OSG - Token example for XRootD


Overview

The aim here is to demonstrate how a SciToken can be used to provide authentication and authorization to writeable storage via XRootD. See the other Knowledge Base articles (KBAs) on getting enrolled for SciToken usage.

XRootD Example

Submission Script

The main thing to note is the addition of use_oauth_services, which is set to the name of the token issuer followed by the requested role. The role defines a specific set of policies and a lifecycle specification.

Job Script

The payload of the job will have an environment variable pointing to the credential/token directory (this can vary site to site). This example shows what the directory contains and what the contents look like; that listing isn't necessary for production usage. The key line is setting BEARER_TOKEN_FILE to the path of your access token for use with xrootd.
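
An added example for the job script step above, not taken from the original page: it checks that the token file is private and not about to expire before exporting BEARER_TOKEN_FILE. The _CONDOR_CREDS variable, the issuer_role.use file name, and the file holding a bare JWT access token are assumptions; the claims are only read here, not signature-verified.

```shell
#!/bin/bash
# Added example, not from the original page.

# Print the decoded payload (second dot-separated part) of the JWT in file $1.
# Claims are only read here; the signature is not verified.
jwt_payload() {
    local seg
    seg=$(cut -s -d. -f2 "$1" | tr -d '\n' | tr '_-' '/+')   # base64url -> base64
    case $(( ${#seg} % 4 )) in                               # restore padding
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Return 0 if token file $1 is private and valid for at least $2 more seconds.
check_token() {
    local file=$1 min_left=${2:-300} exp
    [ -r "$file" ] || { echo "token file missing: $file" >&2; return 1; }
    # Group/other permission bits must all be clear (e.g. 0600 or 0400).
    [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] ||
        { echo "token file accessible by others: $file" >&2; return 2; }
    exp=$(jwt_payload "$file" |
          sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$exp" ] || { echo "no exp claim found in $file" >&2; return 3; }
    [ $(( exp - $(date +%s) )) -ge "$min_left" ] ||
        { echo "token expired or expiring soon" >&2; return 4; }
}

# Export BEARER_TOKEN_FILE only when the token passes the checks.
use_token() {
    check_token "$1" "${2:-300}" || return $?
    export BEARER_TOKEN_FILE="$1"
}

# Assumptions: the credential directory is exposed as _CONDOR_CREDS and the
# token is named issuer_role.use (hypothetical); both can vary site to site.
if [ -n "${_CONDOR_CREDS:-}" ]; then
    use_token "$_CONDOR_CREDS/issuer_role.use" || exit 1
    # xrootd client commands run after this point pick up BEARER_TOKEN_FILE.
fi
```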

Job Submission

When submitting for the first time or with an expired token, you will be prompted with a CILogon URL. Copy/paste that URL into any browser to authenticate (the browser does NOT have to be on the submit node). Select Thomas Jefferson National Accelerator Facility as your identity provider.

Submit the job and monitor its progress. NOTE: there is a 2-minute timeout for the provided URL. If it expires, you will get a clearly stated error message. Just resubmit the job and proceed to the new URL.

Monitoring Job and Output

Check job status. Once complete, you can check the xrootd output at ifarm:/work/test-xrootd/gluex/.

Screenshots for CILogon usage

Navigate to the URL you are provided and select your identity provider. Keep in mind that it is TJNAF, not Jefferson Lab.