[9.0] Include DiracX token in proxy PEM files #7261
Conversation
| @@ -511,10 +511,12 @@ def _request(self, retry=0, outputFile=None, **kwargs): | |||
| # getting certificate | |||
| # Do we use the server certificate ? | |||
| if self.kwargs[self.KW_USE_CERTIFICATES]: | |||
| # TODO: Does this code path need to work with DiracX? | |||
There was a problem hiding this comment.
Probably yes for agent without shifter proxy and webapp
There was a problem hiding this comment.
So, remove this comment and following ones in this module?
There was a problem hiding this comment.
Actually it's more
| # TODO: Does this code path need to work with DiracX? | |
| # TODO: make this code path work with DiracX for Agents and possibly webapp ? |
There was a problem hiding this comment.
We were leaning towards opening an issue rather than getting hung up on this right now
chrisburr
force-pushed
the
token-in-pem
branch
6 times, most recently
from
ec316b2 to
34f5ac6
Compare
chaen
force-pushed
the
token-in-pem
branch
2 times, most recently
from
60c3d70 to
dcf0f47
Compare
chrisburr
force-pushed
the
token-in-pem
branch
from
dcf0f47 to
68ddd48
Compare
chrisburr
force-pushed
the
token-in-pem
branch
from
68ddd48 to
dd3b525
Compare
chrisburr
force-pushed
the
token-in-pem
branch
from
2155a4e to
7dcb3d6
Compare
chrisburr
force-pushed
the
token-in-pem
branch
from
7dcb3d6 to
d87ac64
Compare
| @@ -511,10 +511,12 @@ def _request(self, retry=0, outputFile=None, **kwargs): | |||
| # getting certificate | |||
| # Do we use the server certificate ? | |||
| if self.kwargs[self.KW_USE_CERTIFICATES]: | |||
| # TODO: Does this code path need to work with DiracX? | |||
There was a problem hiding this comment.
So, remove this comment and following ones in this module?
| # Ensure the proxy is working with DiracX | ||
| try: | ||
| with DiracXClient() as api: | ||
| api.auth.userinfo() | ||
| except Exception as e: | ||
| invalidProxy(f"Failed to access DiracX: {e}") |
There was a problem hiding this comment.
It this absolutely needed at this stage?
There was a problem hiding this comment.
If what is absolutely need ?
tests/Jenkins/dirac_ci.sh
Outdated
| fi | ||
| pip install "${wheels[0]}" | ||
| else | ||
| pip install "git+https://github.com/DIRACGrid/diracx.git@main#egg=diracx-${wheel_name}&subdirectory=diracx-${wheel_name}" |
There was a problem hiding this comment.
Why not simply
| pip install "git+https://github.com/DIRACGrid/diracx.git@main#egg=diracx-${wheel_name}&subdirectory=diracx-${wheel_name}" | |
| pip install diracx-core | |
| pip install diracx-client |
?
There was a problem hiding this comment.
because we want to install from the main branch of the repository
| @@ -29,6 +29,8 @@ install_requires = | |||
| cachetools | |||
| certifi | |||
| diraccfg | |||
| diracx-client | |||
| diracx-core | |||
There was a problem hiding this comment.
in dirac_ci.sh you also added diracx-cli
There was a problem hiding this comment.
This is for normal installation. In dirac_ci.sh, we install what's in the main branch
There was a problem hiding this comment.
It's only needed for the integration test setup itself
tests/Jenkins/dirac_ci.sh
Outdated
| source "${SERVERINSTALLDIR}/bashrc" | ||
|
|
||
| echo "==> Installing main branch of diracx" | ||
| for wheel_name in core client cli; do |
There was a problem hiding this comment.
| for wheel_name in core client cli; do | |
| for wheel_name in core client; do |
?
There was a problem hiding this comment.
The CLI is needed for the CS sync that runs in this container. It's not ideal but it's good enough.
There was a problem hiding this comment.
No we need the cli for the CS exporter cron
chrisburr
force-pushed
the
token-in-pem
branch
from
d87ac64 to
cfe2fc4
Compare
This pull request makes it so that a DiracX token is included in the PEM files (i.e. proxies) written by DIRAC. This makes it so that doing
dirac-proxy-init,dirac-admin-get-proxyand similar all result in credentials being accessible by DIRAC for use with the legacy adaptor mechanism.This is done by added the base64 encoded token to a
-----BEGIN DIRACX-----/-----END DIRACX-----section in the PEM file. Software other than DIRAC completely ignores this, as required in the various RFCs that define the PEM format.The main reason for suggesting this approach is so that setting
X509_USER_PROXYand similar still functions in the people would expect without needing to define a convention with by which to associate the proxy to the DiracX token (which then gets messy once you consider containers, e.g. SinularityCE or LHCb's use of containers withlb-run).Builds on top of #7258
Closes DIRACGrid/diracx#132
BEGINRELEASENOTES
*DiracX
NEW: DiracX credentials are now included in proxy PEM files created by DIRAC
NEW: DiracX is now mandatory 🎉
ENDRELEASENOTES