Replace X509 with scitokens

gwpy · Jan 30, 2025 · e8b0142 · e8b0142
1 parent 41c4049
commit e8b0142
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 48 deletions.
diff --git a/gwsumm/batch.py b/gwsumm/batch.py
@@ -30,17 +30,17 @@
 
 from glue import pipeline
 
-from gwdatafind.utils import find_credential
-
-from gwpy.io import kerberos as gwkerberos
-
 from gwdetchar import cli
 
 from . import __version__
 from .utils import mkdir
 
 __author__ = 'Duncan Macleod <duncan.macleod@ligo.org>'
-__credits__ = 'Alex Urban <alexander.urban@ligo.org>'
+__credits__ = ('Alex Urban <alexander.urban@ligo.org>, '
+               'Evan Goetz <evan.goetz@ligo.org>, '
+               'Iara Ota <iara.ota@ligo.org>'
+               )
+
 
 PROG = ('python -m gwsumm.batch' if sys.argv[0].endswith('.py')
         else os.path.basename(sys.argv[0]))
@@ -474,23 +474,9 @@ def main(args=None):
         args.config_file[i] = ','.join(inicopy)
     logger.debug("Copied all INI configuration files to %s" % etcdir)
 
-    # -- configure X509 and kerberos for condor -----
-
-    if args.universe != 'local':
-        # copy X509 grid certificate into local location
-        (x509cert, _) = find_credential()
-        x509copy = os.path.join(etcdir, os.path.basename(x509cert))
-        shutil.copyfile(x509cert, x509copy)
-
-        # rerun kerberos with new path
-        krb5cc = os.path.abspath(os.path.join(etcdir, 'krb5cc.krb5'))
-        gwkerberos.kinit(krb5ccname=krb5cc)
-        logger.debug("Configured Condor and Kerberos "
-                     "for NFS-shared credentials")
-
     # -- build DAG ----------------------------------
 
-    dag = pipeline.CondorDAG(os.path.join(htclogdir, '%s.log' % args.file_tag))
+    dag = pipeline.CondorDAG(os.path.join(htclogdir, f'{args.file_tag}.log'))
     dag.set_dag_file(os.path.join(outdir, args.file_tag))
 
     universe = args.universe
@@ -501,23 +487,26 @@ def main(args=None):
     condorcmds = {}
     if args.condor_timeout:
         condorcmds['periodic_remove'] = (
-            'CurrentTime-EnteredCurrentStatus > %d' %
-            (3600 * args.condor_timeout)
+            'CurrentTime-EnteredCurrentStatus > {3600 * args.condor_timeout}'
         )
     for cmd_ in args.condor_command:
         (key, value) = cmd_.split('=', 1)
         condorcmds[key.rstrip().lower()] = value.strip()
 
     if args.universe != 'local':
-        # add X509 to environment
-        for (env_, val_) in zip(['X509_USER_PROXY', 'KRB5CCNAME'],
-                                [os.path.abspath(x509copy), krb5cc]):
-            condorenv = '%s=%s' % (env_, val_)
-            if ('environment' in condorcmds and
-                    env_ not in condorcmds['environment']):
-                condorcmds['environment'] += ';%s' % condorenv
-            elif 'environment' not in condorcmds:
-                condorcmds['environment'] = condorenv
+        # Use scitokens
+        condorcmds['use_oauth_services'] = 'scitokens'
+        if ('environment' in condorcmds and
+                'BEARER_TOKEN_FILE' not in condorcmds['environment']):
+            condorcmds['environment'] += (
+                ';BEARER_TOKEN_FILE='
+                '$$(CondorScratchDir)/.condor_creds/scitokens.use'
+                )
+        elif 'environment' not in condorcmds:
+            condorcmds['environment'] = (
+                'BEARER_TOKEN_FILE='
+                '$$(CondorScratchDir)/.condor_creds/scitokens.use'
+                )
 
     # -- build individual gw_summary jobs -----------
 
@@ -527,7 +516,7 @@ def main(args=None):
     if not args.skip_html_wrapper:
         htmljob = GWSummaryJob(
             'local', subdir=outdir, logdir=logdir,
-            tag='%s_local' % args.file_tag, **condorcmds)
+            tag=f'{args.file_tag}_local', **condorcmds)
         jobs.append(htmljob)
     if not args.html_wrapper_only:
         datajob = GWSummaryJob(

diff --git a/gwsumm/tests/test_batch.py b/gwsumm/tests/test_batch.py
@@ -23,8 +23,6 @@
 import pytest
 import shutil
 
-from unittest import mock
-
 from .. import batch
 
 __author__ = 'Alex Urban <alexander.urban@ligo.org>'
@@ -39,7 +37,6 @@ def _get_inputs():
     inputs = (
         os.path.join(indir, "global.ini"),
         os.path.join(indir, "k1-test.ini"),
-        os.path.join(indir, "x509.cert"),
     )
     # write empty input files
     for filename in inputs:
@@ -50,17 +47,9 @@ def _get_inputs():
 
 # -- cli tests ----------------------------------------------------------------
 
-@mock.patch(
-    'gwsumm.batch.find_credential',
-)
-@mock.patch(
-    'gwpy.io.kerberos.kinit',
-    return_value=None,
-)
-def test_main(krb, x509, tmpdir, caplog):
+def test_main(tmpdir, caplog):
     outdir = str(tmpdir)
-    (global_, k1test, x509cert) = _get_inputs()
-    x509.return_value = (x509cert, x509cert)
+    (global_, k1test,) = _get_inputs()
     args = [
         '--verbose',
         '--ifo', 'K1',
@@ -97,12 +86,11 @@ def test_main(krb, x509, tmpdir, caplog):
     }
     assert set(os.listdir(os.path.join(outdir, "etc"))) == {
         os.path.basename(k1test),
-        os.path.basename(x509cert),
         os.path.basename(global_),
     }
     assert set(os.listdir(os.path.join(outdir, "logs"))) == set()
     # clean up
-    for filename in (global_, k1test, x509cert):
+    for filename in (global_, k1test,):
         os.remove(filename)
     shutil.rmtree(outdir, ignore_errors=True)
 
@@ -136,7 +124,7 @@ def test_main_loop_over_modes(tmpdir, caplog, mode):
     assert "Setup complete, DAG written to: {}".format(
         os.path.join(outdir, "gw_summary_pipe.dag")) in caplog.text
     # clean up
-    for filename in (global_, k1test, x509cert):
+    for filename in (global_, k1test,):
         os.remove(filename)
     shutil.rmtree(outdir, ignore_errors=True)