fermitools / declad

BSD 3-Clause "New" or "Revised" License

Support SciTokens for authentication #3

Closed marcmengel closed 3 months ago

marcmengel commented 8 months ago

Currently Declad is coded assuming you're going to have an X509 service certificate, which then has to be registered with:

and mapped to suitable account/permissions; and of course this has to be redone whenever our service certificate DNs change, and of course the service cert has to be redone annually.

We could configure it (once the newer Rucio versions are out) to use SciTokens to authenticate all these places, assuming we have our Managed Token service push a token to the host with the Declad, but there are several places in the current code that assume x509 authentication that would need to be changed to grab the SciToken and set the Authentication: Bearer ... header.
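An added example, not part of this thread or of declad's code: one way a client could pick up a pushed token and build the bearer header. It assumes the token lands where the WLCG Bearer Token Discovery lookup order expects it and sends it in the standard `Authorization: Bearer` header; the function names, the file-permission policy and the 60-second expiry margin are this example's own choices.

```python
import base64, json, os, time

def read_token_file(path):
    """Read a token file, refusing one readable by group or others (example policy)."""
    with open(path) as f:
        if os.fstat(f.fileno()).st_mode & 0o077:
            raise PermissionError(f"{path}: token file is accessible to group/others")
        return f.read().strip()

def discover_token(env=None, uid=None):
    """First applicable location wins: BEARER_TOKEN, BEARER_TOKEN_FILE,
    $XDG_RUNTIME_DIR/bt_u<uid>, else /tmp/bt_u<uid> (assumed lookup order)."""
    env = os.environ if env is None else env
    uid = os.geteuid() if uid is None else uid
    if env.get("BEARER_TOKEN"):
        return env["BEARER_TOKEN"].strip()
    if env.get("BEARER_TOKEN_FILE"):
        return read_token_file(env["BEARER_TOKEN_FILE"])
    if env.get("XDG_RUNTIME_DIR"):
        return read_token_file(os.path.join(env["XDG_RUNTIME_DIR"], f"bt_u{uid}"))
    return read_token_file(f"/tmp/bt_u{uid}")

def token_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature; the server does
    the real validation, this is only a local freshness check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def bearer_headers(token, now=None, min_lifetime=60):
    """Build the request header, refusing a token that expires within min_lifetime seconds."""
    now = time.time() if now is None else now
    if token_claims(token).get("exp", 0) - now < min_lifetime:
        raise RuntimeError("token is expired or about to expire")
    return {"Authorization": f"Bearer {token}"}

def constructed_token(exp):
    """Constructed, unsigned sample token for the demo; not a real SciToken."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"sub": "declad", "exp": exp}), "sig"])

if __name__ == "__main__":
    tok = discover_token({"BEARER_TOKEN": constructed_token(time.time() + 3600)})
    print(bearer_headers(tok)["Authorization"][:20] + "...")
```

Re-reading the token on every request, rather than caching it at startup, lets a long-running process pick up each refreshed token the token service pushes.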

marcmengel commented 3 months ago

This is implemented in #24