IGWN Computing and Software
GraceDB
GraceDB Server
Commit
7666fe01
authored
8 years ago
by
Branson Craig Stephens
Added some notes about the shibbolized client.
parent
d0a282ab
admin_doc/source/shibbolized_client.rst
+55
-4
55 additions, 4 deletions
...
@@ -4,8 +4,59 @@
...
@@ -4,8 +4,59 @@
The Shibbolized Client
The Shibbolized Client
================================
================================
Rationale
Goal
==========
====
Eventually, it would be nice to move towards not using any X509-based
authentication. If were able to use Shibboleth only, that would considerably
simplify the auth infrastructure of GraceDB. It's also nicer in the sense that
all of the necessary information comes through the Shibboleth session. That way
we could get rid of our dependence on the LIGO LDAP as well.
Installation and usage
======================
At present, there is an experimental Shibbolized client that lies on a separate
branch. I recommend installing it in a virtual environment::
virtualenv --system-site-packages test
source test/bin/activate
ecp-cookie-init LIGO.ORG https://versions.ligo.org/git albert.einstein
git clone https://versions.ligo.org/git/gracedb-client.git
cd gracedb-client
git checkout shibbolized_client
python setup.py install
In order to use the client you will need a Kerberos ticket cache::
kinit albert.einstein@LIGO.ORG
When you run the initialize method of the client, it uses this ticket cache to
authenticate against the LIGO IdP, and stores the resulting Shibboleth session
in a cookie jar::
from ligo.gracedb.rest import GraceDb
g = GraceDb()
g.initialize()
Now the client is ready to use.
Robots
======
It's possible to obtain LIGO robot keytabs by going to
`robots.ligo.org <https://robots.ligo.org/>`__ and clicking on "Apply for a
shibboleth automaton keytab." Once you have this keytab, you can obtain a
ticket cache by::
kinit myRobot/robot/my.ligo.host.edu -k -t myrobot.robot.my.ligo.host.edu
where ``myrobot.robot.my.ligo.host.edu`` is the name of the keytab file.
These ticket caches are only valid for 24 hours, so it is handy to put the
``kinit`` command into a cron job. When requesting the keytab, make sure to
specify that the robot should belong to the group ``Communities:LSCVirgoLIGOGroupMembers``.
If the robot is to create GraceDB events, then the robot user will need to be
authorized to do that as described in :ref:`new_pipeline`.
The idea here is to wean users off of using X509 certificates for
authenticating to services.
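Review bot: The Robots section tells the reader to put ``kinit myRobot/robot/my.ligo.host.edu -k -t ...`` into a cron job but says nothing about protecting the keytab file, which is a long-lived credential for the robot principal, unlike the 24-hour ticket cache it produces. Please add a sentence requiring that the keytab be readable only by the account that runs the cron job (for example mode 0600) and that it stay out of version control and shared directories. The Installation and usage section has the same gap for the Shibboleth session: it says the session is stored "in a cookie jar" without saying where that file is written or who can read it, so naming the location would let admins check its permissions. Minor wording: "If were able to use Shibboleth only" in the Goal paragraph is missing "we".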