Uploaded image for project: 'SAFe Program'
  1. SAFe Program
  2. SP-2832

Integrate Rucio with SRC IAM for auth provision

Change Owns to Parent OfsSet start and due date...
    XporterXMLWordPrintable

Details

    • SRCnet
    • Hide

      The Rucio instance has been integrated with the ESCAPE IAM service historically. Since the SRC IAM service is now up and running and ESCAPE is drawing to a close, it would be good to migrate to using the SRC IAM in order to prevent accruing of further technical debt. If more storage sites are added to the datalake before this migration is done, we would be adding to the collective technical debt across the ART.

      Update: This is becoming especially critical now we're working on APIs. At the moment the data-management IAM client is managed by the ESCAPE IAM instance as some endpoints require token exchanges against the Rucio "auth" client (which has always lived on the ESCAPE IAM instance) to do work within the Rucio ecosystem. As such, the data-management API cannot be integrated with any other API (e.g. permissions) with clients utilising the SKA IAM.

      Show
      The Rucio instance has been integrated with the ESCAPE IAM service historically. Since the SRC IAM service is now up and running and ESCAPE is drawing to a close, it would be good to migrate to using the SRC IAM in order to prevent accruing of further technical debt. If more storage sites are added to the datalake before this migration is done, we would be adding to the collective technical debt across the ART. Update: This is becoming especially critical now we're working on APIs. At the moment the data-management IAM client is managed by the ESCAPE IAM instance as some endpoints require token exchanges against the Rucio "auth" client (which has always lived on the ESCAPE IAM instance) to do work within the Rucio ecosystem. As such, the data-management API cannot be integrated with any other API (e.g. permissions) with clients utilising the SKA IAM.
    • Hide

      AC: Rucio functional tests running (at all deployed sites) with an SRC IAM use, verified via the Grafana dashboard, and token based CLI flow verified for a user registered with SRC IAM

       

      Show
      AC: Rucio functional tests running (at all deployed sites) with an SRC IAM use, verified via the Grafana dashboard, and token based CLI flow verified for a user registered with SRC IAM  
    • 0.5
    • 1
    • 0
    • Team_MAGENTA

    • PI23 - UNCOVERED

    • SRC-AAI SRC-DM SRC-Multi-Team SRC23-PB SRCNet0.1 operations-and-infrastructure

    Description

      This will require:

      • Liaising with FTS pilot instance to trust the SRC IAM auth provider (1SP)
        • Note: If we can get the timing of this right, and have our own SRC FTS ready to be integrated in the Rucio ecosystem, we would do away with this external dependency - update 30-05-24: understand that SKA FTS is not ready, so will press ahead on CERN Pilot.
      • Creating new auth/admin clients on the SKA IAM & adjust idpsecrets.json in Rucio secret (0.5SP)
      • Adjusting the sync script in Rucio task manager, remove all existing accounts and resync (2SP)
      • Having all existing sites switch any token provider fields in configuration from ESCAPE to IAM (1SP to communicate; small one line change and service restart required by each site - should only take ~10 mins but needs RSE operator to be available)

       

      Attachments

        Issue Links

          depends on

          Feature - A Feature is a service that fulfills a stakeholder need. Each feature includes a benefit hypothesis and acceptance criteria, and is sized or split as necessary to be delivered by a single Agile Release Train (ART) in a Program Increment (PI). SP-3775 Complete finalisation and testing of SRCNet FTS instance

          • Must have - Items labelled as "Must have" are critical to the current delivery timebox in order for it to be a success.
          • Releasing

          Feature - A Feature is a service that fulfills a stakeholder need. Each feature includes a benefit hypothesis and acceptance criteria, and is sized or split as necessary to be delivered by a single Agile Release Train (ART) in a Program Increment (PI). SP-3502 Finalise and test deployment of SRCNet FTS instance

          • Must have - Items labelled as "Must have" are critical to the current delivery timebox in order for it to be a success.
          • Discarded
          relates to

          Spike - A time limited investigation to get some knowledge SP-4271 Investigate RSE use in Canadian context

          • Must have - Items labelled as "Must have" are critical to the current delivery timebox in order for it to be a success.
          • Implementing

          Feature - A Feature is a service that fulfills a stakeholder need. Each feature includes a benefit hypothesis and acceptance criteria, and is sized or split as necessary to be delivered by a single Agile Release Train (ART) in a Program Increment (PI). SP-3671 Testing FTS and configuring XrootD

          • Not Assigned - Priority is not assigned yet.
          • Implementing
          mentioned in

          Page Loading...

          Page Loading...

          Page Loading...

          Page Loading...

          Page Loading...

          Page Loading...

          Structure

            Activity

              People

                J.Walder Walder, James
                M.Parra Parra, Manuel
                Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Feature Progress

                  Story Point Burn-up: (22.22%)

                  Feature Estimate: 0.5

                  IssuesStory Points
                  To Do11.0
                  In Progress   22.5
                  Complete11.0
                  Total44.5

                  Dates

                    Created:
                    Updated:

                    Structure Helper Panel