-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ZTN and Scitokens auth #1584
Comments
That wasn't the intention and the ZTN should avoid doing any caching of
ACLs because, if fact, ACLs are meaningless for ZTN. Why this happens
would appear to be some kind of regression or oversight. For ZTN all we
care about is that token was issued by a trusted token issuer. As for the
authz key, that should be the case for http and xroot (assuming the token
case in on a file url as "authz=....").
Andy
…On Mon, 10 Jan 2022, jthiltges wrote:
When using ZTN to pass the scitoken, the token reaches `XrdAccSciTokens::Validate()` as expected. However, a later call to `XrdAccSciTokens::Access()` fails.
https://github.com/xrootd/xrootd/blob/10d27966ce0a6637e988df5a7c43bdaad7d09b24/src/XrdSciTokens/XrdSciTokensAccess.cc#L312-L314
`Access()` expects to find the token with `env->Get("authz")` which I believe is only true for HTTPS.
With the current flow, it seems `Validate()` does a `scitoken_deserialize()` to process the token, and leaves ACLs to `Access()`. Then `Access()` generates ACLs, and puts them into a cache (keyed by the JWT).
As for possible solutions, the token could be stored in `Validate()` (which seems like something to avoid). Or we could refactor to instead generate the ACLs in `Validate()`.
--
Reply to this email directly or view it on GitHub:
#1584
You are receiving this because you are subscribed to this thread.
Message ID: ***@***.***>
########################################################################
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
|
Hi all, Took a quick look at the setup this morning. I think it's behaving correctly but, unfortunately, the correct behavior isn't all that useful. @abh3 - when we discussed ZTN with the dCache folks, one item discussed is what the ZTN token should do beyond authorizing a session creation (which is all it does today). Particularly, my recollection was that if the user didn't present a token in a subsequent operation, we wanted to utilize the token from the session to determine whether the operation was authorized. Implementing the "session token" behavior is fairly straightforward (preserve the session token in a XrdSecEntity attribute, utilize the token later in the authorization later) -- any objections to doing that? Otherwise, we probably need an XrdCl update to always send a token with operations in addition to the session token. Thoughts? Brian |
I don't have a problem with recording the session token in the attributes. However, we already have a field in the secentity structure for this (i.e. creds and credslen). So, I can do that which is what all other protocols do that are credentials based. When do you want it? |
Ah, an existing mechanism is even better! The code change is relatively simple, just wanted input on how to approach it. @alrossi -- does the above proposal match what dCache does? |
No, it is precisely what I thought we were not supposed to do. Perhaps I misunderstood the discussion I had with @abh3 but the ZTN token is considered a "throw away" ... that the authorization token which appears as the opaque 'authz=' value needs to be there. I remember this because I originally implemented authorization to fallback on the ZTN token if there is no authz= and then changed it. Obviously, if the fallback is what we want, I can reimplement. |
Agreed that storing the full token seems risky. If a vulnerability exposes memory, or core dumps are shared, valid tokens could be exposed. An option would be storing tokens in a "de-fanged" state. Validate the token, remove the signature, and store the token into |
:) @alrossi - Well I'm really happy I brought it up then! I think it comes down to whether-or-not the client should be changed to append the token to the CGI for all requests. This seems ... well, complex to be honest. The CGI should be inserted at all call points if and only if the user didn't override the authz setting and ZTN module was used for authentication - and the logic would need to be duplicated for token discovery (or a new API between the client and the ZTN module added). I can talk myself into saying @alrossi was right the first time and this should be used as a session token and allow the client to override it if desired. |
Then the original ZTN needs things like the subject attribute which was not required to be there originally. One of the other issues about the current way it works is that of redirect to dCache pools. We are compelled to force TLS on the pools to protect the token sent with the opaque data, even though dCache does not reauthorize/re-authenticate on the pool. It would be great if the client had a way not to send the token if it does not receive an authentication data request on login. (Of course, if we ever do implement TPC with tokens in xroot, then all bets are off because the TPC channel would need TLS to protect the token needed by the client on the destination side to authenticate with the source server ...) |
(Of course, a way around that issue is to implement control vs data channel kXR_bind, which I have considered and is on the back burner ... ) |
I'm not quite following. There's a subject in the token (among many other things, some of which may or may not be useful for authorization). I assume the semantics should be, if the token was not presented with a request, then the token from the session can be used as if it was presented with the request.
I think TLS should be forced on the pools regardless, token or no token, unless you differentiate between trusted LAN and WAN transfers. Redirection is another case where using the session token is probably useful - the client doesn't have to keep track as to whether the |
Yes that is what I was implying (fallback would have that advantage).
ZTN does not check for the user. It only checks issuer and audience. A ZTN token does not require authorization data, only enough to demonstrate it is from a trusted issuer. At least that is how I understood our original discussion. |
Right, that much I was following -- the piece I missed is why reusing the token layer implies a subject attribute is now required (or whether there's a protocol issue). That's all up to what the later authorization framework wants to see to evaluate the authorization of a request. Maybe it decides to allow read requests if and only if the first letter of the token is |
OK, I get you. But in practical terms ... Anyway, restoring the old behavior should not be an issue. As for @jthiltges concerns, dcache does not write out the token to disk, so only a memory dump of the JVM would expose the token, though that would be true for any of the token processing. |
OK, there is a lot of stuff going on here. So, let's go through what zrn was supposed to be for and what it seems people want it to do. If you go back to the original discussion, we wanted to know that a client connecting to a server was capable of getting valid tokens. That's all. We didn't care who that was, what they were going to do, or anything else. All we cared about is showing proof of capability. This is why it was implemented the way it was. The token only needs to be validated. We don't need any generated acls. All we need is that the token is for the acceptable audience issued by a known token issuer. Period, nothing more. That's why we never saved that token. Now, it seems people want feature creep and want access to the token "just in case". We can do that by using the standard mechanism of placing the token in the creds field of the SecEntity structure and I would strongly resist any other approach as this is the standard way X509, Krb5 and other credential protocols do. As for exposure due to a core file, the token has an expiration date and hopefully these tokens are issued with a reasonably short lifetime so by the time the core file is exposed to unauthorized people (which would have a lot of other security implications outside of SciTokens), the token would have expired. So, I don't see this as very serious concern beyond exposing a core file no matter what. So, my understanding that all that is wanted is to be able to access the ztn token in the case that a request does not have a url token. This, of course, runs in the face of narrow tokens and we might get stuck with fat tokens which is counter to what everyone wants. So, I don't see how this will play well in the future. Have I missed something here? |
I think the question is "how does one use token authorization using XrdCl or xrdcp?" With the various issues around redirection @alrossi pointed out above, it's not clear that there's a great way to do this as a user. The proposal above, to utilize the ZTN token as a session token, rather neatly addresses things with neither client nor protocol changes. Let's say that a user has a single token and would like to download a single file with |
The way you would do it is to place the token on the url in the standard way: xroot;//host//my/path?authz=[brearer%20] Yes, this is very inconvenient but no worse than what you have to do for AWS. The nit here is "bearer%20" you may need to add that if the token you got doesn't have it. I've seen tokens both ways and I wish we could standardize that because it will confuse people to no end. Generally, the idea was that a url provider would give you a fully formed url so you don't think twice about it. Of course, for the one-off copies or whatever there is no url provider and, in fact, I have no idea how a person would get a token for a one-off copy (probably harder than we think; enough to make a user want x509 back). Now, to other stuff. Whatever cgi a user specified should be carried across redirection. If that is not being done then it is a bug. I think we corrected that problem for certain edge cases some time ago. I don't know if that is also true for dCache but it should be as it's part of the protocol specification. As for @alrossi getting confused, he should be confused because the "backup token" idea came out of the blue. So, Al you are right, the original plan was exactly what you thought it was. That said, I don't mind extending things. I just want to make sure it doesn't create new problems. I think @alrossi is on board with that and can make the appropriate changes. I can place the token in the creds field as it's a no-brainer. Then you can use it as you see fit in the SciTokens plug-in. Anyway, let me know whether or not you want access to the ztn token. Please @bbockelm finish off the review comments in the voms mapfile pull request. We are almost there. |
Just a quick reply to @***@***.***>. Andy is correct that fallback or fall-through from the ZTN token or whatever we wish to call it can be (re-)implemented in dCache if so desired. As for carrying tokens across redirects, that is largely the client's responsibility, so dCache just uses what it receives. The only moment in which we would have to make sure this is happening inside of dCache is when we all agree upon native xroot TPC using tokens. I have not heard anything specific about whether we are moving forward with that or not, so if I am behind the times, please let me know!
