gplazma/pnfsmanager: update namespace so scitoken 'scope' takes priority

Motivation:

The SciToken and WLCG-AuthZ specifications allow a token to contain authorisation statements. These are recorded in the `scope` claim. In dCache, these authorisation statements are translated into restrictions which limit the user, preventing that user from doing anything the token says the bearer is not entitled to do. However, the namespace permissions are still enforced. If the token says the user IS allowed to do something and the namespace states that this user IS NOT allowed to do that thing then the operation will fail: the namespace "wins". This doesn't really make sense, as one of the main goals of such tokens is for services (such as dCache) to delegate authorisation decisions from the service to some central service. In other words, if there is a conflict the token should "win".

Modification:

Add a new principal, `ExemptFromNamespaceChecks`, that shows the user should be exempt from the normal namespace-based authorisation policies. Any restrictions accompanying a namespace request should still be enforced.

Update the `Subjects` utility class to include the `isExemptFromNamespaceChecks` static method. This new method checks whether the user is exempt from namespace authorisation checks. It returns `true` for the root user or if the user has the `ExemptFromNamespaceChecks` principal. The new method is meant as a drop-in replacement for `isRoot`, making updating dCache easier.

Update the `ChimeraNameSpaceProvider` class to use the new `Subjects` method instead of `isRoot`. The `PnfsManagerV3` class is also updated, but only in those places where `isRoot` is currently by-passing a namespace check (the mask) --- those places that enforce restrictions are deliberately left as `isRoot`.

The `scitoken` plugin is updated to set the `ExemptFromNamespaceChecks` principal. Note that the plugin is only successful if the token contains a `scope` claim that authorises access.

Unit tests are updated to verify correct behaviour of `isExemptFromNamespaceChecks`.

Result:

In the SciToken plugin, the 'scope' based authorisation is now honoured, irrespective of the authorisation decisions in the namespace. The mapped user is used to determine the ownership (uid & gid) of new content (directories, files, etc) but otherwise has no other purpose.

Target: master
Requires-notes: yes
Requires-book: likely
Patch: https://rb.dcache.org/r/13138/
Acked-by: Tigran Mkrtchyan
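The decision order the commit message describes (restriction from the token's `scope` always enforced, namespace mask consulted only for subjects that are not exempt, root and bearers of the new principal treated alike) as a standalone model. This is an added example, not dCache's code: the `UidPrincipal` class, the string-based request and the `Predicate` restriction are hypothetical stand-ins for the project's own types.

```java
import java.security.Principal;
import java.util.Set;
import java.util.function.Predicate;

// Standalone model of the decision order in the commit message; not dCache's code.
public final class NamespaceAuthzModel {
    /** Hypothetical stand-in for org.dcache.auth.ExemptFromNamespaceChecks. */
    static final class ExemptFromNamespaceChecks implements Principal {
        @Override public String getName() { return "full"; }
    }

    /** Hypothetical stand-in for a numeric uid principal (uid 0 is root). */
    static final class UidPrincipal implements Principal {
        final long uid;
        UidPrincipal(long uid) { this.uid = uid; }
        @Override public String getName() { return Long.toString(uid); }
    }

    /** Drop-in replacement for isRoot: true for root or for a bearer of the principal. */
    static boolean isExemptFromNamespaceChecks(Set<Principal> principals) {
        for (Principal p : principals) {
            if (p instanceof UidPrincipal && ((UidPrincipal) p).uid == 0) return true;
            if (p instanceof ExemptFromNamespaceChecks) return true;
        }
        return false;
    }

    /** The restriction (from the token 'scope') is always enforced; the namespace
     *  mask is consulted only for subjects that are not exempt. */
    static boolean isAllowed(Set<Principal> principals, String request,
                             Predicate<String> restrictionDenies, boolean namespacePermits) {
        if (restrictionDenies.test(request)) return false;       // token scope does not cover it
        if (isExemptFromNamespaceChecks(principals)) return true; // token "wins" over the namespace
        return namespacePermits;                                  // ordinary namespace decision
    }

    public static void main(String[] args) {
        Set<Principal> tokenUser = Set.of(new UidPrincipal(1000), new ExemptFromNamespaceChecks());
        Set<Principal> plainUser = Set.of(new UidPrincipal(1000));
        // Constructed restriction: the scope authorises writes under /data/project only.
        Predicate<String> scopeDenies = r -> !r.startsWith("write /data/project/");

        // Namespace mask forbids the write; the token authorises it, so the mask is not consulted.
        System.out.println(isAllowed(tokenUser, "write /data/project/f", scopeDenies, false));
        // Same request without the principal: the namespace mask alone decides.
        System.out.println(isAllowed(plainUser, "write /data/project/f", scopeDenies, false));
        // Outside the scope, the restriction applies before the exemption is even considered.
        System.out.println(isAllowed(tokenUser, "write /home/other/f", scopeDenies, true));
    }
}
```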
1 parent 9115df4, commit 14f2019
Showing 7 changed files with 143 additions and 25 deletions.
46 changes: 46 additions & 0 deletions
modules/common/src/main/java/org/dcache/auth/ExemptFromNamespaceChecks.java
@@ -0,0 +1,46 @@ | ||
/* | ||
* dCache - http://www.dcache.org/ | ||
* | ||
* Copyright (C) 2021 Deutsches Elektronen-Synchrotron | ||
* | ||
* This program is free software: you can redistribute it and/or modify | ||
* it under the terms of the GNU Affero General Public License as | ||
* published by the Free Software Foundation, either version 3 of the | ||
* License, or (at your option) any later version. | ||
* | ||
* This program is distributed in the hope that it will be useful, | ||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
* GNU Affero General Public License for more details. | ||
* | ||
* You should have received a copy of the GNU Affero General Public License | ||
* along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
*/ | ||
package org.dcache.auth; | ||
|
||
import java.io.Serializable; | ||
import java.security.Principal; | ||
|
||
/** | ||
* The presence of this principal indicates that the user is exempt from the | ||
* normal namespace permission rules. The | ||
* {@link org.dcache.auth.attributes.Restriction} accompanying a namespace | ||
* request is still enforced. Code that inserts this principal should (very | ||
* likely) also add restrictions, otherwise the user will have root-like | ||
* authority. | ||
*/ | ||
@AuthenticationOutput | ||
public class ExemptFromNamespaceChecks implements Principal, Serializable | ||
{ | ||
@Override | ||
public String getName() | ||
{ | ||
return "full"; // all namespace checks are by-passed. | ||
} | ||
|
||
@Override | ||
public String toString() | ||
{ | ||
return "ExemptFromNamespaceChecks"; | ||
} | ||
} |
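Review bot: `ExemptFromNamespaceChecks` implements `Serializable` but declares no `serialVersionUID` (line `public class ExemptFromNamespaceChecks implements Principal, Serializable`); the default computed UID changes with any edit to the class, so a mixed-version deployment would fail to deserialize principals sent between cells. Add `private static final long serialVersionUID = 1L;`. The class also does not override `equals`/`hashCode`, so two instances are distinct entries in a `Subject`'s principal set; as it carries no state, defining equality by class (and a constant `hashCode`) avoids duplicates. The Javadoc's warning that inserting this principal without accompanying restrictions grants root-like authority is the key security property of this class and is worth repeating at the `@AuthenticationOutput` annotation, where plugin authors will see it.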