OSC / ondemand

Supercomputing. Seamlessly. Open, Interactive HPC Via the Web
https://openondemand.org/
MIT License

Remove `ood_auth_map` From Ondemand #2303

Open Oglopf opened 1 year ago

Oglopf commented 1 year ago

This is to capture a conversation that began in PR #2299.

As mentioned in the PR, the gridmap looks to not even be supported in the Globus toolbox anymore and this is what ood_auth_map is using.


johrstrom commented 1 year ago

Here's a more modern (hopefully!) grid map utility. We'll probably migrate to this format.

https://software.xsede.org/production/access-oauth-mapfile/INSTALL

***
# Installing the access-oauth-mapfile tool
***

This package generates a file called **access-oauth-mapfile** containing entries like:

    {access_username}@access-ci.org {local_username}

Each entry maps an ACCESS OAuth identity in the form {access_username}@access-ci.org to the
corresponding local username on a specific ACCESS resource. An ACCESS OAuth identity
may have multiple lines mapping it to multiple local usernames. These mappings come
from the ACCESS Central Database (XCDB) and are accessed by this tool through an API.

ACCESS's Globus Connect Server (GCS) v5.4+ and other tools use these mappings to
access local resources as the authenticated user.

That said, we need to consider

treydock commented 1 year ago

The gridmap usage in OnDemand was only ever used by OSC, and it requires tools that we have archived on GitHub for years. There is nothing to update I would think, I think we just drop it and let people use commands via the hooks we provide and they can choose to use gridmap commands if they want. Supporting Gridmap without the archived tools is pointless in my opinion. It was only used to support CILogon without Keycloak and the tools we used to do it have all been archived and some may not even be public (like how to generate the gridmap database).

johrstrom commented 1 year ago

access-oauth-mapfile I believe will be supported for some time. I need confirmation, but I'm like 80% sure it is. Indeed they just updated it to use ACCESS URLs instead of XSEDE (even the comments). When you browse the yum repo you can see dates that are pretty up to date.

And for sure, this is basically all I'm suggesting we start distributing. Some small bash helper (with nice error handling and so on)

    # helpers/access_oauth_lookup.sh
    # Print the mapfile entries that contain the identity given as $1.
    grep -F -- "$1" /etc/grid-security/access-oauth-mapfile
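
An added example, not part of johrstrom's comment or the OnDemand code base: one way such a lookup helper could match the identity exactly against the mapfile format quoted above and print only the local username(s). The function names, exit codes and sample entries are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: exact-match lookup in an access-oauth-mapfile.
# Entry format, from the INSTALL text quoted in the thread:
#   {access_username}@access-ci.org {local_username}

# access_oauth_lookup IDENTITY [MAPFILE]   (hypothetical helper name)
# Prints every local username mapped to IDENTITY, one per line.
# Status: 0 = mapped, 1 = no mapping, 2 = bad argument or unreadable file.
# The ( ... ) body runs in a subshell: variables stay local and `exit`
# only ends the function call.
access_oauth_lookup() (
  id=${1-}
  map=${2:-/etc/grid-security/access-oauth-mapfile}

  if [ -z "$id" ]; then
    echo "usage: access_oauth_lookup IDENTITY [MAPFILE]" >&2
    exit 2
  fi
  if [ ! -r "$map" ]; then
    echo "access_oauth_lookup: cannot read $map" >&2
    exit 2
  fi

  # Compare field 1 to the identity as a literal string. Matching with
  # grep on the whole line would also match substrings, so a lookup for
  # bob@access-ci.org would return the jimbob@access-ci.org entry too.
  # ENVIRON passes the value without awk escape processing; appending ""
  # forces a string comparison.
  LOOKUP_ID=$id awk '
    NF >= 2 && ($1 "") == (ENVIRON["LOOKUP_ID"] "") { print $2; hit = 1 }
    END { exit (hit ? 0 : 1) }
  ' "$map"
)

# Writes a constructed sample mapfile (not real ACCESS data) to path $1.
write_sample_mapfile() {
  cat > "$1" <<'EOF'
bob@access-ci.org bsmith
jimbob@access-ci.org jbrown
alice@access-ci.org asmith
alice@access-ci.org alice2
EOF
}

# Run as a script: look up the identity given on the command line.
if [ "$#" -gt 0 ]; then
  access_oauth_lookup "$@"
fi
```

Because an identity may map to several local usernames, a caller that needs exactly one account has to decide how to treat multi-line output rather than taking the first line silently.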