Thanks, Al
…________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Andrew Hanushevsky ***@***.***>
Sent: Saturday, February 19, 2022 1:56 AM
To: xrootd/xrootd ***@***.***>
Cc: Albert Rossi ***@***.***>; Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
The way you would do it is to place the token on the url in the standard way:
xroot;//host//my/path?authz=[brearer%20]
Yes, this is very inconvenient but no worse than what you have to do for AWS. The nit here is "bearer%20" you may need to add that if the token you got doesn't have it. I've seen tokens both ways and I wish we could standardize that because it will confuse people to no end. Generally, the idea was that a url provider would give you a fully formed url so you don't think twice about it. Of course, for the one-off copies or whatever there is no url provider and, in fact, I have no idea how a person would get a token for a one-off copy (probably harder than we think ; enough to and make a user want x509 back).
Now, to other stuff. Whatever cgi a user specified should be carried across redirection. If that is not being done then it is a bug. I think we corrected that problem for certain edge cases some time ago. I don't know if that is also true for dCache but it should be as it's part of the protocol specification.
As for @alrossi<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_alrossi&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=ucA4Tp8POP88xObT6UOerb4nKUJKEg0CcfTBGnhAa3V1vyyoHuKAgI6wx4LJ1-Zt&s=BLT43EYvVoc9bByrRpUl50LmO_QQdOo5BpHDeVWn-xo&e=> getting confused, he should be confused because the "backup token" idea came out of the blue. So, Al you are right, the original plan was exactly what you thought it was. That said, I don't mind extending things. I just want to make sure it doesn't create new problems. I think @alrossi<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_alrossi&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=ucA4Tp8POP88xObT6UOerb4nKUJKEg0CcfTBGnhAa3V1vyyoHuKAgI6wx4LJ1-Zt&s=BLT43EYvVoc9bByrRpUl50LmO_QQdOo5BpHDeVWn-xo&e=> is on board with that and can make the appropriate changes. I can place the token in the creds field as it's a no-brainer. Then you can use it as you see fit in the SciTokens plug-in.
Anyway, let me know whether or not you want access to the ztn token. Please @bbockelm<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_bbockelm&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=ucA4Tp8POP88xObT6UOerb4nKUJKEg0CcfTBGnhAa3V1vyyoHuKAgI6wx4LJ1-Zt&s=pD-KT2Pmmm_w-WOpdB8xhwqyCxgu4_CCiFc5U2ZBiiE&e=> finish off the review comments in the voms mapfile pull request. We are almost there.
—
Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_xrootd_xrootd_issues_1584-23issuecomment-2D1045961770&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=ucA4Tp8POP88xObT6UOerb4nKUJKEg0CcfTBGnhAa3V1vyyoHuKAgI6wx4LJ1-Zt&s=KAgj2z-aM7tXp3ymoOoHCmr4UXEtWg1M98s57dn8LOU&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AA6NBHBY2CQLSMZPGPKDZ4DU35EMJANCNFSM5LUMRMZQ&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=ucA4Tp8POP88xObT6UOerb4nKUJKEg0CcfTBGnhAa3V1vyyoHuKAgI6wx4LJ1-Zt&s=iUQo-ncH9A7ggZs81ZxpzUuBHlUVBqG9K3JScDctPZA&e=>.
Triage notifications on the go with GitHub Mobile for iOS<https://urldefense.proofpoint.com/v2/url?u=https-3A__apps.apple.com_app_apple-2Dstore_id1477376905-3Fct-3Dnotification-2Demail-26mt-3D8-26pt-3D524675&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=ucA4Tp8POP88xObT6UOerb4nKUJKEg0CcfTBGnhAa3V1vyyoHuKAgI6wx4LJ1-Zt&s=VOYV1YEJncp6tY1vB29MPWvA5AXEqEa7gwhzsSE0QQY&e=> or Android<https://urldefense.proofpoint.com/v2/url?u=https-3A__play.google.com_store_apps_details-3Fid-3Dcom.github.android-26referrer-3Dutm-5Fcampaign-253Dnotification-2Demail-2526utm-5Fmedium-253Demail-2526utm-5Fsource-253Dgithub&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=ucA4Tp8POP88xObT6UOerb4nKUJKEg0CcfTBGnhAa3V1vyyoHuKAgI6wx4LJ1-Zt&s=7zvb7gyZe6Eyt1zYmrE2Ug_ckuGNLV0Kjx5pLajKhIs&e=>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
But this doesn't really work, does it? You can't put secrets into the command line because they are visible across the system. One would need to re-implement the token discovery logic external to the ZTN library and put it in Secondly, this doesn't work because the above invocation is only safe when TLS is used on the transport layer. Again, this is only known at the XrdCl level and not a priori by the individual invoking the client. |
Well, i believe it does because that's what the code allows. Indeed, you are correct that the user should use TLS to transmit the token via the URL. Unfortunately, nothing stops the user from not using TLS. I suppose we could test for the presence of 'authz' cgi in the client and force using TLS if it's there. I think the basic problem is that there is no defined way of how a user gets a one-off token, is there? ATLAS (and likely CMS) plans on having Rucio add the authz to the UR before handing back to the user who asked for it. Well, that's the idea anyway. Like I said, I have no issues of pointing to the ztn token from the SecEntity object. My question is whether the ztn token is valid for all file accesses the user wants to make; and if so, doesn't it make it a fat token? |
OK, so now ztn will point to the initial token via the Entity.creds field. Can I close this? |
After a 2.5 hour discussion on this topic, I do see the benefit of extending what ztn does as it's very much the same what a user would do in many circumstances. There is one caveat, if we allow the ztn token to be used as the default token(which is now possible to do in he SciToken authorization plug-in) then it either we do it always or we never do it. There is nothing in between if we want to provide reliable and consistent SciToken authorization. That mean a bit of work for @alrossi but I don't think he minds as long as the result leads to a better user experience. So, what is the verdict here? |
In is currently way, I have to put a token in both $BEARER_TOKEN, etc. and in CGI. Perhaps there is good reason behind it but this is not what users are expected. In fact, what appear in the CGI doesn't have to be a SciToken. It can be a macaroon token (passing a macaroon token is independent from Sec). I wonder whether there is a value to explore this - I view a macaroon token as something similar to the function of a signed URL. Maybe this one belongs to a different topic. |
I agree that the policy should be standard and expected. I don't think it will take much for the dCache door to hang on to the ZTN token and "override" it with anything sent as CGI ... as I said, my original approach when I was first implementing this was precisely to do that.
