Adopt token for WMAgent stage-in/stage-out #12144
Comments
|
I think we want to make the stage-out token safe now, i.e. in case a token is in the environment and transfer with token doesn't work, the stage-out doesn't fails. (Right now, if HTCondor makes a token available but token-based transfer doesn't work stage-out may fail.) print date/time gfal-copy ... if ( X509_USER_PROXY is set ) sleep 15 min (token information may change underneath us, so we should print it just before the debug gfal-copy).
|
|
Right! We will add the necessary safety mechanism once we integrate tokens in the grid jobs. Thanks Stephan. |
Impact of the new feature
WMAgent
Is your feature request related to a problem? Please describe.
Similarly to this ticket #11199 , we need to adopt token for the WMAgent payload. In other words, instead of using X509-based stage-in and stage-out auth/authz, we should adopt a token solution for this storage communication.
Describe the solution you'd like
Support token in WMAgent for stage-in / stage-out.
Tokens in the grid jobs will only be available once we configure
a) access to token in the agent node;
b) management of the token in the agent node;
c) propagation of the token by htcondor and WMAgent job description;
d) use of token by the grid job (stage-in / stage-out).
Unless we have all this setup in place, we shouldn't have production jobs accessing tokens during the job runtime.
As a result, that requires at least the following developments:
Describe alternatives you've considered
If token-based auth/authz fails, do we want to fallback to x509 ?
Additional context
None
The text was updated successfully, but these errors were encountered: