Authentication issues for online PE

Online PE is failing on test and playground due to authentication issues. As I understand, the main issue is that the condor_submit task needs to use a HTTOKENGETOPTS environment variable to read the credentials for setting up the scitoken. I think have a solution that will work for gwcelery (based on this ticket @geoffrey.mo linked elsewhere). I've managed to run this successfully on the shared pe.o4 account.

Add this to the .bashrc

KERBEROS_KEYTAB="${HOME}/.globus/krb5.keytab"
KERBEROS_PRINCIPAL="$(klist -k "${KERBEROS_KEYTAB}" | tail -n 1 | sed 's/.*\s//')"
export HTGETTOKENOPTS="--audience vault.ligo.org --issuer igwn --role read-cvmfs-${USER} --credkey=${KERBEROS_PRINCIPAL} --nooidc"

Update this line to specify -include_env HTTOKENGETOPTS so that it is passed to condor_vault_storer

I'm happy to open an MR with these changes if you are happy with them. It would also be possible to put this all into inference.py, but I suspect having the HTGETOKENOPTS may be useful for other authentication, e.g., #685 (closed).

@soichiro.morisaki @geoffrey.mo

Edited Nov 01, 2023 by Colm Talbot

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information