Map to local user with token
In the WLCG it is common to map to a system user, for instance a pool of accounts shared by members of a certain VO. In non-WLCG use cases it may be more appropriate to map to the actual username of the ARC submitter on that particular compute site.
This can be achieved with tokens, provided that the site has an associated IAM (token issuer) and the user can obtain a token that includes a username claim, or some other claim that holds the local username.
Here we show an example of how such a mapping can be achieved using the map_with_plugin option in the [mapping] block.
Step 1. Create auth group
In your arc.conf, create an authgroup block that matches tokens issued by the site's token issuer, in this example the University of Oslo (uio). The issuer field must match the iss claim of the token exactly. The remaining fields (subject, audience, scope, group) are wildcards here, so any valid token from this issuer matches; tighten them if the issuer also serves users who should not be mapped.
[authgroup:uio-hpc-users]
authtokens = * https://uio-hpc-iam.uio.no/ * * *
Step 2. Map the authgroup
In your arc.conf, map the authgroup through your custom plugin. The second field (10) is the timeout in seconds that the plugin is allowed to run before ARC gives up on the mapping.
[mapping]
map_with_plugin = uio-hpc-users 10 /opt/arc/scripts/token-map.sh
Step 3. Create an executable script that returns the username
The map_with_plugin option makes the token available to the plugin through BEARER_TOKEN environment variables, as documented for that option. In this example our token contains the claim user, which holds the real username on the ARC compute site, which is what we are after. As usual, that account must already exist on the ARC-CE and on the compute nodes.
For our example we create the script /opt/arc/scripts/token-map.sh, as configured in arc.conf above, containing:
#!/bin/bash
# map by the "user" claim of the first bearer token
user="${BEARER_TOKEN_0_CLAIM_user_0}"
# refuse the mapping if the claim is absent: a non-zero exit means "no mapping"
[ -n "$user" ] || exit 1
echo "$user"
The script prints the username on standard output and exits 0; ARC then uses that name as the local account, as configured in arc.conf in Step 2. The script must be executable by the ARC service, and it runs for every matching request, so keep it fast.
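As an added example (not code from the ARC project or its documentation), the following is a stricter version of token-map.sh that a site might deploy. It keeps the same contract as above (print the username and exit 0, or exit non-zero to refuse the mapping) but additionally validates the claim value before trusting it: the name must be a well-formed local username, it must resolve to an existing account, and that account must not be a system account. The UID floor of 1000, the use of getent passwd, and the filename-based entry point are assumptions of this example, not ARC requirements.

```shell
#!/bin/bash
# Added example: hardened token-map.sh plugin for ARC map_with_plugin.
# Contract (from ARC): print the local username and exit 0 on success;
# exit non-zero to refuse the mapping. Everything else here is site policy.
export LC_ALL=C          # make the [a-z] ranges below ASCII-only

MIN_UID=1000             # assumption: regular site accounts start at UID 1000

# A claim value is only accepted as a username if it is non-empty, at most
# 32 characters, starts with a lowercase letter or underscore, and contains
# nothing but [a-z0-9_-]. This blocks shell metacharacters, path fragments
# and mixed-case look-alikes before the value reaches any command.
valid_username() {
    case "$1" in
        "")             return 1 ;;
        *[!a-z0-9_-]*)  return 1 ;;
        [a-z_]*)        ;;
        *)              return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Resolve a username to its UID via the NSS database. Kept in its own
# function so the lookup can be replaced in tests.
lookup_uid() {
    getent passwd "$1" | cut -d: -f3
}

# Map a claim value to a local account. Prints the username and returns 0
# on success; prints nothing and returns 1 if the value is malformed, the
# account does not exist, or it is a system account below MIN_UID.
map_token_user() {
    local user="$1"
    local uid
    valid_username "$user" || return 1
    uid="$(lookup_uid "$user")" || return 1
    [ -n "$uid" ] || return 1
    [ "$uid" -ge "$MIN_UID" ] || return 1
    printf '%s\n' "$user"
}

# Plugin entry point. ARC exports the claims of the first token as
# BEARER_TOKEN_0_CLAIM_<name>_<index>; only act when invoked under the
# installed plugin name (assumption), so the functions can also be sourced.
case "${0##*/}" in
    token-map.sh)
        map_token_user "${BEARER_TOKEN_0_CLAIM_user_0:-}"
        exit $?
        ;;
esac
```

A claim value such as "root", "alice;id" or "../alice" is rejected with a non-zero exit, which ARC treats as "this rule did not map the user", so the request falls through to whatever later mapping rules (or the default deny) the site has configured.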