indigo-iam/escape-docs

ESCAPE AAI documentation

The ESCAPE IAM instance is now available.

Registration is active. Users can authenticate via Google, via IAM credentials, or via their eduGAIN IdP (provided the IdP releases the attributes IAM requires).

IAM documentation is available here.

Client applications can be registered following these instructions.

VOMS support is enabled. To link an X.509 certificate to an existing IAM escape account, follow these instructions. As in VOMS, multiple certificates can be linked to an account.

ESCAPE VO configuration

To have a working VOMS configuration for the ESCAPE VO:

  • place the lsc file in the /etc/grid-security/vomsdir/escape directory
  • place the vomses file in the /etc/vomses directory (only needed to run voms-proxy-init)

The latest supported VOMS clients are required (i.e., voms-proxy-init version 3 or later). Also note that this VO is served by IAM rather than by VOMS Admin, so there are no VOMS Admin endpoints from which grid-mapfiles can be generated.

Token based AuthN/Z

Token-based authorization in the ESCAPE data lake will be realized by extending the work done in the context of the WLCG Authorization Working Group, in particular the WLCG JWT profile.

We will work in incremental steps towards support for group-based fine-grained authorization, according to the requirements defined in the ESCAPE namespace authorization proposal.

Step 0: coarse-grained VOMS and token-based authorization

The objective of this first step is to enable coarse-grained access to the ESCAPE namespace to the ESCAPE VO members.

The authentication and authorization requirements are:

  • members of the /escape group have read/write/delete access to the /escape namespace
  • access to anonymous users is forbidden

These requirements will be honoured for VOMS and token-based authz.

A test suite has been developed to assess compliance of the ESCAPE data lake with the requirements above.
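As an added illustration (not code from the escape-docs repository or the test suite), the Step 0 rules expressed as an authorization decision over an already-verified WLCG-profile token payload. Signature and issuer checks are assumed to have happened upstream; the payloads and paths below are constructed samples, and the exp/now handling and path normalisation are this example's own additions.

```python
import posixpath
import time

# Constructed decoded token payloads; the wlcg.groups claim carries the
# user's IAM group memberships as defined by the WLCG JWT profile.
ESCAPE_MEMBER = {"sub": "user-1", "wlcg.ver": "1.0",
                 "wlcg.groups": ["/escape"], "exp": 4102444800}
OTHER_VO = {"sub": "user-2", "wlcg.ver": "1.0",
            "wlcg.groups": ["/othervo"], "exp": 4102444800}

PROTECTED_PREFIX = "/escape"
ALLOWED_OPS = {"read", "write", "delete"}


def inside_escape_namespace(path):
    """True if path lies under /escape after normalisation."""
    # Normalise first so "/escape/../other" cannot slip past the prefix check,
    # and require a '/' boundary so "/escapex" is not treated as "/escape".
    norm = posixpath.normpath(path)
    return norm == PROTECTED_PREFIX or norm.startswith(PROTECTED_PREFIX + "/")


def authorize(claims, operation, path, now=None):
    """Step 0 decision: /escape members may read/write/delete under /escape,
    anonymous requests are refused. claims is the decoded payload or None."""
    if operation not in ALLOWED_OPS:
        return False
    if not inside_escape_namespace(path):
        return False  # this rule set only covers the /escape namespace
    if claims is None:
        return False  # anonymous access is forbidden
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False  # expired token is treated like no token
    return "/escape" in claims.get("wlcg.groups", [])


if __name__ == "__main__":
    print(authorize(ESCAPE_MEMBER, "write", "/escape/data/run1.root"))  # True
    print(authorize(None, "read", "/escape/data/run1.root"))           # False
    print(authorize(OTHER_VO, "read", "/escape/data/run1.root"))       # False
```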

Token request instructions

In order to support token-based authn/z as described above, tokens must be requested with at least the following scopes:

  • openid
  • wlcg.groups

With oidc-agent this would be done with a command like:

> oidc-token -s openid -s wlcg.groups escape

For more information on how to use oidc-agent to get tokens out of IAM, see the relevant IAM documentation.

Presentations
