diff --git a/README.md b/README.md index 2acb55a..ae6f681 100644 --- a/README.md +++ b/README.md @@ -53,11 +53,15 @@ Launch a copy of forwarder outside of kubernetes, listening on port 8080: helm dependency update funcx ``` 3. Create your own `values.yaml` inside the Git ignored directory `deployed_values/` -4. Obtain Globus Client ID and Secret. Paste them into your values.yaml as +4. Obtain Globus Client ID and Secret. This can either be a client id and + secret for the production service, or for local development see section + below on creating a client and scope for local development. Paste them + into your values.yaml as ```yaml webService: globusClient: <> globusKey: <> + funcxScope: <> # Not needed if using production client and keys ``` 5. Install the helm chart: ```shell script @@ -121,8 +125,60 @@ postgresql.postgresqlUsername: funcx | postgresql | [https://github.com/bitnami/charts/tree/master/bitnami/postgresql](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) | | redis | [https://github.com/bitnami/charts/tree/master/bitnami/redis](https://github.com/bitnami/charts/tree/master/bitnami/redis) | +## Creating client and scope +For local development of the web service, it can be convenient to have the +service consume tokens from a custom non-prod client. Additionally, using a +custom client and scope helps to reduce the risk of production credentials +leaking. + +To create a custom client, first create a Globus Auth project at +https://auth.globus.org/v2/web/developers. Then, within that project, click +"Add" and select "Add new app". Give the app a name, leave "Native App" +unchecked, and set the following two redirect uri's: + +* https://auth.globus.org/v2/web/auth-code +* http://localhost:5000 + +Then click "Create App". Once back at the projects page you will see your +"Client ID" and a button to generate a new "Client Secret". Create the client +secret and note both it and your client id to put in to the `values.yaml`. + +The final step will be to set up the required scope for your client. You can +do this with the globus sdk and the following example code: + +``` python +from globus_sdk import ConfidentialAppAuthClient + +globusClient = "<< client id from above >>" +globusKey = "<< client secret from above >>" +c = ConfidentialAppAuthClient(globusClient, globusKey) + +scope = { + "scope": { + "advertised": True, + "name": "funcx.org", + "dependent_scopes": [ + # Allow access to globus groups + { + "optional": False, + "scope": "73320ffe-4cb4-4b25-a0a3-83d53d59ce4f", + "requires_refresh_token": True, + } + ], + "allows_refresh_token": True, + "description": "A scope for local FuncX.org development", + "scope_suffix": "all", + } +} + +c.post(f"/v2/api/clients/{globusClient}/scopes", json_body=scope) +``` +The response object will include a `scope_string` field that will look something like: +``` +'scope_string': 'https://auth.globus.org/scopes/<< client id >>/all' +``` - +Use that scope string as the value for `funcxScope` in your `values.yaml`. diff --git a/funcx/templates/web-service-config.yaml b/funcx/templates/web-service-config.yaml index 823fc48..e655622 100644 --- a/funcx/templates/web-service-config.yaml +++ b/funcx/templates/web-service-config.yaml @@ -17,6 +17,7 @@ data: HOSTNAME = "Not Used" GLOBUS_CLIENT = "{{ .Values.webService.globusClient }}" GLOBUS_KEY = "{{ .Values.webService.globusKey }}" + FUNCX_SCOPE = "{{ .Values.webService.funcxScope }}" {{ if .Values.postgres.enabled }} SQLALCHEMY_DATABASE_URI = 'postgresql://{{ .Values.postgresql.postgresqlUsername }}:{{ .Values.postgresql.postgresqlPassword }}@{{ .Release.Name }}-postgresql:5432/{{ .Values.postgresql.postgresqlDatabase }}' diff --git a/funcx/values.yaml b/funcx/values.yaml index 2f6752c..3b501e6 100644 --- a/funcx/values.yaml +++ b/funcx/values.yaml @@ -19,6 +19,7 @@ webService: replicas: 1 globusClient: <> globusKey: <> + funcxScope: https://auth.globus.org/scopes/facd7ccc-c5f4-42aa-916b-a0e270e2c2a9/all endpoint: enabled: true