Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Origin requires multiple scitokens #1989

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

Origin requires multiple scitokens #1989

wants to merge 5 commits into from

Conversation

turetske
Copy link
Collaborator

@turetske turetske commented Feb 5, 2025

This PR updates the origin scitokens and authfiles to reflect the cache auth changes.

If an origin's namespace has direct-read capabilities, the authfile still remains the same. However, if it doesn't, but has PublicRead capabilities, then that path is moved into the origin's scitoken file behind a federation Issuer. Private capabilities now also require that federation issuer.

This is still a draft PR because full testing can't be done until all the other cache auth pieces are complete.

Emma Turetsky added 4 commits February 4, 2025 18:24
Adjusted origin xrootd auth to only allow direct reads without a token
041c9ee 
	-- Not only origins with direct reads capabilites have an entry
with u * <namespace> lr
	-- Adjusted the current tests to account for this
Added a federation issuer to origin scitokens generation
2c418e3 
	-- Added a function to get the publicReads prefixes
	-- Added a function to generate the FederationIssuer in the
origin's scitoken
	-- Adjusted the issuer structure to include a boolean for if
it's a a federation issuer
Ajusted the scitokens.cfg to write the correct authorization variables
5881ed9 
	-- If the issuer is a federation issuer, the scitokens file will
now generate the needed authorization for multi-issue checking
Added unit tests for the updated origin auth/scitokens files
55428ff 
	-- Added more tests for the origin authfile based on namespace
capabilities
	-- Adjusted current tests for scitokens to get the new expected
output with a federation issue for both public and private namespaces
@turetske turetske requested a review from bbockelm February 5, 2025 19:51
@turetske turetske added origin Issue relating to the origin component enhancement New feature or request labels Feb 5, 2025
@turetske turetske added this to the v7.14 milestone Feb 5, 2025
@turetske turetske linked an issue Feb 5, 2025 that may be closed by this pull request
Update Origin Authfile and Scitokens file to only accept Authorized Caches #1719
Open
@turetske turetske force-pushed the origin-requires-multiple-scitokens branch from e5286fe to 6167abc Compare February 5, 2025 20:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bbockelm bbockelm Awaiting requested review from bbockelm

At least 1 approving review is required to merge this pull request.

Assignees

@bbockelm bbockelm

Labels
enhancement New feature or request origin Issue relating to the origin component
Projects
None yet
Milestone
v7.14
Development

Successfully merging this pull request may close these issues.

Update Origin Authfile and Scitokens file to only accept Authorized Caches
2 participants
@turetske @bbockelm