- Feb 22, 2022
-
-
Reiner Hauser authored
-
- Oct 25, 2021
-
-
Reiner Hauser authored
-
Reiner Hauser authored
-
- Oct 23, 2021
-
-
Reiner Hauser authored
-
Reiner Hauser authored
-
Reiner Hauser authored
Since we do this only once every 10 min or so, and we have no state to keep (e.g. a refresh token), we only gain complexity by implementing the gssapi communication again in C++.
-
Reiner Hauser authored
-
Reiner Hauser authored
-
Reiner Hauser authored
-
Reiner Hauser authored
-
- Oct 22, 2021
-
-
root authored
-
Reiner Hauser authored
The 'gssapi' mechanism to acquire a daq token uses an existing Kerberos ticket to authenticate to a server process, and gets a JWT token in return. The 'sub' attribute is the Kerberos principal name without the realm. token_meister_gssapi is supposed to run as a systemd service. It expects a keytab entry of the form atdaqjwt@host.cern.ch where 'host' is the machine's official host name. The default port number is 8990 (can be changed in the systemd socket file). On the client side one can override the hardcoded host name and port number via two environment variables: TDAQ_TOKEN_GSSAPI_HOST and TDAQ_TOKEN_GSSAPI_PORT.
-
- May 02, 2021
-
-
Reiner Hauser authored
-
Reiner Hauser authored
-
Reiner Hauser authored
E.g. if TDAQ_TOKEN_PATH is set to an invalid location, or the server is not running, try the next method.
-
- Apr 29, 2021
-
-
Reiner Hauser authored
Due to the loop over all URLs we may have exceptions in both code paths, for JWS and standard public key.
-
- Apr 27, 2021
-
-
Reiner Hauser authored
-
Reiner Hauser authored
-
Reiner Hauser authored
This makes more sense as the function by now handles all the necessary refreshing etc. The explicit use of requesting a fresh token should be the exception.
-
- Apr 11, 2021
-
-
Reiner Hauser authored
-
- Apr 09, 2021
-
-
Reiner Hauser authored
-
Reiner Hauser authored
This follows the WLCG proposal, using BEARER_TOKEN or BEARER_TOKEN_FILE environment variables. If neither is set ${XDG_RUNTIME_DIR}/bt_u$(id -n)-atlas-tdaq is used. If XDG_RUNTIME_DIR is not set /tmp/bt_u$(id -n)-atlas-tdaq is used.
-
Reiner Hauser authored
This might cause nfs mounts if the key is on a shared file system. Instead the systemd service should be stopped when a private key has changed.
-
- Mar 21, 2021
-
-
Reiner Hauser authored
This script contains the final decision on which release is set up. The systemd service and socket files are independent from any release or if they are in testbed or P1.
-
- Mar 09, 2021
-
-
Reiner Hauser authored
-
Reiner Hauser authored
-
- Mar 07, 2021
-
-
Reiner Hauser authored
-
Reiner Hauser authored
-
Reiner Hauser authored
Otherwise system() will wait until the process is finished, which leads to a deadlock if the browser was started by xdg-open for the first time.
-
- Mar 06, 2021
-
-
Reiner Hauser authored
This hides the codes that are passed around in the URL.
-
- Mar 05, 2021
-
-
Reiner Hauser authored
-
- Mar 04, 2021
-
-
Reiner Hauser authored
First version with certain assumptions, e.g. private key is in /etc/daq_tokens/private.key
-
- Mar 03, 2021
-
-
Reiner Hauser authored
-
Reiner Hauser authored
-
Reiner Hauser authored
We cannot use the %h specifier since it will always be /root, so we have to hard-code it.
-
Reiner Hauser authored
-
Reiner Hauser authored
Browser authentication is not finished, not clear why it fails under certain circumstances, e.g. if no browser is running yet, or not yet authenticated to CERN.
-
Reiner Hauser authored
-
Reiner Hauser authored
Older one returns bytes while new version returns string which has to be encoded before sending via Unix socket.
-
Reiner Hauser authored
-