[XrdSciTokens] Add global option 'validation = none' to disable token… #1910

Closed
wants to merge 1 commit into from

apeters1971
Contributor

… validation during ZTN handshakes

- `validation` (optional): when the library is used for ZTN authentication the Validate() function is called as part of the
ZTN handshake. To disable validating tokens during the ZTN handshake this variable can be set to the following value:
- `none`: Don't validate a token during the ZTN handshake. This is useful when the passed token is not handled by the SciToken library!
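
Review bot: the `validation` entry in this README hunk lists only the value `none` and does not say what happens when the option is left unset, nor which component is expected to check a token once `none` is chosen. Since the option is described as global and removes the Validate() call from the ZTN handshake, state the default behaviour explicitly and add a sentence saying that with `none` the token passes the handshake without being validated by this library.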

Member

@abh3 abh3 Feb 16, 2023

I think you will need to fix the indentation here as markdown is not formatting this correctly and it really is not well readable.

However, you will not need to do this if you accept my observation that the changes should be done in XrdSecProtocolztn.cc (see last comment).

@abh3
Member

abh3 commented Feb 16, 2023

I asked for a change in the markdown but I do also want to bring to your attention that the approach taken is likely not the best. Turning off validation is specific to ztn usage not to SciToken usage in any sense of the word. This is as much as you said. So, this change does not belong in the SciToken libraries which likely would not have been needed at all if validation is not desired. Additionally, it prevents coming up with say a ytn protocol that does validation and have a ztn protocol without it. Once validation is turned off it is turned off for everyone; which limits future options.

I strongly suggest that the ztn parameter "-tokenlib" which accepts a parameter also accept "-tokenlib=none" which automatically says you do not wish to use the tokenlib and this would turn off validation. The changes are slightly more complicated but not enough to avoid this approach.

So, I guess what I am saying is I would prefer the choice to validate or not to be done in XrdSecProtocolztn.cc as that is the logical place to do it; unless there is another reason that I don't know about.

@apeters1971
Contributor Author

Ah yes, you are absolutely right. If only ZTN is calling the Validate function, it is much better to do it in ZTN, I was not sure if that is the case. Thanks, will do another one!

2 participants