EOS and oauth2 with INDIGO-IAM

1

Hello,
Reading: Using OAUTH2 for authentication — EOS CITRINE documentation
I believe it would be possible to link an EOS instance to the INDIGO-IAM that is in test for WLCG : https://wlcg.cloud.cnaf.infn.it/login ?
Has someone attempted this already ? What has to be defined in EOS to make the link with the INDIGO-IAM server ?
Is there also something to do on the INDIGO-IAM server ?
Just exploring in order to understand better these technologies…
Thank you

JM

2

Hello Jean-Michel,
sorry for the late response to your request. You can point EOS to an IAM server as we point in the example to the CERN OAUTH2 endpoint. The only ‘problem’ is, that this server does not resolve the username for a token. For this you have to add a manual entry from the ‘sub’ field to the local EOS user … it has the same ‘beauty’ as a grid mapfile, but it is done via EOS console commands ‘vid’
Cheers Andreas.

3

Thank you Andreas, I will certainly try again, but not before a few weeks, I am currently busy elsewhere. Il will let you know in this thread…
One question already however : I suppose cannot be considered practical to manually add each potential user with vid command when operating storage in a grid environement, we would need an automatic way of provisioning such mapping, right ?
JM

4

Hi Andreas, I think I made it work if I trust the output of whoami (my name and email were retrieved from the IAM server):

Virtual Identity: uid=99 (2,99) gid=99 (99) [authz:oauth2] host=nanpc118.in2p3.fr domain=in2p3.fr key= fullname=‘Jean-Michel Barbet’ email=‘jean-michel.barbet@subatech.in2p3.fr’

But I had also defined a mapping based on the sub attribute:

eos vid ls
211124 15:31:41 16906 secgsi_ParseCAlist: nothing to parse
oauth2:“”:gid => root
oauth2:“”:uid => root
oauth2:“key:wlcg.cloud.cnaf.infn.it/userinfo”:uid => root
oauth2:“sub:d5e1a81d-286c-4803-b8f4-1c4ce9082d2e”:uid => 1000
publicaccesslevel: => 1024
sss:“”:gid => root
sss:“”:uid => root
sudoer => uids()

… So I would expect to be mapped as vid 1000 ?

JM

5

The problem is, that you have to map to a username, not a uid.
1000 is not a username and the code currently has no automatic test if you provide a uid or username in the mapping.

6

Thank Andreas,
Does this means that I have to use vuid:x with x an existing local user id ? I tried:

id cms
uid=17101(cms) gid=17100(cms) groups=17100(cms)

eos vid set map -oauth2 sub:d5e1a81d-286c-4803-b8f4-1c4ce9082d2e vuid:17101
211124 16:16:22 19209 secgsi_ParseCAlist: nothing to parse
success: set vid [ eos.rgid=0 eos.ruid=0 mgm.cmd=vid mgm.subcmd=set mgm.vid.auth=oauth2 mgm.vid.cmd=map mgm.vid.key= mgm.vid.pattern=sub:d5e1a81d-286c-4803-b8f4-1c4ce9082d2e mgm.vid.uid=17101 ]

eos vid ls
211124 16:16:30 19224 secgsi_ParseCAlist: nothing to parse
oauth2:“”:gid => root
oauth2:“”:uid => root
oauth2:“key:wlcg.cloud.cnaf.infn.it/userinfo”:uid => root
oauth2:“sub:d5e1a81d-286c-4803-b8f4-1c4ce9082d2e”:uid => cms
publicaccesslevel: => 1024
sss:“”:gid => root
sss:“”:uid => root
sudoer => uids()

And it seems to work:

eos root://cceostest02.in2p3.fr whoami
[…]
Virtual Identity: uid=17101 (2,99,17101) gid=17100 (99,17100) [authz:oauth2] host=nanpc118.in2p3.fr domain=in2p3.fr key= fullname=‘Jean-Michel Barbet’ email=‘jean-michel.barbet@subatech.in2p3.fr’

Is that correct ?

JM

7

Yes, yes,
you did exactly the right thing. My previous statement was not 100% correct. You have to map to a user ID, which can be resolved from a uid to username, if not you will end up as nobody.

Cheers Andreas.