implementation details.

[marianne013]

I've got one more specific complaint.
We had to set:
DIRAC->Security->Authorization->issuer
It's currently literally set to the word 'placeholder', but we couldn't leave it out.

[aldbr]

What happens if you remove the /DIRAC/Security/Authorization/issuer option? This should not be needed for submitting pilots with tokens.

[sfayer]

From memory, I think it gets an S_ERROR back from this line (as the section doesn't exist), which prevents something further up from initialising:

DIRAC/src/DIRAC/ConfigurationSystem/Client/Utilities.py

Line 632 in 20480d6

result = gConfig.getOptionsDictRecursively("/DIRAC/Security/Authorization")

[aldbr]

Which v8.0 micro version have you used? Do you still see this issue?

I got a similar issue the first time I tried to submit pilots with tokens using the client_credentials flow and I made a fix here (by moving a block of code in a specific condition that should not be called if tokens are only used to submit pilots): b9028ac#diff-3e2701144744cd08a6ce9daa609eb5ad2aa2299e5c06a991ac509c9f31b623e0R60