• context: since December 2024, trying to set up a DarkSide k8s PanDA instance
    • based on the successful Panda-DOMA demonstrator
  • status: not working yet
    • IAM-based authentication with experiment IAM
    • token-based authentication (although CNAF can also successfully handle VOMS-AA from experiment IAM)
  • a few main differences in use case w.r.t., for example, ATLAS
    • CNAF proposed to map each IAM user automatically to a different "darksideNNN" local user, based on the wlcg.groups token field
      • this is different from the client id/secret workflow
      • temporary solution: CNAF allowed us to map our IAM client to a single, "service" account
    • we must pass the token scope to rucio, as that is how we keep blind data blind (and keep the data and MC storage areas read-only for non-production users)
      • for example, IAM releases the storage.read:/blind scope only to users in a given IAM group (implemented with https://indigo-iam.github.io/v/v1.7.2/docs/reference/api/scope-policy-api/)
      • and the storage is configured to require that scope to be present
      • in this way rucio policies cannot circumvent the "blind data must be blind" requirement
      • that's why we cannot map all IAM users to a single service rucio account
      • the question is whether this is still possible when using rucio with PanDA
  • many issues observed in the k8s deployment
    • beyond documentation gaps and some level of hardcoding, some instability in the setup seems to be making us lose time
    • having an example system which works out-of-the-box would be quite useful for newcomers
      • devil is in the details...
      • in any case, we are continuously documenting what we do, so that this might be possible in the future
  • effort ongoing - many thanks to the continuing support from Edward, Wen, Paul, Fa Hui and other panda developers
    • main question is whether we should pause deployment attempts until the under-the-hood PanDA fixes are implemented
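The "blind data must be blind" mechanism described above (IAM releases storage.read:/blind only to one group; the storage endpoint requires that scope) can be shown as an added example. This is illustration code written for these notes, not DarkSide, CNAF, IAM or PanDA code: the IAM scope policy is emulated by a small table, the group names (/darkside/blind-readers, /darkside/production) and storage paths are assumptions, and the tokens are constructed decoded payloads, with signature verification assumed to have already happened.

```python
"""Scope-based path authorization in the WLCG token profile style.

Two sides are shown: (1) an emulated IAM scope policy that decides which
requested storage.* scopes a user receives based on wlcg.groups, and (2) the
storage-side check that a request is covered by a storage.<op>:/prefix scope
actually present in the token. Because (2) looks only at the token, no Rucio
account mapping or policy can widen what a user may read.
"""
from __future__ import annotations

from posixpath import normpath

# --- IAM side (emulation, assumption: stands in for the IAM scope-policy API)
# scope -> the single group that must be in wlcg.groups for it to be released.
SCOPE_POLICY = {
    "storage.read:/blind": "/darkside/blind-readers",
    "storage.read:/data": "/darkside",
    "storage.read:/mc": "/darkside",
    "storage.modify:/": "/darkside/production",
}


def release_scopes(groups: list[str], requested: str) -> str:
    """Return the space-separated subset of requested scopes the policy releases."""
    released = []
    for scope in requested.split():
        if not scope.startswith("storage."):
            released.append(scope)  # openid, profile, ... not governed here
            continue
        required_group = SCOPE_POLICY.get(scope)
        # Unknown storage scope, or required group missing: silently drop it.
        # Group membership is an exact match; parent groups do not imply children.
        if required_group is not None and required_group in groups:
            released.append(scope)
    return " ".join(released)


# --- storage side: check a request against the scopes in the presented token
def parse_storage_scopes(scope_claim: str) -> dict[str, list[str]]:
    """Map each storage operation to the normalized path prefixes it allows."""
    allowed: dict[str, list[str]] = {}
    for scope in scope_claim.split():
        if not scope.startswith("storage."):
            continue
        op, _, path = scope.partition(":")
        if not path.startswith("/"):
            continue  # malformed storage scope: ignore rather than guess
        allowed.setdefault(op, []).append(normpath(path))
    return allowed


def _under(path: str, prefix: str) -> bool:
    """True if path lies at or below prefix, matching on whole path segments."""
    path = normpath(path)  # collapses /data/../blind -> /blind before matching
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def authorized(scope_claim: str, op: str, path: str) -> bool:
    """Is operation `op` (e.g. storage.read) on `path` covered by the token?"""
    return any(_under(path, p) for p in parse_storage_scopes(scope_claim).get(op, []))


if __name__ == "__main__":
    # Constructed sample users (not real DarkSide IAM output).
    plain = ["/darkside"]
    blind_reader = ["/darkside", "/darkside/blind-readers"]
    asked = "openid storage.read:/data storage.read:/mc storage.read:/blind"
    for name, groups in (("plain user", plain), ("blind reader", blind_reader)):
        tok = release_scopes(groups, asked)
        print(f"{name}: scope={tok!r} "
              f"read /blind/run001/f.root -> {authorized(tok, 'storage.read', '/blind/run001/f.root')}")
```

The storage-side check is what makes the scheme robust: a token carrying only storage.read:/data cannot reach /data/../blind/... (the path is normalized first) nor /blinded/... (prefixes match on whole segments), and a read scope never grants storage.modify. Whatever account Rucio maps the user to, the storage still sees the user's own token scopes.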