I won't go ahead and make this change, however, until I get the green light from you all.
Also, I am curious: aside from proprietary uses like ALICE, when GSI/x509 goes by the wayside, is native xroot third-party copy basically dead, or do we at some point plan to have a discussion about token support there? I know last year Andy and I had this discussion and the conclusion was basically wait and see what other people want. Any sense of this?
Thanks, Al
…________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Andrew Hanushevsky ***@***.***>
Sent: Tuesday, March 8, 2022 10:36 PM
To: xrootd/xrootd ***@***.***>
Cc: Albert Rossi ***@***.***>; Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
After a 2.5 hour discussion on this topic, I do see the benefit of extending what ztn does as it's very much the same what a user would do in many circumstances. There is one caveat, if we allow the ztn token to be used as the default token(which is now possible to do in he SciToken authorization plug-in) then it either we do it always or we never do it. There is nothing in between if we want to provide reliable and consistent SciToken authorization. That mean a bit of work for @alrossi<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_alrossi&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=CmfiDLGETrl831IeWt_t3PG1gIwf-CzI2wKPedb03ESFABR_M_ME4tYXvs5fT4MD&s=uEGZLWlfkuGmOp-50E1GiPUiH2CA8-OAHMK1g0r89tE&e=> but I don't think he minds as long as the result leads to a better user experience. So, what is the verdict here?
—
Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_xrootd_xrootd_issues_1584-23issuecomment-2D1062546234&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=CmfiDLGETrl831IeWt_t3PG1gIwf-CzI2wKPedb03ESFABR_M_ME4tYXvs5fT4MD&s=oju7Svkhs_tzTp_0H0azS6nyHiNLgbP8GSIC_aSeHyI&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AA6NBHGOBWIIPX52GXMCX63U7ATGFANCNFSM5LUMRMZQ&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=CmfiDLGETrl831IeWt_t3PG1gIwf-CzI2wKPedb03ESFABR_M_ME4tYXvs5fT4MD&s=td_2XK-a0AK88OH8aHcxvZzvirJwm_Pn7Fjp9imvymE&e=>.
Triage notifications on the go with GitHub Mobile for iOS<https://urldefense.proofpoint.com/v2/url?u=https-3A__apps.apple.com_app_apple-2Dstore_id1477376905-3Fct-3Dnotification-2Demail-26mt-3D8-26pt-3D524675&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=CmfiDLGETrl831IeWt_t3PG1gIwf-CzI2wKPedb03ESFABR_M_ME4tYXvs5fT4MD&s=R03x_5wtq4HMQry0FSP1HUDx_Rbe5yhP60TrFMkXKoY&e=> or Android<https://urldefense.proofpoint.com/v2/url?u=https-3A__play.google.com_store_apps_details-3Fid-3Dcom.github.android-26referrer-3Dutm-5Fcampaign-253Dnotification-2Demail-2526utm-5Fmedium-253Demail-2526utm-5Fsource-253Dgithub&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=CmfiDLGETrl831IeWt_t3PG1gIwf-CzI2wKPedb03ESFABR_M_ME4tYXvs5fT4MD&s=lAUN-9VFhh2umzNkGSki7AcVHWDgM1hNhU8_DnuoINU&e=>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
I expect the native xrootd TPC will not dead. xrootd TPC operations in two modes: X509 delegation and rendezvous key. The latter is used in cases where X509 is not used. |
robocert is not rendezvous key. It is something prior to x509 delegation so we no longer need robocert. rendezvous key is a time limited shared secret sent by the client to both endpoints, to facilitate TPC. It needs TLS. |
Well yes, then, we need to discuss this. I will need to know how to pass the secret key through from the destination server to the client on the destination side initiating the TPC with the source server.
This is new to me.
Al
…________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Wei Yang ***@***.***>
Sent: Wednesday, March 9, 2022 1:59 PM
To: xrootd/xrootd ***@***.***>
Cc: Albert Rossi ***@***.***>; Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
robocert is not rendezvous key. It is something prior to x509 delegation so we no longer need robocert. rendezvous key is a time limited shared secret sent by the client to both endpoints, to facilitate TPC. It needs TLS.
Whether dCache want to support rendezvous key is something to be discussed. The primary TPC in HEP is http though not exclusive. The rendezvous key in xrootd is used where x509 infrastructure is not available (and likely the token infrastructure is also not available, somewhere outside of HEP).
When x509 goes away, in principle, we can use token for authentication and then use rendezvous key for TPC (to avoid a more complexed token chain reaction), though someone will say that token is only for authorization :-)
—
Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_xrootd_xrootd_issues_1584-23issuecomment-2D1063312302&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=79dpk7QdguWHXF7Uf7JIbMQP1_j937XmHhMzSX6m0rY&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AA6NBHHPKMGMGN645IRDVD3U7D7KPANCNFSM5LUMRMZQ&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=59RGVJA1GM6PYPjx7_1S8OHv3J05wt03Gy8LywWIktM&e=>.
Triage notifications on the go with GitHub Mobile for iOS<https://urldefense.proofpoint.com/v2/url?u=https-3A__apps.apple.com_app_apple-2Dstore_id1477376905-3Fct-3Dnotification-2Demail-26mt-3D8-26pt-3D524675&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=G8ij4cqcygzzIj9YrbnpNy90wtxmM-s7pt-CceXXNPM&e=> or Android<https://urldefense.proofpoint.com/v2/url?u=https-3A__play.google.com_store_apps_details-3Fid-3Dcom.github.android-26referrer-3Dutm-5Fcampaign-253Dnotification-2Demail-2526utm-5Fmedium-253Demail-2526utm-5Fsource-253Dgithub&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=wiDsyodE6mxPHCjER1rxypxKLt51SNgeEjgBACvIRxI&e=>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Hi Albert,
Here is where to start:
https://xrootd.slac.stanford.edu/doc/dev49/tpc_protocol.htm
Andy
…On Wed, 9 Mar 2022, Albert Rossi wrote:
Well yes, then, we need to discuss this. I will need to know how to pass the secret key through from the destination server to the client on the destination side initiating the TPC with the source server.
