-
Notifications
You must be signed in to change notification settings - Fork 151
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pass Authorization header to the bridge via opaque info #581
Conversation
This allows any ACC plugins to utilize the contents of the authorization header, providing a mechanism for request-level authorization that is more common on the web.
@ffurano - any thoughts on this one? |
@ffurano ping! |
This fix adds the content of the authorization header (the standard one) to the opaque information string that is consumed only internally by the Xrd plugins, and hence Acc plugins. Wouldn't it be possible to append this opaque string to the "Protocol specific endorsements" field instead ? The Acc plugins do have access to this. My fear is that we may not be able to exclude any present or future interaction with other existing Ofs/Oss plugin implementations that happen to use the "authz=" info, or interactions with clients that already provide an "authz=" opaque token. |
Hi @ffurano - I picked opaque information instead of wedging it into the
I think it's good to standardize on a consistent key name of the opaque information (similar to how HTTP utilizes the |
I see the issue, which is linked to too little information being passed through the authorization, i.e. one has to choose among the SecEntity and the URL where to put this kind of info. I would welcome improvements to this (maybe xrootd5?) This PR silently appends an authz keyvalue to the internal opaque info, and I think that this is delicate business. What if the opaque info already had such a token? Since I'd like to avoid philosophy, would you mind adding a log line to the code that prints (at DEBUG level) something like "I am silently adding authz= to the opaque info" ? |
It should be possible to parse out the opaque info and then decide whether we want to override So, I see three approaches:
There are, of course, CPU-time and memory-allocation costs to (1) and (2). I'm fine with any option. Which would you prefer? |
Hi Brian, |
Ok - @ffurano, this is done! |
It would seem to me that a more systematic change would be better here to avoid future conflicts. Since autz= is already in use then the authorization header shouldn't reuse that cgi element. It would seem that a better implementation would be to use a different cgi element (say 'auth-') to pass the header via cgi and then the XrdAcc plugin developed to handle it. If the idea is that the ALICE plugin would be used, then that plugin should have been changed to handle the new element in addition to the original authz element. Yes, that would mean changing the ALICE plugn but at least it would be consistent and understandable. Before we merge this request I'd like to get additional comments as this is a potentially conflicting future sore point. |
As a followup to the chat we just had, I'd like to implement something more general that is able to copy arbitrary headers into arbitrary CGI entries in the URL, defined in the config file. |
Hi - To me, the important point is the opaque key is reused. I.e., it's the same key whether the authorization comes from the That said, given this is mostly internal details, I can make a change just to keep this project moving forward. I'm not sure a Brian |
I think that Fabrizio and I came up with a reasonable solution here. He will implement a generalized directive that will allow you to promote any header to CGI. It would be something like That way you can have your cake and we can eat it too! |
This PR has been obsoleted by #597. Thank you Brian for providing a working example of what was needed! |
This translates the
Authorization
HTTP header into theauthz
opaque info.It allows for the ACC layer to do things like authorize requests based on tokens, analogously to how ALICE token-based auth has always worked.