f-stream monitoring does not work with tokens #1987
Comments
Yes, this is another unfortunate side-effect of tokens. We need to keep architectural integrity here otherwise the whole scheme falls into chaos. So, the solution is not very straightforward. Fortunately, we have a couple of years to figure this out and I am sure we will.
What's wrong with this:
I'm not sure why there's a couple of years here. Most of the authenticated data in OSDF uses tokens. Isn't ~99% of the LHC WAN data moved using macaroons (and hence missing f-stream data) as well?
Before we get much further let's do some basic stuff. First, what are the actual contents of authinfo when a token is used to populate that field? We already know what it is for non-token scenarios but we need to document what it is for token scenarios. Second, how is this field populated? That is, what should be called with what API, or should one get some other structure and populate the field from that? It's all pretty much a black box right now.
Of course, currently there is nothing. Here's how the fields are populated from an XrdSecEntity object (from https://github.com/xrootd/xrootd/blob/master/src/XrdXrootd/XrdXrootdXeq.cc#L4037-L4048):
For the XrdSciTokens plugin (https://github.com/xrootd/xrootd/blob/master/src/XrdSciTokens/XrdSciTokensAccess.cc#L453), here's what's in those fields:
Here's what I'd propose for an authinfo for a request:
This is to be taken from the
About 80 characters total.
@abh3 - thoughts on the above?
We pretty much have the scheme drawn out but the issue here is that the SciTokens library has to issue a new ident event. How we provide the hook to do that is still undecided. That should happen after the new re-falgamized secEntity has been used for authorization. So, I assume you are OK with that,
OK, I am ready to test this. I need some instructions on how to set up the token scheme and send off an open request for a file with an actual valid token. Can you supply the info @bbockelm ?
@bbockelm If you tell me in the next 24 hours we may be able to get this into 5.6.0 this week. Otherwise, it will have to wait for the next release, likely a month or two from now.
Hi Andy, Sorry - yesterday was a holiday here. The easiest way to test out a token is to use the https://demo.scitokens.org/ service. It allows you to put whatever you want into the token and generates a valid signature (which, obviously, means you shouldn't enable such an insecure service beyond demos or tests). If you click on the "SET PAYLOAD TO ACCESS TO PROTECTED AREA", it'll generate a reasonable-looking token. The two things you probably want to change are:
Here's an example
Brian
This ticket has been addressed by commit d7f4b61 with documentation to come in the next few days.
(This is probably true for the other monitoring packet types but I happened to stumble across this with the f-stream parsing in #1985)
When a file-open record is sent in the f-stream, the record references the login session.
However, for token-based access, the access control is done at the file-level, not at the session level. Typically the session is for some anonymous user (HTTP) or, when using ZTN, potentially a different token.
I can see two obvious options:
Honestly? I'd prefer simplicity won the day and go with (1). That'd have the side-effect of making the f-stream easier to use as one wouldn't even need to capture user login packets anymore - they'd be embedded in the f-stream.