Andrea Ceccanti andreaceccanti

VOMS REST API documentation

VOMS implements a REST API that can be used to get a VOMS attribute certificate.

API endpoint

https://<voms.host>:<voms.port>/generate-ac

Authentication requirements

@andreaceccanti
andreaceccanti / token-based-authn-wlcg-doma-proposal.md
Last active October 2, 2019 07:03
Token based authn/z for WLCG RUCIO/FTS/SEs

RUCIO/FTS TPC scenario (service identity, capability-based authz)

In this scenario, RUCIO and FTS manage transfers using their own service identity.

The chain of services is

RUCIO -> FTS -> SE1, SE2

RUCIO wants to trigger transfer of file /cms/example from SE1 to SE2.

oidc:
  providers:
  - name: google
    issuer: https://accounts.google.com
    client:
      clientId: ${IAM_GOOGLE_CLIENT_ID}
      clientSecret: ${IAM_GOOGLE_CLIENT_SECRET}
      redirectUris: ${iam.baseUrl}/openid_connect_login
      scope: openid,profile,email,address,phone
    loginButton:
@andreaceccanti
andreaceccanti / dc-get-access-token.sh
Last active February 20, 2020 14:42
A get-access-token script that uses the OAuth device code flow
#!/bin/bash
set -e

# Called when the user aborts the device code flow
exit_msg() {
  echo "Giving up as requested by user..."
  exit 1
}

# The device code client id must be provided through the environment
if [[ -z "${IAM_DEVICE_CODE_CLIENT_ID}" ]]; then
  echo "Please set the IAM_DEVICE_CODE_CLIENT_ID env variable"
  exit 1
fi

Keybase proof

I hereby claim:

  • I am andreaceccanti on github.
  • I am andreaceccanti (https://keybase.io/andreaceccanti) on keybase.
  • I have a public key ASAjMuawZd0I9FLqw0FuWSmyFPLMsBrooAodO7p7kT_PJgo

To claim this, I am signing this object:

@andreaceccanti
andreaceccanti / storm-ptp-cleanup.sql
Last active September 29, 2017 15:49
StoRM PtP cleanup scripts
-- Selects and displays PtP requests that are stuck in progress for one month
SELECT rq.ID, rq.timeStamp, rp.targetSURL, sp.statusCode, sp.explanation
FROM storm_db.request_queue rq, storm_db.request_Put rp, storm_db.status_Put sp
WHERE rq.ID = rp.request_queueID AND rp.ID = sp.request_PutID
  AND rq.status = 18 AND rq.timeStamp <= DATE_SUB(CURRENT_TIMESTAMP(), INTERVAL 1 MONTH);

-- Marks PtP requests stuck in progress for one month as expired, so that the StoRM
-- request garbage collector will remove them from the database.
-- The WHERE clause mirrors the SELECT above so that only those stuck requests are
-- touched; an UPDATE without it would expire every PtP request in the database.
UPDATE storm_db.request_queue rq, storm_db.request_Put rp, storm_db.status_Put sp
SET sp.statusCode = 1, sp.explanation = "Request expired.", rq.status = 1
WHERE rq.ID = rp.request_queueID AND rp.ID = sp.request_PutID
  AND rq.status = 18 AND rq.timeStamp <= DATE_SUB(CURRENT_TIMESTAMP(), INTERVAL 1 MONTH);
#!/bin/bash
IAM_CLIENT_ID=${IAM_CLIENT_ID:-iam-client}
IAM_CLIENT_SECRET=${IAM_CLIENT_SECRET}
IAM_TOKEN_ENDPOINT=${IAM_TOKEN_ENDPOINT:-https://iam-test.indigo-datacloud.eu/token}

# The client secret has no default and must come from the environment
if [[ -z "${IAM_CLIENT_SECRET}" ]]; then
  echo "Please provide a client secret setting the IAM_CLIENT_SECRET env variable."
  exit 1
fi
@andreaceccanti
andreaceccanti / README-unauthenticated-client-voms.md
Last active October 14, 2016 17:40
Check that a VOMS database has the unauthenticated client internal administrator correctly set up

Problem description

As reported in this ggus-ticket, in certain circumstances VOMS Admin accepts membership requests from users without a valid X.509 certificate.

This has no security impact on the server, but can lead to VO admins receiving membership requests with strange user certificate subjects, like the following:

[image: Strange request]

@andreaceccanti
andreaceccanti / README.md
Last active August 29, 2015 14:16
cleanup StoRM stuck PtP requests

Summary

This bug:

https://issues.infn.it/jira/browse/STOR-779

prevents the proper cleanup of ongoing PtPs on a SURL when srmRm is called on that SURL, on all StoRM versions >= 1.11.5.

This bug will be fixed in StoRM 1.11.8, scheduled for release on Friday, March 13th 2015.

@andreaceccanti
andreaceccanti / run-voms-deployment-test.sh
Created October 10, 2014 15:04
run voms deployment test
SCRIPT_URL="https://raw.github.com/italiangrid/voms-deployment-test/master/voms-deployment-test.sh"

# Note: --no-check-certificate disables TLS certificate verification for this download,
# so the fetched script is not protected against tampering in transit.
wget --no-check-certificate "$SCRIPT_URL" -O voms-deployment-test.sh
chmod +x voms-deployment-test.sh

# Map the PERFORM_DATABASE_UPGRADE flag to the yes/no value the test script expects
DB_UPGRADE="no"
if [ "$PERFORM_DATABASE_UPGRADE" = "true" ]; then
  DB_UPGRADE="yes"
fi