This is new to me.
Al
________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Wei Yang ***@***.***>
Sent: Wednesday, March 9, 2022 1:59 PM
To: xrootd/xrootd ***@***.***>
Cc: Albert Rossi ***@***.***>; Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
robocert is not rendezvous key. It is something prior to x509 delegation so we no longer need robocert. rendezvous key is a time limited shared secret sent by the client to both endpoints, to facilitate TPC. It needs TLS.
Whether dCache want to support rendezvous key is something to be discussed. The primary TPC in HEP is http though not exclusive. The rendezvous key in xrootd is used where x509 infrastructure is not available (and likely the token infrastructure is also not available, somewhere outside of HEP).
When x509 goes away, in principle, we can use token for authentication and then use rendezvous key for TPC (to avoid a more complexed token chain reaction), though someone will say that token is only for authorization :-)
?
Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_xrootd_xrootd_issues_1584-23issuecomment-2D1063312302&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=79dpk7QdguWHXF7Uf7JIbMQP1_j937XmHhMzSX6m0rY&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AA6NBHHPKMGMGN645IRDVD3U7D7KPANCNFSM5LUMRMZQ&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=59RGVJA1GM6PYPjx7_1S8OHv3J05wt03Gy8LywWIktM&e=>.
Triage notifications on the go with GitHub Mobile for iOS<https://urldefense.proofpoint.com/v2/url?u=https-3A__apps.apple.com_app_apple-2Dstore_id1477376905-3Fct-3Dnotification-2Demail-26mt-3D8-26pt-3D524675&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=G8ij4cqcygzzIj9YrbnpNy90wtxmM-s7pt-CceXXNPM&e=> or Android<https://urldefense.proofpoint.com/v2/url?u=https-3A__play.google.com_store_apps_details-3Fid-3Dcom.github.android-26referrer-3Dutm-5Fcampaign-253Dnotification-2Demail-2526utm-5Fmedium-253Demail-2526utm-5Fsource-253Dgithub&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=wiDsyodE6mxPHCjER1rxypxKLt51SNgeEjgBACvIRxI&e=>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
--
Reply to this email directly or view it on GitHub:
#1584 (comment)
You are receiving this because you were assigned.
Message ID: ***@***.***>
|
Yes, I think this is good enough to close! Will try to send a corresponding PR today / tomorrow. |
Hi Albert,
No, the upshot is as follows:
1) If the client specified a ScoToken in the CGI use it, otherwise
2) If ztn was used, use the ztn SciToken (if it is a SciToken), otherwise
3) Passthrough the authorization.
Brian's pull request will implement the above in the SciToken library as
xrootd aleady supplies access to the token obtained via ztn.
So, dCache should do the same.
Andy
…On Fri, 11 Mar 2022, Albert Rossi wrote:
Just so I understand the upshot of this: essentially nothing changes on the server end for dCache with this because the client puts the ztn token in the CGI?
Sorry if I am a bit out of the loop here, have been quite busy with other things, but I want to make sure dCache doesn't get out of sync ...
Thanks, Al
________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Brian P Bockelman ***@***.***>
Sent: Friday, March 11, 2022 2:03 PM
To: xrootd/xrootd ***@***.***>
Cc: Albert Rossi ***@***.***>; Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
OK, so now ztn will point to the initial token via the Entity.creds field. Can I close this?
Yes, I think this is good enough to close! Will try to send a corresponding PR today / tomorrow.
?
Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_xrootd_xrootd_issues_1584-23issuecomment-2D1065461921&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=VHF-kSw5kbR-VKKywcAmT2ixMFQm1UBviX5Iv6FCfjJ29oDU6xewWc-AR0hhJAfW&s=QNNb2Y-oXtWYxOKpZYLxNJeFUKi5vEv5rDTRZlzHpg8&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AA6NBHEYOMYRATAUX5H3GNDU7ORH7ANCNFSM5LUMRMZQ&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=VHF-kSw5kbR-VKKywcAmT2ixMFQm1UBviX5Iv6FCfjJ29oDU6xewWc-AR0hhJAfW&s=M7Ov5Eg9f4M68yZhXVeiid6DOGBTasEhzRWgF5qLYcg&e=>.
Triage notifications on the go with GitHub Mobile for iOS<https://urldefense.proofpoint.com/v2/url?u=https-3A__apps.apple.com_app_apple-2Dstore_id1477376905-3Fct-3Dnotification-2Demail-26mt-3D8-26pt-3D524675&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=VHF-kSw5kbR-VKKywcAmT2ixMFQm1UBviX5Iv6FCfjJ29oDU6xewWc-AR0hhJAfW&s=_fsBXJh9kfuws0y6GB5vjzs-p9iQhSAQHV4JkxN3cwo&e=> or Android<https://urldefense.proofpoint.com/v2/url?u=https-3A__play.google.com_store_apps_details-3Fid-3Dcom.github.android-26referrer-3Dutm-5Fcampaign-253Dnotification-2Demail-2526utm-5Fmedium-253Demail-2526utm-5Fsource-253Dgithub&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=VHF-kSw5kbR-VKKywcAmT2ixMFQm1UBviX5Iv6FCfjJ29oDU6xewWc-AR0hhJAfW&s=47-h7UozRGvdqw7EWE8OtuLSBy42omuMmhmYBxfZmDw&e=>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
--
Reply to this email directly or view it on GitHub:
#1584 (comment)
You are receiving this because you were assigned.
Message ID: ***@***.***>
|
OK, I misunderstood slightly from the last couple exchanges. What you describe below is what I thought originally.
Will do, Al
________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Andrew Hanushevsky ***@***.***>
Sent: Friday, March 11, 2022 3:14 PM
To: xrootd/xrootd ***@***.***>
Cc: Albert Rossi ***@***.***>; Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
Hi Albert,
No, the upshot is as follows:
1) If the client specified a ScoToken in the CGI use it, otherwise
2) If ztn was used, use the ztn SciToken (if it is a SciToken), otherwise
3) Passthrough the authorization.
Brian's pull request will implement the above in the SciToken library as
xrootd aleady supplies access to the token obtained via ztn.
So, dCache should do the same.
Andy
On Fri, 11 Mar 2022, Albert Rossi wrote:
Just so I understand the upshot of this: essentially nothing changes on the server end for dCache with this because the client puts the ztn token in the CGI?
