New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Scitoken bug with scope including basepath or / #2132
Comments
Hi @Jo-stfc! Happy to help but there's not a lot to chew on from the report. The two components aren't typically interconnected so I don't have an immediate guess as to what's happening. As a starting point, can you share the logs from when the |
Hi @bbockelm |
@Jo-stfc - can you post your From this line:
You'll see the authorization generated is for |
Hi Brian, [Issuer CMS_IAM] |
this is a summary of the user token testing: base path | restricted_path | cms file | non-cms file/store | cms:/store | yes | no |
from that check, restricted_path doesn't seem to work as intended - it either allows the token to access all data (when the pfn is specified) or none (when the lfn is specified) when the base_path is set to /. |
@bbockelm we found the issue - restricted_path is acting as a check on the scope of the token, not the filepath. |
So, I a trying to understand this as the title of this issue mentioning lfn2pfn doesn't seem relevant here, especially considering the pull request. The question is why would the incoming file path sometimes have the base path and sometimes not? Only one of them should be valid not both it would seem. The pull request makes both valid which is sort of odd. @bbockelm could you review the pull request and sign off on it if it's correct? |
Hi Andy,
This is a change of scope, not requested filepath. i.e, if a filepath is outside the scope the request will be rejected, nor will it introduced unplanned changes on the location of the file. |
I'm not sure the PR is in the right direction. After all, if the problem was as described, then the dozen or so sites that are working wouldn't be working. The base_path operates on LFN paths and restricted_path operates on paths in scopes. So, for CMS, the only possible solution is base_path=/ and restricted_path=/store. I double checked this on a site that is passing the SAM tests. In the table above, that case is listed as not working. However, it doesn't match the log file excerpts. Can you share the logging lines in that case? |
Hi @bbockelm;
We currently can't see a way to simultaneously satisfy both requirements. There seems to be no way to allow a token scoped with storage.read:/ but only allow it access to LFNs with "/store", |
Two thoughts:
|
The first I guess is for CMS/you (? :) ) to discuss. The second is probably more preferable in the longer term. I.e. the implementation details should be hidden from the user, and if they want to specify "storage.read:/" across all SE's that should be OK. On the storage side, there is then the need to restrict them appropriately. James |
@bbockelm the following are the log excerpt: 231211 14:36:30 3196764 scitokens_Access: Token not found in recent cache; parsing. this is when the scope is set to /store on the token 231212 11:36:26 3281371 scitokens_Access: Trying token-based access control this is with the patch in place and base_path set to /store, without restricted_path: token scope / 231215 10:56:41 3587219 scitokens_Access: Trying token-based access control token scope /store 231215 10:57:27 3587219 scitokens_Access: Trying token-based access control we don't see any change in the lfn requested |
@snafus or @Jo-stfc - would you have time to test #2152 for me in this setup? I had enough time this morning to write down the idea but not do a full reproduction of the issue you're facing. The patch allows the scopes in the token to be more generic than the restricted paths. Internally, in that case instead of ignoring the scope it generates ACLs based on the restricted paths. So, if you have this case:
You'd end up with permission granted (previously, it was a denied). |
Are we getting any closer to getting this resolved? |
Hi,
I found a weird interaction with CMS tokens.
RAL uses lfn2pfn mapping to map cms's /store root folder to the pfn cms:/store.
Testing with a user token, I've confirmed the correct permissions are given (can only access files in the cms pool)
This follows the usual flow of request comes in, lfn2pfn maps /store to cms:/store and permission is granted.
This however caused CMS SAM token tests (external site functional tests) to fail, and from server logs the flow seems to be: request comes in, there is no lfn2pfn mapping and then the request gets denied.
Turning on scitokens.trace all fixed this behaviour and made the SAM tests pass again
The text was updated successfully, but these errors were encountered: