cms-PdmV / cmsPdmV

CERN CMS McM repository

How to best support 2FA in user scripts? #1127

Open DickyChant opened 5 months ago

DickyChant commented 5 months ago

CERN is now promoting 2FA but it might not work fine with McM, do we have some ideas regarding this?

@yihui-lai, @tvami

Example error: [2024-02-16 23:18:23,834][INFO] Please remember that, if you have enabled 2FA, it is not possible to request

https://auth.docs.cern.ch/applications/command-line-tools/, which clearly shows that SSO doesn't work well with 2FA (see the overview table).


DickyChant commented 5 months ago

@yihui-lai pointed out that McM supports OIDC; however, as documented, it needs human intervention.

It is for sure not the end of the world, but I just personally feel it would be ideal to have user token enabled... Any idea/suggestion for moving forward with that?

They might affect the same thing, but it would be nice to at least have an explanation somewhere?

lmoureaux commented 5 months ago

Hi @DickyChant,

McM uses the CERN-wide authentication mechanism and supports connecting with 2FA if OIDC is used, as explained on the page you mention. So what exactly is the problem?

We're not planning to implement a method to circumvent CERN security measures, especially for a tool like McM that enables code execution on CERN premises and the grid.

Best, Louis

DickyChant commented 5 months ago

Hi Louis,

Thanks for a prompt reply.

Yeah, safety is indeed an important concern. I sometimes also find the previous method not quite secure.

However, from a user perspective, it would be useful for MC contacts to submit a bunch of requests from a script at a time:

  1. For BSM searches, there are many parameter points to be covered
  2. For SM, currently I believe the Run3 background processes are submitted automatically to McM

So, I am wondering if a solution based on auth-get-user-token could be realized.

Apologies in advance if you've already enabled this (I've noticed Device Authorization Grant in the description).

Also, it would be nice to show somewhere how to use a token with curl?

Let me tag @sihyunjeon here to share Run3 background production experience.

lmoureaux commented 5 months ago

it would be useful for mc contacts to submit a bunch of requests from a script at a time

What did your pre-2FA workflow look like? The McM Python tools do support performing multiple queries in a (Python) loop.

DickyChant commented 5 months ago

OK I think I got how it works...

We would update our workflows, but it might be nice to be able to use a generated token from auth-get-user-token...? According to the documentation it would be valid for 20 min, so that we just have a one-time browser authentication and finish our business within that 20 min time window...

Does McM have a client ID that allows requesting a token?

DickyChant commented 5 months ago

it would be useful for mc contacts to submit a bunch of requests from a script at a time

What did your pre-2FA workflow look like? The McM Python tools do support performing multiple queries in a (Python) loop.

We usually parse inputs and then form McM requests and inject them with one execution. We indeed initialize a separate McM object for each request injection I believe?

This we could definitely improve but do want to check with you guys first.

DickyChant commented 5 months ago

And the bits for Run3 background central production. Do you think it might play well with OIDC? I am not sure...

If there is a service account it however should be fine for the background production? I indeed have my service account registered as McM user for query purpose lol...

lmoureaux commented 5 months ago

We indeed initialize a separate McM object for each request injection I believe?

Interesting repo, I didn't know about it! Should invite you for a presentation... The credentials are stored in the McM object so you'd get rid of repeated authentication requests by creating it only once.

Under the hood, the McM class just requests a Device Authorization Grant with the client ID cms-ppd-pdmv-device-flow. It would be trivial to modify it to support fetching the token from the environment or passing it in the constructor, you're welcome to submit a PR for that if needed.

I'm not sure about the gridpack machine, I suppose it's using a service account.
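To illustrate the pattern Louis describes (authenticate once via the Device Authorization Grant, keep the bearer token in one object and reuse it for many requests, or take a pre-fetched token from the constructor or the environment), here is an added, self-contained Python sketch. It is not McM's own code: the Keycloak endpoint URLs, the `MCM_TOKEN` variable name and the `TokenSession` class are assumptions; only the client ID `cms-ppd-pdmv-device-flow` comes from the thread.

```python
import json, os, time, urllib.error, urllib.parse, urllib.request

# Assumed Keycloak device-flow endpoints for the CERN SSO realm (verify on auth.docs.cern.ch).
DEVICE_URL = "https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/auth/device"
TOKEN_URL = "https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/token"
CLIENT_ID = "cms-ppd-pdmv-device-flow"  # client ID named in the thread

def _post(url, data):
    """Form-encoded POST; Keycloak answers 400 with a JSON error while polling."""
    req = urllib.request.Request(url, urllib.parse.urlencode(data).encode())
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        return json.load(e)

def device_flow(client_id=CLIENT_ID):
    """RFC 8628: one browser interaction (where 2FA happens), then poll for the token."""
    dev = _post(DEVICE_URL, {"client_id": client_id})
    print("Open in a browser:", dev["verification_uri_complete"])
    interval = dev.get("interval", 5)
    while True:
        time.sleep(interval)
        tok = _post(TOKEN_URL, {"client_id": client_id, "device_code": dev["device_code"],
                                "grant_type": "urn:ietf:params:oauth:grant-type:device_code"})
        if "access_token" in tok:
            return tok["access_token"], tok.get("expires_in", 1200)
        if tok.get("error") == "slow_down":
            interval += 5  # server asked us to back off
        elif tok.get("error") != "authorization_pending":
            raise RuntimeError(tok.get("error", "device flow failed"))

class TokenSession:
    """Create once; every request reuses the cached token. The device flow only
    runs again when the token is about to expire (tokens live ~20 min)."""
    def __init__(self, token=None, env_var="MCM_TOKEN", flow=device_flow, now=time.time):
        self._flow, self._now = flow, now
        self._token, self._expiry = None, 0.0
        explicit = token or os.environ.get(env_var)  # constructor wins over environment
        if explicit:
            # Caller-supplied token (e.g. from auth-get-user-token): assume the 20 min lifetime
            self._token, self._expiry = explicit, now() + 20 * 60
    def token(self, margin=30):
        if self._token is None or self._now() + margin >= self._expiry:
            self._token, ttl = self._flow()
            self._expiry = self._now() + ttl
        return self._token
    def headers(self):
        return {"Authorization": "Bearer " + self.token()}  # same header curl -H would send
```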

DickyChant commented 5 months ago

We indeed initialize a separate McM object for each request injection I believe?

Interesting repo, I didn't know about it! Should invite you for a presentation... The credentials are stored in the McM object so you'd get rid of repeated authentication requests by creating it only once.

Under the hood, the McM class just requests a Device Authorization Grant with the client ID cms-ppd-pdmv-device-flow. It would be trivial to modify it to support fetching the token from the environment or passing it in the constructor, you're welcome to submit a PR for that if needed.

I'm not sure about the gridpack machine, I suppose it's using a service account.

Very detailed explanation! Highly appreciated!

  1. For our scripts, it was more or less like a legacy from the past EXO MC&I group, while from @sihyunjeon and @Michael-Krohn the scripts have been largely improved (@sihyunjeon correct me if I'm wrong about that). I think B2G also tries to use this set of scripts, since for BSM PAGs it is really a daily routine to create maybe >100 requests at a time...
  2. For that it would be great!
  3. It uses a service account, but after chatting with @sihyunjeon the practice is a little bit more complicated and a set of scripts is still needed for human intervention... Let me at least try 2....