Sorry if I am a bit out of the loop here, have been quite busy with other things, but I want to make sure dCache doesn't get out of sync ...
Thanks, Al
________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Brian P Bockelman ***@***.***>
Sent: Friday, March 11, 2022 2:03 PM
To: xrootd/xrootd ***@***.***>
Cc: Albert Rossi ***@***.***>; Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
OK, so now ztn will point to the initial token via the Entity.creds field. Can I close this?
Yes, I think this is good enough to close! Will try to send a corresponding PR today / tomorrow.
?
Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_xrootd_xrootd_issues_1584-23issuecomment-2D1065461921&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=VHF-kSw5kbR-VKKywcAmT2ixMFQm1UBviX5Iv6FCfjJ29oDU6xewWc-AR0hhJAfW&s=QNNb2Y-oXtWYxOKpZYLxNJeFUKi5vEv5rDTRZlzHpg8&e=%3E, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AA6NBHEYOMYRATAUX5H3GNDU7ORH7ANCNFSM5LUMRMZQ&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=VHF-kSw5kbR-VKKywcAmT2ixMFQm1UBviX5Iv6FCfjJ29oDU6xewWc-AR0hhJAfW&s=M7Ov5Eg9f4M68yZhXVeiid6DOGBTasEhzRWgF5qLYcg&e=%3E.
Triage notifications on the go with GitHub Mobile for iOS<https://urldefense.proofpoint.com/v2/url?u=https-3A__apps.apple.com_app_apple-2Dstore_id1477376905-3Fct-3Dnotification-2Demail-26mt-3D8-26pt-3D524675&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=VHF-kSw5kbR-VKKywcAmT2ixMFQm1UBviX5Iv6FCfjJ29oDU6xewWc-AR0hhJAfW&s=_fsBXJh9kfuws0y6GB5vjzs-p9iQhSAQHV4JkxN3cwo&e=%3E or Android<https://urldefense.proofpoint.com/v2/url?u=https-3A__play.google.com_store_apps_details-3Fid-3Dcom.github.android-26referrer-3Dutm-5Fcampaign-253Dnotification-2Demail-2526utm-5Fmedium-253Demail-2526utm-5Fsource-253Dgithub&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=VHF-kSw5kbR-VKKywcAmT2ixMFQm1UBviX5Iv6FCfjJ29oDU6xewWc-AR0hhJAfW&s=47-h7UozRGvdqw7EWE8OtuLSBy42omuMmhmYBxfZmDw&e=%3E.
You are receiving this because you were mentioned.Message ID: ***@***.***>
--
Reply to this email directly or view it on GitHub:
#1584 (comment)<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_xrootd_xrootd_issues_1584-23issuecomment-2D1065472655&d=DwQCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=zrESHh0aIdZGT1jG-e9CgPHk9vuWqbjDeOXVUbEgc8rzcJxWCyb9CurXIMoIGWKt&s=BkRRwcd4GUKNZoxAOtirQ98duLB2_7-af7NyPsWoyas&e=>
You are receiving this because you were assigned.
Message ID: ***@***.***>
—
Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_xrootd_xrootd_issues_1584-23issuecomment-2D1065533398&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=zrESHh0aIdZGT1jG-e9CgPHk9vuWqbjDeOXVUbEgc8rzcJxWCyb9CurXIMoIGWKt&s=88ZLpBOjf_b4JI1roH-Eanlbue82S1BlHE7bRQS0tOs&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AA6NBHBC5EUB2VSOIY245YDU7OZSLANCNFSM5LUMRMZQ&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=zrESHh0aIdZGT1jG-e9CgPHk9vuWqbjDeOXVUbEgc8rzcJxWCyb9CurXIMoIGWKt&s=d0ilE8iLP8qR5HzQb0jrhT3nn4PwiyALDRGhgPr-hDs&e=>.
Triage notifications on the go with GitHub Mobile for iOS<https://urldefense.proofpoint.com/v2/url?u=https-3A__apps.apple.com_app_apple-2Dstore_id1477376905-3Fct-3Dnotification-2Demail-26mt-3D8-26pt-3D524675&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=zrESHh0aIdZGT1jG-e9CgPHk9vuWqbjDeOXVUbEgc8rzcJxWCyb9CurXIMoIGWKt&s=9Wf4CNriphqFaCyeiiYKhKDrrJYvmXvqnd6PcXZkqwI&e=> or Android<https://urldefense.proofpoint.com/v2/url?u=https-3A__play.google.com_store_apps_details-3Fid-3Dcom.github.android-26referrer-3Dutm-5Fcampaign-253Dnotification-2Demail-2526utm-5Fmedium-253Demail-2526utm-5Fsource-253Dgithub&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=zrESHh0aIdZGT1jG-e9CgPHk9vuWqbjDeOXVUbEgc8rzcJxWCyb9CurXIMoIGWKt&s=n4q5VHdO0pUjvCW7Mv_sAKzxkRGAcuoR5iTpv7fqwj4&e=>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Hello again,
I'm reviewing the state of our code with respect to the rendezvous key.
We support it on open because it was what was needed before TPC Lite, although it is currently not protected by TLS, since this was with x509 originally.
The issue here is that before, the third-party client was being told to authenticate to the door (the source server). I am unsure whether dCache as it is right now would be able to allow an override of authentication in the case of a rendezvous key being present.
Would this be done, for example, by giving to the open by the third-party client the same permissions given to the initiating client when it authorizes via JWT to the source (on open)? Is that the idea?
Thanks, Al
________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Andrew Hanushevsky ***@***.***>
Sent: Wednesday, March 9, 2022 4:15 PM
To: xrootd/xrootd ***@***.***>
Cc: Albert Rossi ***@***.***>; Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
Hi Albert,
Here is where to start:
https://xrootd.slac.stanford.edu/doc/dev49/tpc_protocol.htm<https://urldefense.proofpoint.com/v2/url?u=https-3A__xrootd.slac.stanford.edu_doc_dev49_tpc-5Fprotocol.htm&d=DwQCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=sa-nDlgj9VIXJllzJi1loYdmz8em5yXuLoUF-5rMz3UeeS5Fewi6UN8Cc9wXM2tG&s=WEnct5h4K8P0HMVTvg5n4P15Vwuu3gmV9FY2KXhv7xQ&e=>
Andy
On Wed, 9 Mar 2022, Albert Rossi wrote:
Well yes, then, we need to discuss this. I will need to know how to pass the secret key through from the destination server to the client on the destination side initiating the TPC with the source server.
This is new to me.
Al
________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Wei Yang ***@***.***>
Sent: Wednesday, March 9, 2022 1:59 PM
To: xrootd/xrootd ***@***.***>
Cc: Albert Rossi ***@***.***>; Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
robocert is not rendezvous key. It is something prior to x509 delegation so we no longer need robocert. rendezvous key is a time limited shared secret sent by the client to both endpoints, to facilitate TPC. It needs TLS.
