- Rucio:
- Reminder: at the time of writing, Rucio officially supports only single-VO instances, INDIGO IAM, the WLCG token profile, TPC and deletions, only disk RSEs, and only the WebDAV protocol using the GFAL implementation.
- We’re currently restricting ourselves to refining what’s already implemented.
- The development of new features will resume after DC24.
- We’ve identified a regression affecting deletions.
- Tokens are not used, even in cases where they’re supposed to be.
- Will be addressed in the next release.
- The interaction between Rucio and IAM is non-standard.
- Rucio uses the client credentials flow to request a token with a specific scope and audience. The audience part is not described in the OAuth specifications.
- A different interaction that was tried was to use the client credentials flow to acquire a scope- and audience-less token, then use the token exchange flow to acquire a scope- and audience-specific token (and the former can be cached and reused many times). This seems to be standard and mostly worked, except IAM disallows this if the requested scope contains offline_access (needed by FTS).
- It would seem prudent to not deviate from the standards.
- Rucio will need to support more token providers (e.g. CILogon).
- ATLAS:
- We’re steadily increasing the number of RSEs with token support.
- 10 sites, but only SCRATCHDISKs; the DATADISKs will be enabled next week.
- The ATLAS and Pilot FTS instances are upgraded and configured to use tokens.
- Sites in North America which are capable of using tokens will be reassigned from the BNL to the Pilot instance.
- CMS (from K. Ellis):
- Release 33 being tested in integration.
- Manual testing is unable to confirm that Rucio will be able to acquire the necessary tokens from IAM.
- Some restriction appears to prevent the acquisition of a token with the fts scope.
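
The two IAM interactions described in the Rucio item above (one client credentials request carrying scope and audience, versus a cached base token followed by token exchange), as an added example that is not Rucio's or IAM's code. It only builds the form-encoded request bodies, leaves out client authentication, and uses constructed scope, audience and token values; the function names are hypothetical.

```python
from urllib.parse import urlencode

# Grant and token type identifiers defined by RFC 8693 (OAuth 2.0 Token Exchange).
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def direct_request(scope, audience):
    """Flow 1: a single client credentials request with scope and audience."""
    return urlencode({
        "grant_type": "client_credentials",
        "scope": scope,
        # Extension parameter: the RFC 6749 client credentials grant
        # defines only grant_type and scope.
        "audience": audience,
    })


def base_request():
    """Flow 2, step 1: scope- and audience-less token that can be cached."""
    return urlencode({"grant_type": "client_credentials"})


def exchange_request(base_token, scope, audience):
    """Flow 2, step 2: exchange the cached token for a narrowed one."""
    if "offline_access" in scope.split():
        # Mirrors the restriction reported in the notes: IAM disallows
        # token exchange when the requested scope contains offline_access.
        raise ValueError("offline_access cannot be requested via token exchange")
    return urlencode({
        "grant_type": TOKEN_EXCHANGE,
        "subject_token": base_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "scope": scope,
        "audience": audience,
    })


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    scope, aud = "storage.read:/data", "https://rse.example.org"
    print(direct_request(scope, aud))
    print(base_request())
    print(exchange_request("BASE_TOKEN_PLACEHOLDER", scope, aud))
```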