Commit
PnfsManager: check restrictions before resolving path to PNFS-ID
Motivation:

An agent may have authenticated with dCache such that the login session includes restrictions on what that agent may do. The two main examples of such authentication are macaroons and AuthZ tokens (e.g., SciTokens).

The method `populatePnfsId` discovers a file's PNFS-ID if the value was not provided by the door. This method is typically called as one of the first activities when processing a message. This is because it updates the message with the PNFS-ID as a side-effect, making that information available for all subsequent activity.

Note that `populatePnfsId` will throw FileNotFoundCacheException if it detects that the path does not exist.

The problem here is that `populatePnfsId` is called before the restrictions are checked. This means dCache will "leak" information about the namespace, as a different error is returned depending on whether the target is missing (FileNotFoundCacheException) or the restriction prevents access (PermissionDeniedCacheException).

As a concrete example, suppose I have a home directory `/home/paul` in which the directory `private` contains information I do not wish to share. If I then create a macaroon that I share with an agent that allows (or "should allow") that agent only to interact with the `/home/paul/shared` folder, then that agent can still learn whether files exist in the `/home/paul/private` directory by making HTTP HEAD requests: if the file does not exist then dCache replies with a "404 Not Found" response, while existing files trigger a "403 Forbidden" response.

EGI SVG-RAT have evaluated this problem as LOW risk.

Modification:

Be sure to check the restrictions before resolving the path to a PNFS-ID.

Result:

dCache no longer leaks information about whether or not files exist when using macaroons or SciTokens / WLCG AuthZ JWT profile tokens.

Target: master
Requires-notes: yes
Requires-book: no
Request: 7.2
Request: 7.1
Request: 7.0
Request: 6.2
Patch: https://rb.dcache.org/r/13354/
Acked-by: Tigran Mkrtchyan
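The ordering problem described in the commit message, shown as an added example that is not dCache code: a small model with hypothetical names (`resolve`, `checkRestriction`, `statusBefore`, `statusAfter`) and a constructed namespace, with HTTP status codes standing in for the two exceptions. Paths are assumed to be already normalized.

```java
import java.util.Set;

// Simplified model of the check ordering (hypothetical names, not dCache classes).
public class RestrictionOrderDemo {
    static class FileNotFound extends Exception {}
    static class PermissionDenied extends Exception {}

    // Constructed namespace: the paths that exist.
    static final Set<String> NAMESPACE = Set.of(
            "/home/paul/shared/report.txt",
            "/home/paul/private/diary.txt");

    // Restriction carried by the login session: only this prefix is allowed.
    // Assumption: paths are already normalized (no "..", no duplicate slashes).
    static final String ALLOWED_PREFIX = "/home/paul/shared/";

    static void checkRestriction(String path) throws PermissionDenied {
        if (!path.startsWith(ALLOWED_PREFIX)) throw new PermissionDenied();
    }

    static void resolve(String path) throws FileNotFound {
        if (!NAMESPACE.contains(path)) throw new FileNotFound();
    }

    // Before the fix: resolution runs first, so a missing path is reported
    // as "not found" even when the restriction forbids the path.
    static int statusBefore(String path) {
        try { resolve(path); checkRestriction(path); return 200; }
        catch (FileNotFound e) { return 404; }
        catch (PermissionDenied e) { return 403; }
    }

    // After the fix: the restriction is checked first, so every path
    // outside the allowed prefix gets the same answer.
    static int statusAfter(String path) {
        try { checkRestriction(path); resolve(path); return 200; }
        catch (PermissionDenied e) { return 403; }
        catch (FileNotFound e) { return 404; }
    }

    public static void main(String[] args) {
        String[] probes = {
            "/home/paul/shared/report.txt",
            "/home/paul/private/diary.txt",
            "/home/paul/private/missing.txt" };
        for (String p : probes) {
            System.out.printf("%-32s before=%d after=%d%n", p, statusBefore(p), statusAfter(p));
        }
    }
}
```

A regression test for this class of bug asserts that an existing and a non-existing path outside the permitted prefix produce the same response for a restricted session.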