Use the FTS instance domain as audience #6590

Closed
dchristidis opened this issue Mar 22, 2024 · 0 comments · Fixed by #6619

Description

The WLCG wildcard audience for the FTS authentication tokens was used for the Data Challenge. Now it can be made so that the token targets a particular FTS instance.

```python
if oidc_support:
    fts_hostname = urlparse(external_host).hostname
    # FIXME: At the time of writing, it is not yet finalised what
    # audience and/or scope is required by FTS.
    token = request_token(audience='https://wlcg.cern.ch/jwt/v1/any', scope='fts')
```

Motivation

The FTS development team explicitly requested to stop supporting the WLCG wildcard audience.

Change

Replace 'https://wlcg.cern.ch/jwt/v1/any' with fts_hostname.
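The effect of the change above on where a token is usable, as an added example that is not part of the original issue or of Rucio's code. The function names, the instance URLs and the receiving-side acceptance policy are assumptions made for illustration, and the claims are assumed to come from a token whose signature has already been verified.

```python
from urllib.parse import urlparse

# Wildcard audience value quoted in the issue.
WLCG_ANY = 'https://wlcg.cern.ch/jwt/v1/any'


def audience_for(external_host):
    """Audience the issue proposes: the hostname of the FTS instance URL."""
    hostname = urlparse(external_host).hostname
    if not hostname:
        # A URL without a scheme (e.g. 'host:8446') yields no hostname;
        # fail instead of requesting a token with an empty audience.
        raise ValueError(f'cannot derive audience from {external_host!r}')
    return hostname


def audience_accepted(claims, own_audience, allow_wildcard):
    """Receiving-side check on verified claims (assumed policy, not FTS code)."""
    aud = claims.get('aud')
    if aud is None:
        return False
    # The 'aud' claim may be a single string or a list of strings.
    audiences = {aud} if isinstance(aud, str) else set(aud)
    if own_audience in audiences:
        return True
    return allow_wildcard and WLCG_ANY in audiences


def accepting_instances(claims, instances, allow_wildcard):
    """Which of the given instance URLs would accept a token with these claims."""
    return [url for url in instances
            if audience_accepted(claims, audience_for(url), allow_wildcard)]


# Constructed instance URLs, not real FTS endpoints.
FTS_A = 'https://fts3-a.example.org:8446'
FTS_B = 'https://fts3-b.example.org:8446'

if __name__ == '__main__':
    wildcard = {'aud': WLCG_ANY, 'scope': 'fts'}
    scoped = {'aud': audience_for(FTS_A), 'scope': 'fts'}
    # The wildcard token is usable at every instance that honours the wildcard.
    print(accepting_instances(wildcard, [FTS_A, FTS_B], allow_wildcard=True))
    # The hostname-scoped token is usable only at the instance it targets.
    print(accepting_instances(scoped, [FTS_A, FTS_B], allow_wildcard=True))
```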

@dchristidis dchristidis self-assigned this Mar 22, 2024
dchristidis added a commit to dchristidis/rucio that referenced this issue Mar 29, 2024
The discussion on how the Audience claim should be handled is still
on-going.  However, the FTS team has expressed their wish to stop
supporting the WLCG wildcard audience.  For the time being, it was
agreed to use the domain of the targeted FTS instance, mimicking how
it’s done for tokens destined at storages.
@dchristidis dchristidis linked a pull request Mar 29, 2024 that will close this issue
rdimaio pushed a commit that referenced this issue Mar 29, 2024
@dchristidis dchristidis added this to the 34.1.0 milestone Mar 30, 2024
bari12 pushed a commit that referenced this issue Apr 2, 2024
voetberg pushed a commit to voetberg/rucio that referenced this issue Apr 15, 2024