SL7 Tokens
To get a token that allows you to access files interactively in SL7
htgettoken -i dune --vaultserver htvaultprod.fnal.gov -r interactive
export BEARER_TOKEN_FILE=/run/user/`id -u`/bt_u`id -u`
put this in a file called dune_token.sh
The first time you do this you will see:
Attempting kerberos auth with https://htvaultprod.fnal.gov:8200 ... succeeded
Attempting to get token from https://htvaultprod.fnal.gov:8200 ... failed
Attempting OIDC authentication with https://htvaultprod.fnal.gov:8200
Complete the authentication at:
https://cilogon.org/device/?user_code=XXXX
No web open command defined, please copy/paste the above to any web browser
Waiting for response in web browser
Go to that web site and authenticate
Storing vault token in /tmp/vt_uXXX
Saving credkey to /nashome/s/USER/.config/htgettoken/credkey-dune-interactive
Saving refresh token ... done
Attempting to get token from https://htvaultprod.fnal.gov:8200 ... succeeded
Storing bearer token in /run/user/XXXX/bt_XXXX
Accessing rucio and justin require a bit more
in SL7 - put this in a file called dune_data_sl7.sh so you can use it again.
setup metacat
setup rucio
export RUCIO_ACCOUNT=justinreadonly
setup justin
justin time # this just tells justin that you exist and want to authenticate
justin get-token # this actually gets a token and associated proxy for access to rucio and the batch system
The first time you do this you will get asked (after the justin time command)
To authorize this computer to run the justin command, visit this page with your
usual web browser and follow the instructions within the next 10 minutes:
https://dunejustin.fnal.gov/authorize/XXXXX
Check that the Session ID displayed on that page is BfhVBmQ
Once you've followed the instructions on that web page, please run the command
you tried again. You won't need to authorize this computer again for 7 days.
Once again go to the website that appears and authenticate. After the first authentication to justIn you need to do a second justin call
justin get-token
You will need to do this sequence weekly as your justin access expires.
Note:
Despite the name of this command it gets you both a token and a special X.509 proxy and it is the latter you are actually using to talk to rucio in these SL7 examples
AL9 Tokens
Note: The justin get-token method for authentication does not currently work on AL9
The justin get-token command is not distributed on AL9/Spack currently. Please use SL7 if you need to use rucio.
normal tokens (below) for
xrootaccess do work
getting a token for xroot access in AL9
Make certain you have al9 set up
Then use htgettoken to get a token so you can read the files you find.
htgettoken -i dune --vaultserver htvaultprod.fnal.gov -r interactive
export BEARER_TOKEN_FILE=/run/user/`id -u`/bt_u`id -u`
The first time you do it it will ask you to authenticate using a web browser.
You should be able to read files at remote sites now.
You may need to repeat the htgettoken as the interactive tokens are pretty short-lived. Batch jobs do their own tokens.
Check your token httogendecode