Details
Feature
Won't have (this time)
None
None
SRCnet
17.6
Description
Context: The datalake-as-a-service (DLaaS) is a prototype which integrates storage that forms part of a Rucio datalake prototype with JupyterHub, providing a user interface to schedule the staging of data within a user's Jupyter Notebook environment. It was initially developed at CERN within the ESCAPE project, but has since been replicated as part of the SRC prototyping activities (https://confluence.skatelescope.org/display/SRCSC/SKAO+Data+Lake+as+a+Service+Deployment+-+Setup+Guide).
Summary: Currently, there is a limitation with session persistence that would require some consideration and development to address, which is the scope of this feature.
At the moment, refresh tokens cannot be issued to the DLaaS prototype, so the user must log in again every hour. This is because the token exchange (to obtain a valid Rucio token) is prohibited by IAM if the offline_access scope is requested. Addressing this may require a change to the custom authenticator class used by DLaaS.
Detail: Refresh tokens can be requested from the ESCAPE IAM instance. Since the latest version of Indigo IAM was deployed at INAF for the ESCAPE project, the scope offline_access is prohibited for tokens that are exchanged with the same IAM client as the originally issued token. Since this is how DLaaS originally worked, the offline_access scope must be disabled for these tokens at a Rucio level; this means the session only lasts for 1 hour. One way of doing this would be modifying the oidc-authenticator in JHub so that it points to a fixed Rucio instance.
AC: Refresh token can be requested for Rucio client in DLaaS environment.
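A sketch of the constraint described above, as an added example that is not part of the DLaaS, JupyterHub or Rucio code: it builds the RFC 8693 token-exchange form fields and drops offline_access when the exchanging client is the one the subject token was issued to, the case the description says IAM prohibits. The client IDs, the `rucio` audience, the `client_id` claim name and the sample token are assumptions constructed for illustration.

```python
import base64
import json

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"      # RFC 8693
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"  # RFC 8693


def constructed_token(client_id):
    """Build an unsigned, constructed JWT-shaped sample token for the demo."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64({"client_id": client_id}), ""])


def issued_to(token):
    """Read the client the token was issued to (assumed 'client_id' claim).
    The payload is decoded without signature verification: routing only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload)).get("client_id")


def exchange_fields(subject_token, exchanging_client, audience, scopes):
    """Form fields for the token-exchange POST, plus whether a refresh
    token can come back (only if offline_access survives)."""
    scopes = list(scopes)
    if issued_to(subject_token) == exchanging_client:
        # Same client on both sides: the case the page says IAM prohibits
        # with offline_access, so the scope is dropped (one-hour session).
        scopes = [s for s in scopes if s != "offline_access"]
    fields = {
        "grant_type": GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN,
        "audience": audience,
        "scope": " ".join(scopes),
    }
    return fields, "offline_access" in scopes


if __name__ == "__main__":
    tok = constructed_token("jhub-client")  # hypothetical client id
    wanted = ["openid", "profile", "offline_access"]
    for client in ("jhub-client", "rucio-exchange-client"):  # hypothetical
        fields, refreshable = exchange_fields(tok, client, "rucio", wanted)
        print(client, "->", fields["scope"], "| refresh token possible:", refreshable)
```

The returned fields still need the exchanging client's own authentication and a POST to the IAM token endpoint, neither of which is shown here.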