Motivation

On February 6 the authentication behavior for some CZ and RZ LC web services (Confluence, Jira, and GitLab) will be changing. This is one step of a multi-step effort to modernize and extend the LC web authentication capabilities. One major goal is to allow users from LANL and SNL to use OneID authentication rather than requiring use of LLNL RSA tokens. Another benefit of the changes is that Confluence, Jira, and GitLab will share an authentication session within the same zone (CZ or RZ), allowing you to use several of these services with a single authentication.

What’s Next?

The OneID authentication option will eventually extend to LLNL users, allowing them to either use RSA tokens or other forms of LLNL MFA when authenticating to LC web services. We also expect to extend this option in the coming months to other LC web services, such as MyLC and JupyterHub. These changes will migrate to the SCF at a later date.

Details of Changes

Authentication behavior for some LC web applications will be changing on February 6. This affects Confluence, Jira, and GitLab. The changes are summarized here:

Application / Service: CZ Confluence, Jira, GitLab

Change:
  LLNL users: The new login page will use your OUN rather than your LC username, along with the appropriate CZ RSA OTP.
  LANL & SNL users: The new login page will have a OneID button which leads to your local site's OneID page, allowing authentication with your site's MFA.

  [Screenshot: CZ login panel]

Notes:
  CZ Confluence, Jira, and GitLab will all share an authentication session, i.e., signing in to one will get you into the others without any additional authentication.

  For users with multiple LC identities, such as service user accounts, the login process will now include a separate step to select the LC identity you wish to log in with:

  [Screenshot: CZ username submission panel]

Application / Service: RZ Confluence, Jira, GitLab

Change:
  LLNL & SNL users: The new login page will use your OUN rather than your LC username, along with the appropriate RZ RSA OTP.
  LANL users: The new login page will have a button pointing to LANL's OneID page, allowing authentication with LANL MFA.

  [Screenshot: RZ login panel]

Notes:
  RZ Confluence, Jira, and GitLab will all share an authentication session, i.e., signing in to one will get you into the others without any additional authentication.

  SNL use of OneID for RZ web services is pending configuration changes at SNL.

  For users with multiple LC identities, such as service user accounts, the login process will now include a separate step to select the LC identity you wish to log in with:

  [Screenshot: RZ username panel]

Application / Service: CZ / RZ MyLC, Custom Content Directories, JupyterHub

Change:
  No change from today; the login page and process will remain the same.

Notes:
  At a later stage we expect to incorporate the new login options into these services.

Application / Service: CZ / RZ git-over-https

Change:
  Conventional username + password authentication will no longer be allowed when performing git-over-https operations on the LC GitLab instances (CZ, RZ). You must use a Personal Access Token in lieu of a password. Details below.

Notes:
  The preferred mitigation is to switch to git-over-ssh; setting up keys is described here.


Using a Personal Access Token (PAT) for Git-over-HTTPS

The biggest change with the new authentication will be with how git-over-https works. Rather than supplying a one-time password, you instead will need to use a Personal Access Token (PAT) which is generated by GitLab.

To generate a PAT, go to:

   CZ: https://lc.llnl.gov/gitlab/-/profile/personal_access_tokens
   RZ: https://rzlc.llnl.gov/gitlab/-/profile/personal_access_tokens
   SCF: https://lc.llnl.gov/gitlab/-/profile/personal_access_tokens (on iSRD network)

  1. Fill out the request with a name and the 'api' scope:

     [Screenshot: PAT screen 1 with the token name highlighted and 'api' checked]

  2. Next click the button to create the token:

     [Screenshot: Create personal access token button]

  3. To copy the contents of the token, click the clipboard button:

     [Screenshot: warning to save the PAT]

Treat the PAT like a password: it is shown only once, and anyone holding it can act as you on GitLab for as long as it is valid. Note that the 'api' scope also grants full access to the GitLab API on your behalf; if the token will only ever be used for git-over-https, GitLab's narrower write_repository scope (or read_repository for clone/fetch only) is sufficient for git and is the least-privilege choice.

Then when you do your git clone or similar operation, supply your LC username as the username and the contents of your PAT as the password:

   git clone https://lc.llnl.gov/gitlab/MY-PROJECT/my-repo.git
   Cloning into 'my-repo'...
   Username for 'https://lc.llnl.gov': <your-LC-username>
   Password for 'https://<your-LC-username>@izlc.llnl.gov': <your-PAT-value>

Notes

  • PATs have a maximum lifetime of 30 days, despite what you might see in the web UI. You should receive automated emails when your token is about to expire and when it has expired.
  • If your terminal pops up a dialog for entering the username and PAT, this can cause problems with copy/paste. To prevent the dialog, set the SSH_ASKPASS environment variable to an empty string; git will then prompt at the command line instead. (Git consults GIT_ASKPASS and the core.askPass setting before SSH_ASKPASS, so if either of those is set, clear it as well.) Setting the variable can be done in your .cshrc, .bashrc, etc. files, or on the command line with:

   env SSH_ASKPASS="" your-git-command-here

  • PATs are cached automatically, so unlike today's behavior with git-over-https, within a session you should not have to re-authenticate for each operation involving the remote server. If you find you need to re-authenticate in a given session, add these lines to the ~/.gitconfig file on the system where you run git (this keeps the PAT in memory for 12 hours, i.e. 43200 seconds):

   [credential]
    helper = cache --timeout=43200
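Behind both the interactive prompt and the cache helper above is git's credential protocol: git hands each configured helper a few key=value lines (protocol, host, optionally username and path) on stdin and expects username=/password= lines back. The script below is an added example of such a helper, written for this page; it is not LC or GitLab tooling. It reads the PAT from a file that must be mode 0600 and releases it only to the CZ and RZ GitLab hosts named in the announcement, so a stray or malicious remote URL cannot extract the token. The token path ~/.config/lc-gitlab-pat and the LC_USERNAME environment variable are assumptions for the example, not LC conventions.

```python
#!/usr/bin/env python3
"""Minimal git credential helper for an LC GitLab Personal Access Token.

Register it (assumed install path) with:
  git config --global credential.https://lc.llnl.gov.helper /path/to/lc_pat_helper.py
  git config --global credential.https://rzlc.llnl.gov.helper /path/to/lc_pat_helper.py
Git then calls it as `lc_pat_helper.py get|store|erase` with the request on stdin.
"""
import getpass
import os
import stat
import sys
from pathlib import Path

# Hosts the token may be released to (the CZ and RZ GitLab front ends).
# Any other host gets an empty answer, so git falls through to the next
# helper or the interactive prompt instead of leaking the PAT.
ALLOWED_HOSTS = {"lc.llnl.gov", "rzlc.llnl.gov"}

# Where the PAT is kept: an assumed location, not an LC convention.
TOKEN_FILE = Path.home() / ".config" / "lc-gitlab-pat"


def parse_request(text):
    """Parse git's key=value request into a dict, stopping at the blank line."""
    fields = {}
    for line in text.splitlines():
        if line == "":
            break
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_lc_request(fields):
    """True only for https requests to one of the allowed LC hosts."""
    return fields.get("protocol") == "https" and fields.get("host") in ALLOWED_HOSTS


def token_from_file(path):
    """Return the token in `path`, refusing a file readable by group or others."""
    path = Path(path)
    mode = path.stat().st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be mode 0600, not {stat.filemode(mode)}")
    return path.read_text(encoding="utf-8").strip()


def answer(fields, username, token):
    """Build the 'get' reply, or '' when the request is not for an LC host."""
    if not is_lc_request(fields):
        return ""
    # An explicit user@host in the remote URL wins over the default username.
    user = fields.get("username") or username
    return f"username={user}\npassword={token}\n"


def run(argv, stdin, stdout):
    """Entry point as git invokes it. Only 'get' does work; the token is never
    stored or erased by git because it lives solely in TOKEN_FILE."""
    if len(argv) < 2 or argv[1] != "get":
        return 0
    fields = parse_request(stdin.read())
    if not is_lc_request(fields):
        return 0  # do not even touch the token file for foreign hosts
    # LC_USERNAME is a hypothetical override; default to the login name.
    username = os.environ.get("LC_USERNAME") or getpass.getuser()
    stdout.write(answer(fields, username, token_from_file(TOKEN_FILE)))
    stdout.flush()
    return 0


if __name__ == "__main__":
    sys.exit(run(sys.argv, sys.stdin, sys.stdout))
```

Because git queries helpers before it prompts, a helper like this makes the SSH_ASKPASS workaround unnecessary; the trade-off versus the `cache` helper is that the PAT now lives on disk for its whole 30-day lifetime, which is why the script insists on 0600 permissions and a host allow-list.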