Hello,
Reading: Using OAUTH2 for authentication — EOS CITRINE documentation
I believe it would be possible to link an EOS instance to the INDIGO-IAM that is in test for WLCG : https://wlcg.cloud.cnaf.infn.it/login ?
Has someone attempted this already ? What has to be defined in EOS to make the link with the INDIGO-IAM server ?
Is there also something to do on the INDIGO-IAM server ?
Just exploring in order to understand better these technologies…
Thank you
Hello Jean-Michel,
sorry for the late response to your request. You can point EOS to an IAM server as we point in the example to the CERN OAUTH2 endpoint. The only ‘problem’ is, that this server does not resolve the username for a token. For this you have to add a manual entry from the ‘sub’ field to the local EOS user … it has the same ‘beauty’ as a grid mapfile, but it is done via EOS console commands ‘vid’
Cheers Andreas.
Thank you Andreas, I will certainly try again, but not before a few weeks, I am currently busy elsewhere. Il will let you know in this thread…
One question already however : I suppose cannot be considered practical to manually add each potential user with vid command when operating storage in a grid environement, we would need an automatic way of provisioning such mapping, right ?
JM
The problem is, that you have to map to a username, not a uid.
1000 is not a username and the code currently has no automatic test if you provide a uid or username in the mapping.
Thank Andreas,
Does this means that I have to use vuid:x with x an existing local user id ? I tried:
id cms
uid=17101(cms) gid=17100(cms) groups=17100(cms)
eos vid set map -oauth2 sub:d5e1a81d-286c-4803-b8f4-1c4ce9082d2e vuid:17101
211124 16:16:22 19209 secgsi_ParseCAlist: nothing to parse
success: set vid [ eos.rgid=0 eos.ruid=0 mgm.cmd=vid mgm.subcmd=set mgm.vid.auth=oauth2 mgm.vid.cmd=map mgm.vid.key= mgm.vid.pattern=sub:d5e1a81d-286c-4803-b8f4-1c4ce9082d2e mgm.vid.uid=17101 ]
eos vid ls
211124 16:16:30 19224 secgsi_ParseCAlist: nothing to parse
oauth2:“”:gid => root
oauth2:“”:uid => root
oauth2:“key:wlcg.cloud.cnaf.infn.it/userinfo”:uid => root
oauth2:“sub:d5e1a81d-286c-4803-b8f4-1c4ce9082d2e”:uid => cms
publicaccesslevel: => 1024
sss:“”:gid => root
sss:“”:uid => root
sudoer => uids()
Yes, yes,
you did exactly the right thing. My previous statement was not 100% correct. You have to map to a user ID, which can be resolved from a uid to username, if not you will end up as nobody.