
arcctl test-jwt

Andrii Salnikov requested to merge andrii/arc:test-jwt into next

Implementation of "Test JWT" functionality in arcctl for development and testing. The functionality relies on changes made in BUGZ-4121.

Usage instructions

Quick start

[root@arc.local]# arcctl test-jwt init
Issuer URL: https://arc.local/arc/testjwt/c9745b43
JWKS:
{
  "keys": [
    {
      "e": "AQAB",
      "kid": "testjwt",
      "kty": "RSA",
      "n": "08ldDw1nDgAg0PplUt4gHm66i_EWhtFkmjepYn06dnXNsRfIJZ1fBfloEXQMZQNt-I1TujK6r02SE3CR3ixsCdwFupAYfE7GnVbn4JUmY6z_kZx6OGq-AFtPfc5w14a38GNHgE6kScS7sAyveThaYVGFlWW5nlxob57L9M2PAXWU3gh2VTZdO_g0BjJYV_n019Je_cX7-AGMjY9qA0pyeLewAf-e8Ce1zhflazlr-Yc74WWmv-DLWC5laJYxaqC_CDBRsKjjxCbhrOlkA8vpHw2s4kUAr2Bx8aJetbNK3gs-if2YAzI996xG67qvG0fiOznNSPUfjDofg8whTCU_Kw",
      "use": "sig"
    }
  ]
}

If run by root on the A-REX host, the files necessary for the controldir to trust the Test JWT issuer are added.

The export/import feature to establish trust with test-jwt run on another host is not yet implemented in this MR.

However, arc.conf still needs a proper [authgroup] configuration to authorize and map the tokens.

Use the Issuer URL returned by init (or run arcctl test-jwt info --arc-conf) to define the authgroup:

[authgroup:testjwt]
authtokens = * https://arc.local/arc/testjwt/c9745b43 arc * *

[arex/ws/jobs]
allowaccess = testjwt

Issue token

To generate a token signed by the TestJWT instance, run (the token is just printed to stdout):

arcctl test-jwt token

Or, on the arc-client machine (to set the environment variable read by arcsub):

export BEARER_TOKEN=$( arcctl test-jwt token )

Fine-tune token claims

Token claims can be modified via command line arguments, see the help:

# arcctl test-jwt token -h
usage: arcctl test-jwt token [-h] [-p PROFILE] [-n USERNAME] [-v VALIDITY]
                             [-s SCOPES] [-c CLAIMS]

optional arguments:
  -h, --help            show this help message and exit
  -p PROFILE, --profile PROFILE
                        Generate using token named profile (default is default
  -n USERNAME, --username USERNAME
                        Use specified username instead of automatically
                        generated
  -v VALIDITY, --validity VALIDITY
                        Validity of the token in hours (default is 12)
  -s SCOPES, --scopes SCOPES
                        Additional scopes to include into the token
  -c CLAIMS, --claims CLAIMS
                        Additional claims (JSON) to include into the token

E.g. arcctl test-jwt token -n 'Andrii Salnikov' -s "storage.read storage.write" -v 72 will generate a token with a subject matching my name, add the given scopes to the list of scopes and increase the validity from the default 12 to 72 hours.
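As an added example (not code from this MR or from arcctl), the round trip the instructions above set up, stdlib-only so it runs offline: an RS256 issuer publishing a JWK in the shape init prints, a token carrying the claims the -n/-s/-v options control, and the consumer-side checks an A-REX has to make in order: signature against the JWKS, issuer against the URL configured in [authgroup], then expiry. The key generation, the 512-bit demo key size, the claim names aud and scope, and the "arc" audience are assumptions made for this example, not details taken from arcctl.

```python
import base64, hashlib, json, random, time

# Stdlib-only RS256 (no PyJWT/cryptography). 512-bit demo key only: NOT a production key size.
def _is_probable_prime(n, rounds=16):  # Miller-Rabin for odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    return all(pow(a, d, n) == 1 or any(pow(a, d << i, n) == n - 1 for i in range(r))
               for a in (random.randrange(2, n - 1) for _ in range(rounds)))

def make_key(bits=512, e=65537):  # assumption: arcctl's real key handling is not shown here
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:  # e is prime, so gcd(e, phi) == 1 here
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _nbytes(n): return (n.bit_length() + 7) // 8
_SHA256_DI = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix

def _emsa(msg, k):  # EMSA-PKCS1-v1_5 of SHA-256(msg) as an int, k = modulus size in bytes
    t = _SHA256_DI + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def jwk_public(key, kid="testjwt"):  # same shape as the JWKS that 'arcctl test-jwt init' prints
    return {"kty": "RSA", "kid": kid, "use": "sig", "e": _b64u(key["e"].to_bytes(3, "big")),
            "n": _b64u(key["n"].to_bytes(_nbytes(key["n"]), "big"))}

def issue_token(key, iss, sub, scopes, validity_h=12, kid="testjwt"):
    now = int(time.time())  # claims mirror the 'arcctl test-jwt token' options -n, -s and -v
    payload = {"iss": iss, "sub": sub, "aud": "arc", "scope": " ".join(scopes),
               "iat": now, "exp": now + validity_h * 3600}
    si = _b64u(json.dumps({"alg": "RS256", "kid": kid}).encode()) + "." + _b64u(json.dumps(payload).encode())
    k = _nbytes(key["n"])
    return si + "." + _b64u(pow(_emsa(si.encode(), k), key["d"], key["n"]).to_bytes(k, "big"))

def verify_token(token, jwk, expected_iss):  # signature first, then issuer (the [authgroup] URL), then expiry
    h, p, s = token.split(".")
    n, e = (int.from_bytes(_b64u_dec(jwk[x]), "big") for x in ("n", "e"))
    if pow(int.from_bytes(_b64u_dec(s), "big"), e, n) != _emsa(f"{h}.{p}".encode(), _nbytes(n)):
        raise ValueError("signature does not verify against the JWKS")
    claims = json.loads(_b64u_dec(p))
    if claims.get("iss") != expected_iss: raise ValueError("issuer is not the one trusted by [authgroup]")
    if claims.get("exp", 0) <= time.time(): raise ValueError("token expired")
    return claims
```

A token whose issuer URL differs from the one in the authtokens line is rejected even when its signature is valid, which is why the init output has to be copied into arc.conf exactly.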

Use token profiles

Create a profile with customized claims to reuse when generating tokens, instead of passing command line arguments each time:

arcctl test-jwt config-set -p wlcg username "Atlas User"
arcctl test-jwt config-set -p wlcg scopes "compute.create:/"
arcctl test-jwt config-set -p wlcg claims '{"wlcg.ver": "1.0", "wlcg.groups": ["/atlas", "/atlas/production"]}'
arcctl test-jwt config-set -p wlcg validity 24

Then issue tokens with:

arcctl test-jwt token -p wlcg