Whether dCache want to support rendezvous key is something to be discussed. The primary TPC in HEP is http though not exclusive. The rendezvous key in xrootd is used where x509 infrastructure is not available (and likely the token infrastructure is also not available, somewhere outside of HEP).
When x509 goes away, in principle, we can use token for authentication and then use rendezvous key for TPC (to avoid a more complexed token chain reaction), though someone will say that token is only for authorization :-)
?
Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_xrootd_xrootd_issues_1584-23issuecomment-2D1063312302&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=79dpk7QdguWHXF7Uf7JIbMQP1_j937XmHhMzSX6m0rY&e=%3E, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AA6NBHHPKMGMGN645IRDVD3U7D7KPANCNFSM5LUMRMZQ&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=59RGVJA1GM6PYPjx7_1S8OHv3J05wt03Gy8LywWIktM&e=%3E.
Triage notifications on the go with GitHub Mobile for iOS<https://urldefense.proofpoint.com/v2/url?u=https-3A__apps.apple.com_app_apple-2Dstore_id1477376905-3Fct-3Dnotification-2Demail-26mt-3D8-26pt-3D524675&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=G8ij4cqcygzzIj9YrbnpNy90wtxmM-s7pt-CceXXNPM&e=%3E or Android<https://urldefense.proofpoint.com/v2/url?u=https-3A__play.google.com_store_apps_details-3Fid-3Dcom.github.android-26referrer-3Dutm-5Fcampaign-253Dnotification-2Demail-2526utm-5Fmedium-253Demail-2526utm-5Fsource-253Dgithub&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=wiDsyodE6mxPHCjER1rxypxKLt51SNgeEjgBACvIRxI&e=%3E.
You are receiving this because you were mentioned.Message ID: ***@***.***>
--
Reply to this email directly or view it on GitHub:
#1584 (comment)<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_xrootd_xrootd_issues_1584-23issuecomment-2D1063346075&d=DwQCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=sa-nDlgj9VIXJllzJi1loYdmz8em5yXuLoUF-5rMz3UeeS5Fewi6UN8Cc9wXM2tG&s=sNJjZ7J42vDdoqCAHfs2ytmON2PNXg81AYMV_SW2Abk&e=>
You are receiving this because you were assigned.
Message ID: ***@***.***>
—
Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_xrootd_xrootd_issues_1584-23issuecomment-2D1063426347&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=sa-nDlgj9VIXJllzJi1loYdmz8em5yXuLoUF-5rMz3UeeS5Fewi6UN8Cc9wXM2tG&s=Me9fOE6TM92ZmUHa0AjRWMBUn_ikXftt3D9WcbGLzh8&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AA6NBHCVMMKIGHGZTHK6W4TU7EPGTANCNFSM5LUMRMZQ&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=sa-nDlgj9VIXJllzJi1loYdmz8em5yXuLoUF-5rMz3UeeS5Fewi6UN8Cc9wXM2tG&s=m9J1o6b_8klgv59mdXp9wfehT2utQL4PdZAvr3MJ2HQ&e=>.
Triage notifications on the go with GitHub Mobile for iOS<https://urldefense.proofpoint.com/v2/url?u=https-3A__apps.apple.com_app_apple-2Dstore_id1477376905-3Fct-3Dnotification-2Demail-26mt-3D8-26pt-3D524675&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=sa-nDlgj9VIXJllzJi1loYdmz8em5yXuLoUF-5rMz3UeeS5Fewi6UN8Cc9wXM2tG&s=3tyKgTdRhPXo53BkjGlmi1ne-0X6tOOnh33mYsJullw&e=> or Android<https://urldefense.proofpoint.com/v2/url?u=https-3A__play.google.com_store_apps_details-3Fid-3Dcom.github.android-26referrer-3Dutm-5Fcampaign-253Dnotification-2Demail-2526utm-5Fmedium-253Demail-2526utm-5Fsource-253Dgithub&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=sa-nDlgj9VIXJllzJi1loYdmz8em5yXuLoUF-5rMz3UeeS5Fewi6UN8Cc9wXM2tG&s=C4et26N70WmdUI-SFT32zhc18CkfNJKYjiFUIj6oals&e=>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Hi Albert, Correct, while TLS would have been preferable the additional safeguards put in place to protect the rendezvous token made it highly unlikely to be subverted (you would need to accomplish at least three other subversion before the token became vulnerable). Now that TLS is widely available nothing prevents the token being transmitted using TLS, though for backward compatibility, it's not required. As you state it, the door is not in a position to use the rendezvous token presented by the destination since it needs to authenticate the destination first. So, if that's how the code sits then, yes, without skipping authorization in the presence of a token, it would not work. Mind you rendezvous tokens are only meant to be used for pull requests so they are incapable of performing and destructive action. So, presumably you are wondering that one could get around the problem by having the destination use a JWT along with the rendezvous token. The issue here is how does one get the JWT? I was told that it can't be the requesting clients JWT as these are not delegable, though I still don't see what prevents them from being used by someone else, hence why they need TLS. The destination server is also not really in a position of getting a JWT. Seems like an issue here. Of course, that all hinges on whether the requesting client's JWT cannot be used by the destination server. If it can be (or at least if the client can get a delegable token) then, yes, we could handle the rendezvous in that way. That said, why bother with a rendezvous token at all since we could do the same thing with JWT's can't we? So, in the end we need to get all of this straightened out to figure out the positioning of a rendezvous TPC. Maybe @bbockelm will see this post and expand on how a requesting client's JWT can and cannot be used in a TPC context by the destination server. |
Hi Andy,
Thank you for this very good summary of the situation. It reflects perfectly what I remember discussing with you last year.
I am interested to know what Brian thinks of all of this.
It would be nice to keep dCache on the same page as everyone else in this regard.
Cheers, Al
…________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Andrew Hanushevsky ***@***.***>
Sent: Wednesday, March 23, 2022 8:16 PM
To: xrootd/xrootd ***@***.***>
Cc: Albert Rossi ***@***.***>; Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
Hi Albert,
Correct, while TLS would have been preferable the additional safeguards put in place to protect the rendezvous token made it highly unlikely to be subverted (you would need to accomplish at least three other subversion before the token became vulnerable). Now that TLS is widely available nothing prevents the token being transmitted using TLS, though for backward compatibility, it's not required.
As you state it, the door is not in a position to use the rendezvous token presented by the destination since it needs to authenticate the destination first. So, if that's how the code sits then, yes, without skipping authorization in the presence of a token, it would not work. Mind you rendezvous tokens are only meant to be used for pull requests so they are incapable of performing and destructive action.
So, presumably you are wondering that one could get around the problem by having the destination use a JWT along with the rendezvous token. The issue here is how does one get the JWT? I was told that it can't be the requesting clients JWT as these are not delegable, though I still don't see what prevents them from being used by someone else, hence why they need TLS. The destination server is also not really in a position of getting a JWT. Seems like an issue here.
