Commit
dcache-xroot: store most recent login subject in door
Motivation:

In the xrootd4j library, the authentication handling API entails the return of the subject via an implementation-specific login. The authorization API, however, is based upon the check of permissions on a specific path, and does not provide for side-effects to the subject.

This has been complicated, however, by the SciTokens authorization protocol, at least in its dCache manifestation, because the bearer token may actually contain new information about the subject that was not present at login, as well as the specific restrictions now granted overriding the preceding restrictions established at login.

The original solution was to stack login information in the door such that a request accesses the most recent restrictions. What was not done, however, was to update in a similar manner the actual login subject. This needs to happen because the xrootd-specific session info, which contains the original login Subject, is not updated during authorization. Using the xrootd4j session Subject in the case of GSI, for instance, works fine, but using it with SciTokens will not work unless the ZTN protocol is active at login AND the ZTN token is identical to the one used on the path URL, which very likely may not be the case.

One could try to fix this in the xrootd4j library by adjusting the authorization handler API to be able to update the session subject, but since dCache will continue to require the login info stack in the door to get the correct, dCache-specific Restriction object, it makes more sense simply not to use the xrootd4j session Subject at all, and instead store the most recent Subject with the Restriction in the door.

Modification:

Rename SessionInfo to LoginSessionInfo for clarity, and add the Subject to it. Always access this Subject in the door, and ignore the one contained in the request object's xrootd Session.

Result:

Correct subject is used to access the path for both GSI and SciToken protocols (and hopefully any future ones).

Target: master
Request: 7.0
Request: 6.2
Patch: https://rb.dcache.org/r/12988/
Acked-by: Tigran
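The login-info stack described in the commit message, as an added model written for this page (not dCache or xrootd4j code): a door keeps a stack of LoginSessionInfo entries holding both the Subject and the Restriction, a bearer token on the path URL pushes a new entry that may add principals and override the restriction, and path access always consults the most recent entry rather than the xrootd session's login-time Subject. Class names mirror the commit; the principal strings and path prefixes are constructed sample values, and the Restriction model (allowed path-prefix/operation pairs) is an assumption, not dCache's.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Restriction:
    """Constructed model: a set of (path prefix, operation) pairs that are
    permitted; everything else is denied."""
    allowed: frozenset

    def permits(self, path: str, op: str) -> bool:
        return any(path.startswith(prefix) and op == allowed_op
                   for prefix, allowed_op in self.allowed)


@dataclass(frozen=True)
class LoginSessionInfo:
    """What the door stacks per login / authorization step: the Subject
    (modelled as a frozenset of principal strings) together with the
    Restriction that currently applies."""
    subject: frozenset
    restriction: Restriction


class Door:
    def __init__(self) -> None:
        self._logins: deque = deque()

    def login(self, subject, restriction: Restriction) -> None:
        # Login-time entry, e.g. from GSI: this is also what the xrootd
        # session object would keep and never update.
        self._logins.append(LoginSessionInfo(frozenset(subject), restriction))

    def authorize_with_token(self, token_principals, token_restriction: Restriction) -> None:
        # A SciToken on the path URL may carry subject information that was
        # absent at login and restrictions that override the login ones, so
        # both are pushed and the most recent entry wins.
        current = self._logins[-1]
        merged = current.subject | frozenset(token_principals)
        self._logins.append(LoginSessionInfo(merged, token_restriction))

    def current(self) -> LoginSessionInfo:
        return self._logins[-1]

    def login_time(self) -> LoginSessionInfo:
        return self._logins[0]

    def may_access(self, path: str, op: str) -> bool:
        # Always use the door's most recent Subject and Restriction.
        return self.current().restriction.permits(path, op)
```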
Showing 1 changed file with 84 additions and 59 deletions.