dmwm / WMCore

Core workflow management components for CMS.
Apache License 2.0

Adopt generic token in the MSUnmerged service #11728

Open amaltaro opened 11 months ago

amaltaro commented 11 months ago

Impact of the new feature
MSUnmerged

Is your feature request related to a problem? Please describe.
As discussed in the Token meeting today, we are considering starting the token adoption effort with one of the microservices. MSUnmerged is a good candidate because it has to access most of the CMS storage endpoints.

MSUnmerged relies on the GFAL2 utils for interacting with the storage. It has both read and write API calls, once a GFAL2 context object is created.

Describe the solution you'd like
We would like to have MSUnmerged running in a hybrid mode, where the GFAL read calls (like stat and listdir) are performed with a generic token that would grant read access to the CMS storage, while GFAL write operations would continue to be performed with x509 authentication, for the time being.

Describe alternatives you've considered
None

Additional context
None

amaltaro commented 10 months ago

As there was a high interest from the FNAL people (Stephan et al) to get going with the Vault token solution for WMAgent, I started working on this ticket: https://github.com/dmwm/WMCore/issues/11199

and we might consider demoting this ticket, given that higher priority was given to #11199.

amaltaro commented 10 months ago

As discussed in today's WMCore team meeting, we decided to demote this issue to Medium priority this quarter (originally planned for the quarter), while https://github.com/dmwm/WMCore/issues/11199 is getting promoted to High priority.

amaltaro commented 2 months ago

From another discussion with Stephan L last week (~13/Jun/2024) during the USCMS All-Hands meeting, the idea is to test a token that can both read and write to the storage. In other words, we would be using a single token for any kind of operation in MSUnmerged and against any RSE, at least to start with.