Of course, that all hinges on whether the requesting client's JWT cannot be used by the destination server. If it can be (or at least if the client can get a delegable token) then, yes, we could handle the rendezvous in that way. That said, why bother with a rendezvous token at all since we could do the same thing with JWT's can't we?
So, in the end we need to get all of this straightened out to figure out the positioning of a rendezvous TPC. Maybe @bbockelm<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_bbockelm&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=aPJycUjsDal5ouobRnOW-RIHzPPgfWgiSWaEQX9bqly0KTaVVNSqf2rh9RFPwBN8&s=XQ9LPm9jjB3Nc1AWnQVIzoJOOqlATM4CeXN4TWvFKIM&e=> will see this post and expand on how a requesting client's JWT can and cannot be used in a TPC context by the destination server.
—
Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_xrootd_xrootd_issues_1584-23issuecomment-2D1076971468&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=aPJycUjsDal5ouobRnOW-RIHzPPgfWgiSWaEQX9bqly0KTaVVNSqf2rh9RFPwBN8&s=kwUKeUD7KFApYCw0rQ2DjTJvo5dbooGDeHSLNRZojhA&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AA6NBHAAQLWSENTBDTXTOJDVBO65TANCNFSM5LUMRMZQ&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=aPJycUjsDal5ouobRnOW-RIHzPPgfWgiSWaEQX9bqly0KTaVVNSqf2rh9RFPwBN8&s=DoVAXQRpM6K5_rzgHcu8DNgRSaVo7hdn_qFBeufS2hg&e=>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Just as a follow, and perhaps to state the obvious here.
The way ALICE's authorization scheme for TPC works (with dCache) is:
1. the directive --tpc delegate only is used. This ensures that the tpc.scgi element is included in the opaque data given to the destination.
2. that tpc.scgi contains a separate authz= token.
3. The scgi becomes the cgi of the path used by the third-party client when communicating with the source server.
In this schema, it is then a matter of having the initiator/moderator of the TPC (in this case, xrdcp) pass two tokens, not one. The second token is the one in the tpc.scgi, which I suppose we could refer to as the 'delegated' token, though it is not so in the sense that it should be used and then reused, but simply a token destined for the TPC client.
Is such a strategy not generalizable?
Al
…________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Albert Rossi ***@***.***>
Sent: Thursday, March 24, 2022 7:00 AM
To: xrootd/xrootd ***@***.***>; xrootd/xrootd ***@***.***>
Cc: Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
Hi Andy,
Thank you for this very good summary of the situation. It reflects perfectly what I remember discussing with you last year.
I am interested to know what Brian thinks of all of this.
It would be nice to keep dCache on the same page as everyone else in this regard.
Cheers, Al
________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Andrew Hanushevsky ***@***.***>
Sent: Wednesday, March 23, 2022 8:16 PM
To: xrootd/xrootd ***@***.***>
Cc: Albert Rossi ***@***.***>; Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
Hi Albert,
Correct, while TLS would have been preferable the additional safeguards put in place to protect the rendezvous token made it highly unlikely to be subverted (you would need to accomplish at least three other subversion before the token became vulnerable). Now that TLS is widely available nothing prevents the token being transmitted using TLS, though for backward compatibility, it's not required.
As you state it, the door is not in a position to use the rendezvous token presented by the destination since it needs to authenticate the destination first. So, if that's how the code sits then, yes, without skipping authorization in the presence of a token, it would not work. Mind you rendezvous tokens are only meant to be used for pull requests so they are incapable of performing and destructive action.
So, presumably you are wondering that one could get around the problem by having the destination use a JWT along with the rendezvous token. The issue here is how does one get the JWT? I was told that it can't be the requesting clients JWT as these are not delegable, though I still don't see what prevents them from being used by someone else, hence why they need TLS. The destination server is also not really in a position of getting a JWT. Seems like an issue here.
Of course, that all hinges on whether the requesting client's JWT cannot be used by the destination server. If it can be (or at least if the client can get a delegable token) then, yes, we could handle the rendezvous in that way. That said, why bother with a rendezvous token at all since we could do the same thing with JWT's can't we?
So, in the end we need to get all of this straightened out to figure out the positioning of a rendezvous TPC. Maybe @bbockelm<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_bbockelm&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=aPJycUjsDal5ouobRnOW-RIHzPPgfWgiSWaEQX9bqly0KTaVVNSqf2rh9RFPwBN8&s=XQ9LPm9jjB3Nc1AWnQVIzoJOOqlATM4CeXN4TWvFKIM&e=> will see this post and expand on how a requesting client's JWT can and cannot be used in a TPC context by the destination server.
—
Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_xrootd_xrootd_issues_1584-23issuecomment-2D1076971468&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=aPJycUjsDal5ouobRnOW-RIHzPPgfWgiSWaEQX9bqly0KTaVVNSqf2rh9RFPwBN8&s=kwUKeUD7KFApYCw0rQ2DjTJvo5dbooGDeHSLNRZojhA&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AA6NBHAAQLWSENTBDTXTOJDVBO65TANCNFSM5LUMRMZQ&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=aPJycUjsDal5ouobRnOW-RIHzPPgfWgiSWaEQX9bqly0KTaVVNSqf2rh9RFPwBN8&s=DoVAXQRpM6K5_rzgHcu8DNgRSaVo7hdn_qFBeufS2hg&e=>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
With a couple of small tweaks, I have found a way to get dCache to support rendezvous TPC with bearer token primary authorization by the initiating client. Most of the mechanism was actually in place for this, it was just a case of allowing this when a bearer token was actually present (which I made short-circuit the rendezvous check).
I just have to allow ZTN authentication not to fail if the client does not present a ZTN (i.e., the third-party client). Otherwise, the bearer tokens must be expressed as the authz CGI ... unless xrdcp could optionally provide the authorization token from a file the way it does for ZTN.
Or maybe it does? BEARER_TOKEN_FILE doesn't see to work when I point it at a token. And if ZTN is not requested, the client doesn't seem to bother with XDG_RUNTIME_DIR either.
Anyway, we're close to conformity.
Al
…________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Albert Rossi ***@***.***>
Sent: Thursday, March 24, 2022 11:49 AM
To: xrootd/xrootd ***@***.***>; xrootd/xrootd ***@***.***>
Cc: Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
Just as a follow, and perhaps to state the obvious here.
The way ALICE's authorization scheme for TPC works (with dCache) is:
1. the directive --tpc delegate only is used. This ensures that the tpc.scgi element is included in the opaque data given to the destination.
2. that tpc.scgi contains a separate authz= token.
3. The scgi becomes the cgi of the path used by the third-party client when communicating with the source server.
In this schema, it is then a matter of having the initiator/moderator of the TPC (in this case, xrdcp) pass two tokens, not one. The second token is the one in the tpc.scgi, which I suppose we could refer to as the 'delegated' token, though it is not so in the sense that it should be used and then reused, but simply a token destined for the TPC client.
