diff --git a/doc/frontend/configuration.html b/doc/frontend/configuration.html
index 496dd01d0..6fdd2123f 100644
--- a/doc/frontend/configuration.html
+++ b/doc/frontend/configuration.html
@@ -108,9 +108,14 @@

Configuration

  • Example Configuration
  • Frontend Configuration
  • Singularity attributes
  • -
  • Customizing the glidein Startup
  • +
  • Customizing the Glidein Startup
  • Attribute substitution
  • Using multiple proxies
  • +
  • + Using the credential generator plugin +
  • Using multiple wms collectors
  • Example Configuration
    <credentials>
    - <credential absfname="/etc/osg/tokens/my_token.scitoken" + + <credential absfname="/etc/osg/tokens/my_token.scitoken" security_class="frontend" trust_domain="OSG" type="scitoken" - comment="generated by osg-token-renewer" />
    - <credential Comment="deprecated, use scitoken if possible" + + <credential generator="token_generator" + security_class="frontend" trust_domain="OSG" type="scitoken" + comment="python module w/ credential generator function, see + the credential generator plug-in section" />
    + + <credential Comment="deprecated, use scitoken if possible" absfname="/tmp/x509up_u" security_class="frontend" trust_domain="OSG" type="grid_proxy" vm_id="123" vm_type="type1" pool_idx_len="5" pool_idx_list="2,4-6,10" - />
    </credentials>
    @@ -2140,11 +2151,73 @@

    absfname="/home/frontend/.globus/x509_pilot09_cms_prio.proxy" security_class="cmsprio"/>

    - <proxies>
    + </credentials>
    + </security>
    + + + + +
    + +

    Using the credential generator plug-in

    + +

    + Credential generators allow to generate credentials dynamically. + Instead of specifying a file, absfilename, you can specify a + generator, the name of a Python module somewhere in the + PYTHONPATH, e.g. in /etc/gwms-frontend/plugin.d/. Here is an + example of the credential configuration: +

    +
    +
    <security>
    +
    + <credentials>
    +
    + <credential type="token" trust_domain="OSG" + generator="mygenerator" security_class="cmsprio"/>
    +
    + </credentials>
    +
    + </security>
    +

    + The generator module must contain a get_credential() function + with the same signature as the example below. A full example is in the + + scitokens_callout.py + file in the GlideinWMS code repository. +

    +
    +# Example of credential generator function in the mygenerator.py file
    +def get_credential(log: logger, group: str, entry: dict, trust_domain: str):
    +    """Dynamically generates a credential given the parameters
    +
    +    Args:
    +        log (logSupport): Python logger module passed by the caller
    +        group (str): Frontend group
    +        entry (dict): Factory entry information dictionary, containing at least:
    +            name (str): the entry name, and
    +            gatekeeper (str): the gatekeeper string
    +        trust_domain (str): Credential trust domain
    +        tkn_dir (str, optional): Directory where the tokens are stored. Defaults to "/var/lib/gwms-frontend/tokens.d".
    +    Returns:
    +        (str, int): tuple with:
    +            credential, a string containing the token or whichever credential is returned
    +            lifetime, seconds of remaining lifetime
    +    Raises:
    +        KeyError: missing some information to generate the credential
    +        ValueError: could not generate the credential
    +    """
    +    # Invoke a shell script or internally generate the credential
    +    credential = "credential content"
    +    return credential, 3600
    +        
    @@ -2169,9 +2242,9 @@

    The Factory setting and the actual availability of singularity and an image will also affect the actual use of Singularity. See the - Factory configuration document + + Factory configuration document + for a table of how Singularity is negotiated with the entries using GLIDEIN_Singularity_Use and GLIDEIN_SINGULARITY_REQUIRE (the entry variable) to decide wether the Glidein can run there and should use @@ -2267,9 +2340,9 @@

    value="/vo_files,/src_path:/dst_path"/>. See the - custom variables file + + custom variables file + for more information about the bind mounts.

  • @@ -2279,9 +2352,9 @@

    The - custom variables file + + custom variables file + contains a reference of all the Singularity attributes used in the Frontend, Factory or Glidein. @@ -2315,9 +2388,9 @@

    XSLT Plugins to extend configuration

    This is explained in the -
    Factory configuration documentation. + + Factory configuration documentation. +

diff --git a/frontend/glideinFrontendElement.py b/frontend/glideinFrontendElement.py
index f8244b8db..8240fe6b0 100755
--- a/frontend/glideinFrontendElement.py
+++ b/frontend/glideinFrontendElement.py
@@ -1024,7 +1024,7 @@ def generate_credential(self, elementDescript, glidein_el, group_name, trust_dom
 """
 ### The credential generator plugin should define the following function:
- # def get_credential(log:logger, group:str, dentry:dict{name:str, gatekeeper:str}, trust_domain:str):
+ # def get_credential(log:logger, group:str, entry:dict{name:str, gatekeeper:str}, trust_domain:str):
 # Generates a credential given the parameter
 # Args:
diff --git a/plugins/scitokens_callout.py b/plugins/scitokens_callout.py
index fdf523663..ec23e6dfe 100644
--- a/plugins/scitokens_callout.py
+++ b/plugins/scitokens_callout.py
@@ -29,17 +29,21 @@ def get_credential(logger, group, entry, trust_domain, tkn_dir="/var/lib/gwms-fr
 caching here so that new tokens are only generated when required.
 Args:
- logger (logSupport): Logger module
+ logger (logSupport): Python logger module passed by the caller
 group (str): Frontend group
- entry (str): Factory entry
+ entry (dict): Factory entry information dictionary, containing at least:
+ name (str): the entry name, and
+ gatekeeper (str): the gatekeeper string
 trust_domain (str): Credential trust domain
 tkn_dir (str, optional): Directory where the tokens are stored. Defaults to "/var/lib/gwms-frontend/tokens.d".
- Raises:
- err: If the token could not be generated.
- Returns:
- (str, int): The token string and the lifetime of the token.
+ (str, int): tuple with:
+ credential, a string containing the token or whichever credential is returned
+ lifetime, seconds of remaining lifetime
+ Raises:
+ KeyError: missing some information to generate the credential
+ ValueError: could not generate the credential
 """
 key_file = "/etc/condor/scitokens.pem"
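Review bot: The rewritten scitokens_callout docstring still describes `tkn_dir` only as "where the tokens are stored" without saying who may read it; the tokens cached there are bearer credentials, so the entry should state the ownership/permission requirement, e.g. `tkn_dir (str, optional): Directory where generated tokens are cached; must be owned by and readable only by the frontend user (tokens are bearer credentials). Defaults to "/var/lib/gwms-frontend/tokens.d".`. The new Raises section lists only KeyError and ValueError, but the context line `key_file = "/etc/condor/scitokens.pem"` suggests a signing key is read from a fixed path; if that read is not wrapped, an OSError (missing file, wrong permissions) escapes to the caller and should either be listed or converted to ValueError so callers can rely on the documented contract. The body of get_credential continues outside the hunk, so I cannot confirm from the visible lines whether the key read or the token-cache writes are guarded.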