diff --git a/doc/frontend/configuration.html b/doc/frontend/configuration.html index 496dd01d0..6fdd2123f 100644 --- a/doc/frontend/configuration.html +++ b/doc/frontend/configuration.html @@ -108,9 +108,14 @@
<credentials>- <proxies>
- <credential absfname="/etc/osg/tokens/my_token.scitoken" + + <credential absfname="/etc/osg/tokens/my_token.scitoken" security_class="frontend" trust_domain="OSG" type="scitoken" - comment="generated by osg-token-renewer" /></credentials>
- <credential Comment="deprecated, use scitoken if possible" + + <credential generator="token_generator" + security_class="frontend" trust_domain="OSG" type="scitoken" + comment="python module w/ credential generator function, see + the credential generator plug-in section" />
+ + <credential Comment="deprecated, use scitoken if possible" absfname="/tmp/x509up_u" security_class="frontend" trust_domain="OSG" type="grid_proxy" vm_id="123" vm_type="type1" pool_idx_len="5" pool_idx_list="2,4-6,10" - />
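Review bot: the new generator entry in this hunk uses type="scitoken" with generator="token_generator", while the credential generator section added later in this patch shows type="token" with generator="mygenerator". Please make the two examples agree, or state which type values are valid together with generator, and say explicitly that generator replaces absfname, since the new entry omits absfname without explanation. The re-indented grid_proxy entry also keeps the capitalized Comment= attribute while the other two entries use comment=; XML attribute names are case-sensitive, so one spelling should be used throughout the example.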
@@ -2140,11 +2151,73 @@absfname="/home/frontend/.globus/x509_pilot09_cms_prio.proxy" security_class="cmsprio"/>
+ Credential generators allow to generate credentials dynamically. + Instead of specifying a file, absfilename, you can specify a + generator, the name of a Python module somewhere in the + PYTHONPATH, e.g. in /etc/gwms-frontend/plugin.d/. Here is an + example of the credential configuration: +
+<security>
++ <credentials>+ </security>
++ <credential type="token" trust_domain="OSG" + generator="mygenerator" security_class="cmsprio"/>+ </credentials>
+
+
+ The generator module must contain a get_credential() function + with the same signature as the example below. A full example is in the + + scitokens_callout.py + file in the GlideinWMS code repository. +
++# Example of credential generator function in the mygenerator.py file +def get_credential(log: logger, group: str, entry: dict, trust_domain: str): + """Dynamically generates a credential given the parameters + + Args: + log (logSupport): Python logger module passed by the caller + group (str): Frontend group + entry (dict): Factory entry information dictionary, containing at least: + name (str): the entry name, and + gatekeeper (str): the gatekeeper string + trust_domain (str): Credential trust domain + tkn_dir (str, optional): Directory where the tokens are stored. Defaults to "/var/lib/gwms-frontend/tokens.d". + Returns: + (str, int): tuple with: + credential, a string containing the token or whichever credential is returned + lifetime, seconds of remaining lifetime + Raises: + KeyError: missing some information to generate the credential + ValueError: could not generate the credential + """ + # Invoke a shell script or internally generate the credential + credential = "credential content" + return credential, 3600 +
The Factory setting and the actual availability of singularity and an image will also affect the actual use of Singularity. See the - Factory configuration document + + Factory configuration document + for a table of how Singularity is negotiated with the entries using GLIDEIN_Singularity_Use and GLIDEIN_SINGULARITY_REQUIRE (the entry variable) to decide wether the Glidein can run there and should use @@ -2267,9 +2340,9 @@
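Review bot: in the hunk at @@ -2140,11 +2151,73 @@, the get_credential() docstring documents a tkn_dir argument (optional, defaulting to "/var/lib/gwms-frontend/tokens.d") that the signature get_credential(log: logger, group: str, entry: dict, trust_domain: str) does not accept. The text requires plug-ins to have "the same signature as the example", so either add tkn_dir to the signature or drop it from the docstring. In the same example the annotation logger is not defined or imported in the snippet and the docstring gives the type as logSupport; pick one and show the import. The introductory paragraph names the attribute absfilename, while the configuration examples in this patch use absfname. Because the generator is resolved by module name from PYTHONPATH and its return value is used as the credential, the section should also state the expected ownership and permissions for /etc/gwms-frontend/plugin.d/ and what the Frontend does when the function raises KeyError or ValueError. Minor: "wether" in the Singularity context paragraph should be "whether".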