Is such a strategy not generalizable?
Al
________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Albert Rossi ***@***.***>
Sent: Thursday, March 24, 2022 7:00 AM
To: xrootd/xrootd ***@***.***>; xrootd/xrootd ***@***.***>
Cc: Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
Hi Andy,
Thank you for this very good summary of the situation. It reflects perfectly what I remember discussing with you last year.
I am interested to know what Brian thinks of all of this.
It would be nice to keep dCache on the same page as everyone else in this regard.
Cheers, Al
________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Andrew Hanushevsky ***@***.***>
Sent: Wednesday, March 23, 2022 8:16 PM
To: xrootd/xrootd ***@***.***>
Cc: Albert Rossi ***@***.***>; Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
Hi Albert,
Correct, while TLS would have been preferable the additional safeguards put in place to protect the rendezvous token made it highly unlikely to be subverted (you would need to accomplish at least three other subversion before the token became vulnerable). Now that TLS is widely available nothing prevents the token being transmitted using TLS, though for backward compatibility, it's not required.
As you state it, the door is not in a position to use the rendezvous token presented by the destination since it needs to authenticate the destination first. So, if that's how the code sits then, yes, without skipping authorization in the presence of a token, it would not work. Mind you rendezvous tokens are only meant to be used for pull requests so they are incapable of performing and destructive action.
So, presumably you are wondering that one could get around the problem by having the destination use a JWT along with the rendezvous token. The issue here is how does one get the JWT? I was told that it can't be the requesting clients JWT as these are not delegable, though I still don't see what prevents them from being used by someone else, hence why they need TLS. The destination server is also not really in a position of getting a JWT. Seems like an issue here.
Of course, that all hinges on whether the requesting client's JWT cannot be used by the destination server. If it can be (or at least if the client can get a delegable token) then, yes, we could handle the rendezvous in that way. That said, why bother with a rendezvous token at all since we could do the same thing with JWT's can't we?
So, in the end we need to get all of this straightened out to figure out the positioning of a rendezvous TPC. Maybe @bbockelm<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_bbockelm&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=aPJycUjsDal5ouobRnOW-RIHzPPgfWgiSWaEQX9bqly0KTaVVNSqf2rh9RFPwBN8&s=XQ9LPm9jjB3Nc1AWnQVIzoJOOqlATM4CeXN4TWvFKIM&e=> will see this post and expand on how a requesting client's JWT can and cannot be used in a TPC context by the destination server.
—
Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_xrootd_xrootd_issues_1584-23issuecomment-2D1076971468&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=aPJycUjsDal5ouobRnOW-RIHzPPgfWgiSWaEQX9bqly0KTaVVNSqf2rh9RFPwBN8&s=kwUKeUD7KFApYCw0rQ2DjTJvo5dbooGDeHSLNRZojhA&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AA6NBHAAQLWSENTBDTXTOJDVBO65TANCNFSM5LUMRMZQ&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=aPJycUjsDal5ouobRnOW-RIHzPPgfWgiSWaEQX9bqly0KTaVVNSqf2rh9RFPwBN8&s=DoVAXQRpM6K5_rzgHcu8DNgRSaVo7hdn_qFBeufS2hg&e=>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Chatting with Al at the WLCG BDT meeting today -- we think this ticket can be closed. The xrootd-TPC discussion is alive and healthy on the mailing list but not exactly relevant to the original ticket item. Would be good to create a fresh issue if we want to bring it to GitHub. |
As requested. |
Not only that, we will need to be able to access it/check it in the dCache server on the source end.
…________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Albert Rossi ***@***.***>
Sent: Wednesday, March 9, 2022 2:34 PM
To: xrootd/xrootd ***@***.***>; xrootd/xrootd ***@***.***>
Cc: Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
Well yes, then, we need to discuss this. I will need to know how to pass the secret key through from the destination server to the client on the destination side initiating the TPC with the source server.
This is new to me.
Al
________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023
________________________________
From: Wei Yang ***@***.***>
Sent: Wednesday, March 9, 2022 1:59 PM
To: xrootd/xrootd ***@***.***>
Cc: Albert Rossi ***@***.***>; Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
robocert is not rendezvous key. It is something prior to x509 delegation so we no longer need robocert. rendezvous key is a time limited shared secret sent by the client to both endpoints, to facilitate TPC. It needs TLS.
Whether dCache want to support rendezvous key is something to be discussed. The primary TPC in HEP is http though not exclusive. The rendezvous key in xrootd is used where x509 infrastructure is not available (and likely the token infrastructure is also not available, somewhere outside of HEP).
When x509 goes away, in principle, we can use token for authentication and then use rendezvous key for TPC (to avoid a more complexed token chain reaction), though someone will say that token is only for authorization :-)
—
Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_xrootd_xrootd_issues_1584-23issuecomment-2D1063312302&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=79dpk7QdguWHXF7Uf7JIbMQP1_j937XmHhMzSX6m0rY&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AA6NBHHPKMGMGN645IRDVD3U7D7KPANCNFSM5LUMRMZQ&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=59RGVJA1GM6PYPjx7_1S8OHv3J05wt03Gy8LywWIktM&e=>.
Triage notifications on the go with GitHub Mobile for iOS<https://urldefense.proofpoint.com/v2/url?u=https-3A__apps.apple.com_app_apple-2Dstore_id1477376905-3Fct-3Dnotification-2Demail-26mt-3D8-26pt-3D524675&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=G8ij4cqcygzzIj9YrbnpNy90wtxmM-s7pt-CceXXNPM&e=> or Android<https://urldefense.proofpoint.com/v2/url?u=https-3A__play.google.com_store_apps_details-3Fid-3Dcom.github.android-26referrer-3Dutm-5Fcampaign-253Dnotification-2Demail-2526utm-5Fmedium-253Demail-2526utm-5Fsource-253Dgithub&d=DwMCaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9AJtCfH_GWBV-ISAUdgyoVCaVKkkAEMxEf1UiYHdGygxOsUYV-le4OHN1IX0EYr8&s=wiDsyodE6mxPHCjER1rxypxKLt51SNgeEjgBACvIRxI&e=>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
When using ZTN to pass the scitoken, the token reaches
XrdAccSciTokens::Validate()
as expected. However, a later call toXrdAccSciTokens::Access()
fails.xrootd/src/XrdSciTokens/XrdSciTokensAccess.cc
Lines 312 to 314 in 10d2796
Access()
expects to find the token withenv->Get("authz")
which I believe is only true for HTTPS.With the current flow, it seems
Validate()
does ascitoken_deserialize()
to process the token, and leaves ACLs toAccess()
. ThenAccess()
generates ACLs, and puts them into a cache (keyed by the JWT).As for possible solutions, the token could be stored in
Validate()
(which seems like something to avoid). Or we could refactor to instead generate the ACLs inValidate()
.The text was updated successfully, but these errors were encountered: