Add SciTokens authorization #75
Conversation

Force-pushed: compare 309c447 to f5ef25a
```python
if token_data:
    token_enforcer = scitokens.Enforcer(tok['iss'], audience=aud)
    if token_enforcer.test(token, authz, path) is False:
        raise ValueError('SciToken does not have read:/DQSegDB scope')
```
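Review bot: the message on the `raise ValueError` line hard codes `read:/DQSegDB` although the scope actually tested is whatever `authz` and `path` were passed in, so a failed `PUT`/`PATCH` check would report the wrong scope; build the message from those arguments, e.g. `'SciToken does not have %s:%s scope' % (authz, path)`. Separately, `scitokens.Enforcer(tok['iss'], audience=aud)` takes the issuer from the token itself, while the description says tokens are validated against the configured `scitokens_issuer`; make sure `tok['iss']` has been compared with that configured value before this point, otherwise the enforcer is built for whatever issuer the token names.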
Need to generate error message based on passed scope
Codecov Report

```diff
@@            Coverage Diff             @@
##           master      #75      +/-   ##
==========================================
- Coverage   11.99%   11.70%   -0.29%
==========================================
  Files           5        5
  Lines        1017     1059      +42
==========================================
+ Hits          122      124       +2
- Misses        895      935      +40
```
```python
def __init__(self):
    self.admin = Admin.AdminHandle()
    self.constant = Constants.ConstantsHandle()
    os.environ['XDG_CACHE_HOME'] = self.constant.scitokens_cache_dir
```
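Review bot: assigning `os.environ['XDG_CACHE_HOME']` inside `__init__` mutates process-wide state on every handler construction, and it redirects the cache location of every library in the WSGI process that honours XDG_CACHE_HOME, not only scitokens. If the intent is just to point the scitokens key cache at `scitokens_cache_dir`, set it once at module import or WSGI startup and add a comment stating that purpose, so the next reader does not have to ask why it is there.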
Why is this needed?
```python
    r = [200]
# Otherwise, using HTTPS.
else:
```
Can this just `return [200]`? Then we can drop the `else` and deindent the rest of this (very long) function.

Suggested change:

```diff
-    r = [200]
-# Otherwise, using HTTPS.
-else:
+    return [200]
+# Otherwise, using HTTPS.
```
```python
r = self.admin.log_and_set_http_code(401, c, req_method, "SciToken signature has expired", full_uri)
return r
```
Suggested change:

```diff
-r = self.admin.log_and_set_http_code(401, c, req_method, "SciToken signature has expired", full_uri)
-return r
+return self.admin.log_and_set_http_code(401, c, req_method, "SciToken signature has expired", full_uri)
```
```python
r = self.admin.log_and_set_http_code(401, c, req_method, "Invalid audience for SciToken", full_uri)
return r
```
Suggested change:

```diff
-r = self.admin.log_and_set_http_code(401, c, req_method, "Invalid audience for SciToken", full_uri)
-return r
+return self.admin.log_and_set_http_code(401, c, req_method, "Invalid audience for SciToken", full_uri)
```
```python
res = ldbdwauth.check_authorization_gridmap(environ, environ['REQUEST_METHOD'], environ['REQUEST_URI'], False)
try:
    res = ldbdsauth.check_authorization_scitoken(environ, environ['REQUEST_METHOD'], environ['REQUEST_URI'], False)
except:
```
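Review bot: with the bare `except:` any exception raised inside `check_authorization_scitoken`, not only a missing Authorization header, is swallowed and `res` silently keeps the gridmap result computed on the first line; that contradicts the description's promise that a token with the right audience but the wrong scope fails without falling through to X509. Catch only `KeyError` here, and consider running `check_authorization_gridmap` only inside that branch instead of unconditionally before the token check.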
Please don't use an empty `except`; I presume this should only protect against `KeyError`, which indicates that no token was given.

Suggested change:

```diff
-except:
+except KeyError:
```
```python
res = ldbdwauth.check_authorization_gridmap(environ, environ['REQUEST_METHOD'], environ['REQUEST_URI'], True)
try:
    res = ldbdsauth.check_authorization_scitoken(environ, environ['REQUEST_METHOD'], environ['REQUEST_URI'], True)
except:
```
as above
Suggested change:

```diff
-except:
+except KeyError:
```
@duncan-brown - For anyone who wasn't in this meeting, and for institutional memory, could you list the elements that need to be modified before we could deploy this?

@robertbruntz I updated the main text in the pull request with the items that need to be configured. It might also be a good idea to make the scopes a configurable option in the ini file, rather than hard coded, so I noted that as well.

This PR was split into 2 MRs on LIGO GitLab:
All additional work and comments should be in those repos.
This pull request adds authorization using SciTokens to the SegDB WSGI server. The SciToken should be passed in the https authorization header as

where `serialized_token_text` is a serialized SciToken generated by the issuer specified in `scitokens_issuer` in `Constants.py`. The SegDB server and the SciToken issuer need to agree on the audience for tokens, which is specified in `scitokens_audience` in `Constants.py`. `GET` access to obtain segments is given to SegDB if the token scope is `read:/DQSegDB`, and `PUT` and `PATCH` access to insert and update segments is given if the token scope is `write:/DQSegDB`. If the request does not contain a valid SciToken, or the token cannot be deserialized for the right audience, the server will silently fail over to trying X509 authentication. If a SciToken is provided with the correct audience, the server will fail if the token does not contain the correct scope for the requested action and will not fall through to X509 authentication.

Once this patch is merged, the SciTokens library must be installed on the server with `yum -y install python2-scitokens`. This has been added to the install scripts. WSGI must be configured to pass the authorization headers to the python layer with `WSGIPassAuthorization On` in `wsgi.conf`. See https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIPassAuthorization.html for details. I think I did this correctly in the `cit_install_script.sh` and `install_script.sh` files, but in `cit_install_script_sl7update.sh` the file `wsgi.conf` seems to be coming from some cached location, so that file may need to be fixed separately.

In addition, the following configuration values need to be set to their production settings before deployment:

The `scitokens_issuer` should be the URL of the scitokens issuer against which scitokens should be validated. The `scitokens_audience` should be the audience that is agreed for the SegDB server(s).

This patch hard codes the scitoken scopes as `read:/DQSegDB` for GET access to the segment database and `write:/DQSegDB` for PUT/PATCH access to the segment database. These scopes need to be agreed collaboration-wide. It might also make sense to make them configuration variables as well, rather than being hard coded.

Scitokens caches keys in a cache directory which is set in the configuration file to

This directory should exist and be readable and writable by the DQSegDB server process, or should be changed to another suitable location.
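The decision flow the description lays out (no usable token falls over to X509, a token with the right audience but the wrong scope fails outright), as an added example that is not code from this pull request. It replaces `scitokens.Enforcer` with a dict of constructed claim sets, and the issuer and audience values, `CONSTRUCTED_TOKENS`, `X509_FALLBACK` and the helper names are all assumptions made for the example; it also adds the issuer comparison discussed in review, which the page's own snippet does not show.

```python
# Added example (not code from the PR): the authorization flow the description
# gives, run offline. The real server uses scitokens.Enforcer; here a token is a
# dict of claims looked up by its serialization, and CONSTRUCTED_TOKENS,
# X509_FALLBACK and the example issuer/audience values are constructed.
SCITOKENS_ISSUER = "https://issuer.example.org"        # stands in for Constants.scitokens_issuer
SCITOKENS_AUDIENCE = "https://segments.example.org"    # stands in for Constants.scitokens_audience
SCOPE_FOR_METHOD = {"GET": "read:/DQSegDB",            # the scopes the PR hard codes
                    "PUT": "write:/DQSegDB", "PATCH": "write:/DQSegDB"}
X509_FALLBACK = "x509"                                  # sentinel: try gridmap auth instead

CONSTRUCTED_TOKENS = {   # constructed sample claim sets, keyed by their "serialization"
    "tok-read": {"iss": SCITOKENS_ISSUER, "aud": [SCITOKENS_AUDIENCE], "scope": "read:/DQSegDB"},
    "tok-rw": {"iss": SCITOKENS_ISSUER, "aud": [SCITOKENS_AUDIENCE], "scope": "read:/DQSegDB write:/DQSegDB"},
    "tok-other-aud": {"iss": SCITOKENS_ISSUER, "aud": ["https://other.example.org"], "scope": "read:/DQSegDB"},
    "tok-other-iss": {"iss": "https://rogue.example.org", "aud": [SCITOKENS_AUDIENCE], "scope": "read:/DQSegDB"},
}

def bearer_token(environ):
    """Return the serialized token; raise KeyError when no Bearer token was sent."""
    header = environ["HTTP_AUTHORIZATION"]   # only set when WSGIPassAuthorization is On
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "bearer" or not value:
        raise KeyError("HTTP_AUTHORIZATION")
    return value

def deserialize(serialized, issuer, audience):
    """Stand-in for SciToken.deserialize plus the issuer check raised in review:
    a token is only usable if it comes from the configured issuer and names our audience."""
    claims = CONSTRUCTED_TOKENS.get(serialized)
    if claims is None or claims["iss"] != issuer or audience not in claims["aud"]:
        return None
    return claims

def authorize(environ, issuer=SCITOKENS_ISSUER, audience=SCITOKENS_AUDIENCE):
    """200 when the token scope covers the request, 401 when a valid token lacks it,
    X509_FALLBACK only when no usable token was presented."""
    try:
        serialized = bearer_token(environ)
    except KeyError:                 # catch only "no token", never arbitrary errors
        return X509_FALLBACK
    claims = deserialize(serialized, issuer, audience)
    if claims is None:               # cannot deserialize for our audience: fall over to X509
        return X509_FALLBACK
    required = SCOPE_FOR_METHOD.get(environ["REQUEST_METHOD"])
    if required is None or required not in claims["scope"].split():
        return 401                   # correct audience but wrong scope: fail, no fallback
    return 200
```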