OpenID
Grid facilities in general and CMS in particular ar slowly moving from a certificate/proxy based authentication towards an OpenID/token based authentication[BR] This page explains how to use them yourself at T2B[BR] IMPORTANT: these instructions only work on M19 for the time being!!!!!!
Getting an OpenID identity
- Go the CMS IAM service at https://cms-auth.web.cern.ch/ and log in
- At the left, you can see you active tokens. At the moment, you have none.
- Go to the M machines and issue the following command:
oidc-gen --iss https://cms-auth.web.cern.ch/ --scope openid -w device cms-id
- Follow the onscreen instructions.
- 'cms-id' now contains the reference to your online identity and will be used in subsequent commands. Feel free to use your own name.
- You can now go to the IAM site and see that you have just created this identity with the 'openid' scope.
- For more detailed information about the available options, you can see this page
- Youcan make as many IDs a you wish. Each can have a different scope and thus different use cases.
Register your OpenID identity at T2B
for now, I have no idea on how to do this.You need to tell me when you connect and then I'll be able to
Creating a token
On the CMS IAM page, you will see that you have a short and long lived token. One is for direct usage, the other to easily renew without the need for a password. This is especially useful when running longer jobs.[BR] The renewal token can also be recreated, but this does require you to give in a password.[BR] A token is created via the following command:
oidc-token cms-id
Notice the use of 'cms-id' that must be the same name as the ID you created in the previous step.[BR]
Using your token at T2B
If your ID is registered at T2B and you made a new token, you can now use it easily via the usual 'gfal' commands. [BR] The gfal commands can take on both a proxy and a token depending on a environment variable. In the case of tokens, the varibal can be set in the following way:
export BEARER_TOKEN=$(oidc-token cms-id)