-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Doina Cristina Aiftimiei
committed
Mar 16, 2020
1 parent
fa65073
commit 064ffea
Showing
2 changed files
with
99 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,97 @@ | ||
v1.22.0 | ||
------------ | ||
|
||
What’s new | ||
~~~~~~~~~~ | ||
|
||
Rucio authentication and authorization mechanism was extended to support (JWT) tokens | ||
using Open ID Connect protocol (following `the OAuth 2.0 specifications <https://oauth.net/2/>`_). | ||
The `implementation <https://github.com/gumond/rucio/tree/feature-2612-OIDC-AuthZN-base-next>`_)is based | ||
on `pyoidc <https://github.com/OpenIDC/pyoidc>`_ (OIDC `certified <https://openid.net/developers/certified/>`_) library and it follows the WLCG | ||
specifications documented `here <https://docs.google.com/document/d/1hnsPWf9C7ODVXZ7JehsSEiEsQwf5UmqLfTwVDhuqHzk/edit#>`_ (subject to certain changes as these specifications | ||
are currently still being developed). | ||
|
||
To perform operations with Rucio a user can now newly log in via | ||
an `authorization code grant <https://oauth.net/2/grant-types/authorization-code/>`_ mechanism. | ||
This has been made possible via Rucio WebUI, and Rucio command line interface (CLI). 3 CLI login strategies were | ||
implemented to serve various use cases. | ||
|
||
Rucio REST API can also accept JWT tokens issued by Identity Providers out of the Rucio | ||
authorization code grant flow. Such JWT tokens can serve as means of authentication | ||
and authorization if they contain the required minimal scope and audience in their | ||
claims, are valid and their identity is known to Rucio. In order to allow permission | ||
control downstream (Rucio → FTS3) Rucio implemented also an internal mechanism using | ||
token exchange and token refresh grants. | ||
|
||
Rucio user pre-provisioning (via new Rucio SCIM client) was | ||
`implemented <https://github.com/rucio/probes/pull/11>`_ as a ‘Rucio probe’ script. | ||
In order to manage token life-cycle, a new Rucio daemon was implemented taking care of | ||
token deletion, token refresh and clean-up of expired authentication OIDC sessions. | ||
Rucio DB schema was extended to contain: necessary new columns in the ‘tokens’ table | ||
and a new table ‘oauth_requests’ to handle OIDC authentication sessions. | ||
|
||
First functional tests of a third party copy were performed (Rucio → FTS3 → dCache) | ||
and a new `Rucio testbed instance <https://90.147.102.221/ui/>`_ is being setup. | ||
|
||
List of RfCs | ||
~~~~~~~~~~~~ | ||
|
||
* Features | ||
|
||
* `#2612 <https://github.com/rucio/rucio/issues/2612>`_ - Authentication & Authorisation: Rucio user authentication via OIDC protocol (XDC IAM), getting user info and JWT tokens | ||
* `#2412 <https://github.com/rucio/rucio/issues/2412>`_ - Deletion: Reaper 2.0 #2412 | ||
* `#3348 <https://github.com/rucio/rucio/issues/3348>`_ - Release management: Add oidc auth templates to setup.py #3348 | ||
* `#533 <https://github.com/rucio/rucio/issues/533>`_ - Release management: Better way to deal with configuration / permissions / policy #533 | ||
|
||
* Enhancements | ||
|
||
* `#1637 <https://github.com/rucio/rucio/issues/1637>`_ - Deletion: Protection of sources too strict in the reaper #1637 | ||
|
||
* Bugs fixes | ||
|
||
* `#3337 <https://github.com/rucio/rucio/issues/3337>`_ -Authentication & Authorisation: Fixes to OIDC AuthN/Z after first deployment on a testbed #3337 | ||
|
||
Installation methods | ||
~~~~~~~~~~~~~~~~~~~~ | ||
|
||
* for Rucio-server follow `Installing Rucio server guide <https://rucio.readthedocs.io/en/latest/installing_server.html>`_ | ||
|
||
* via pip | ||
pip install rucio | ||
|
||
* via docker | ||
docker run --name=rucio-server -p 80:80 -d indigodatacloud/rucio-server:XDC-2 | ||
|
||
* for more options see above documentation | ||
|
||
* for Rucio-daemons follow `Installing Rucio daemons guide <https://rucio.readthedocs.io/en/latest/installing_daemons.html>`_ | ||
|
||
* via pip | ||
pip install rucio | ||
|
||
* via docker | ||
docker run --name=rucio-server -p 80:80 -d indigodatacloud/rucio-server:XDC-2 | ||
|
||
* for more options see above documentation. | ||
|
||
Known Issues | ||
~~~~~~~~~~~~ | ||
|
||
* N/A | ||
|
||
List of Artifacts | ||
~~~~~~~~~~~~~~~~~ | ||
|
||
* Source tarballs | ||
* `rucio-1.22.0.dev3.tar.gz <https://repo.indigo-datacloud.eu/repository/xdc/production/2/centos7/x86_64/tgz/rucio-1.22.0.dev3.tar.gz>`_ | ||
|
||
|
||
* Docker Container: | ||
* `indigodatacloud/rucio-server:XDC-2 <https://hub.docker.com/r/indigodatacloud/rucio/tags/>`__ (signed) | ||
* `indigodatacloud/rucio-daemon:XDC-2 <https://hub.docker.com/r/indigodatacloud/rucio/tags/>`__ (signed) | ||
* `indigodatacloud/rucio-server:release-1.22.0.dev3 <https://hub.docker.com/layers/rucio/rucio-server/release-1.22.0.dev3/images/sha256-3b290c69f8db5241406974e74a08696e9114e2e490f6c899c2837527259976af?context=explore>`__ | ||
* `indigodatacloud/rucio-daemons:release-1.22.0.dev3 <https://hub.docker.com/layers/rucio/rucio-daemons/release-1.22.0.dev3/images/sha256-faec2dec3f83c4db21319c3c219c00f40dbd290ae3e8af6bf69d13a95f5816c9?context=explore>`__ | ||
|
||
|
||
|
||
|