escape-docs

ESCAPE AAI documentation

The ESCAPE IAM instance is now available.

Registration is active. Users can authenticate via Google, IAM or their eduGAIN IdP (provided the IdP releases the necessary attributes).

IAM documentation is available here.

Client applications can be registered following these instructions.

VOMS support is enabled. To link an X.509 certificate to an existing IAM ESCAPE account, follow these instructions. As in VOMS, multiple certificates can be linked to an account.

ESCAPE VO configuration

To have a working VOMS configuration for the ESCAPE VO:

The latest supported VOMS clients are required (i.e. voms-proxy-init version 3 or later). Also note that this VO is served by IAM, i.e. there are no VOMS Admin endpoints that can be used to generate gridmap files.

Token based AuthN/Z

Token-based authorization in the ESCAPE data lake will be realized by extending the work done in the context of the WLCG Authorization Working Group, in particular on the WLCG JWT profile.

We will work in incremental steps towards support for group-based fine-grained authorization, according to the requirements defined in the ESCAPE namespace authorization proposal.

Step 0: coarse-grained VOMS and token-based authorization

The objective of this first step is to enable coarse-grained access to the ESCAPE namespace to the ESCAPE VO members.

The authentication and authorization requirements are:

These requirements will be honoured for VOMS and token-based authz.

A test suite has been developed to assess the compliance of the ESCAPE data lake with the requirements above.

Token request instructions

In order to support token-based authn/z as described above, tokens should be requested with at least the following scopes:

With oidc-agent, this is done with a command like:

> oidc-token -s openid -s wlcg.groups escape

For more information on how to use oidc-agent to obtain tokens from IAM, see the relevant IAM documentation.
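The coarse-grained check a data lake service performs on such a token, as an added example that is not part of this documentation or of the ESCAPE test suite: it verifies the signature, the issuer and the expiry, then requires the `openid` and `wlcg.groups` scopes and membership in the VO group carried in the `wlcg.groups` claim. The HS256 key, the issuer URL and the group name `/escape` are constructed placeholders; a real IAM token is RS256-signed and is verified against the issuer's published JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes) -> str:
    # Constructed HS256 token for the demo only; IAM issues RS256 tokens
    # whose public keys are fetched from the issuer's JWKS endpoint.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def authorize(token, key, issuer, vo_group,
              required_scopes=("openid", "wlcg.groups"), now=None):
    """Coarse-grained (step 0) check: is this a valid, unexpired token from
    the expected issuer that proves membership in the VO group?"""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    # The verifier fixes the algorithm itself; the header's "alg" is never
    # trusted, which rules out algorithm-confusion tricks.
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(body))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False, "unexpected issuer"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    missing = set(required_scopes) - set(claims.get("scope", "").split())
    if missing:
        return False, f"missing scopes: {sorted(missing)}"
    if vo_group not in claims.get("wlcg.groups", []):
        return False, f"not a member of {vo_group}"
    return True, "authorized"
```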

Presentations