Hi, slightly OT, may I know what are the actual desiderata for a macaroon-based system ? As I was mentioning, DPM has the macaroons code in the frontend (disabled by default), yet we consider it experimental. Which authentication/authorization criteria may have to be applied to generate a macaroon? What does dCache do for example? Thanks Fabrizio On 17.06.18 06:01, Brian Bockelman wrote: > Hi, > > The package has moved to testing: > - Fedora 28: https://bodhi.fedoraproject.org/updates/FEDORA-2018-9e2640da1e > - EPEL > 7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-3b68fe0e41 > > If folks could please take some time to review and test it, it'll help > reduce the 2 week waiting period. > > Regardless, on the timescale of the next Xrootd release, libmacaroons > should be present on at least a subset of the production platforms. > > Brian > >> On Jun 14, 2018, at 9:23 PM, Brian Bockelman <[log in to unmask] >> <mailto:[log in to unmask]>> wrote: >> >> Hi, >> >> I posted the proposed sources here: >> >> https://bugzilla.redhat.com/show_bug.cgi?id=1591556 >> >> If there's anyone who can pickup the review and push it forward, it >> would be greatly appreciated. >> >> Brian >> >>> On Jun 14, 2018, at 10:15 AM, Andrew Hanushevsky >>> <[log in to unmask] <mailto:[log in to unmask]>> wrote: >>> >>> Yes, I think that Michal is blessed as of now (as long as he doesn't >>> make any mistakes :-). I suppose another reason to host it in the >>> xroot github repo under, say, xrootd-macaroons. >>> >>> Andy >>> >>> On Thu, 14 Jun 2018, Fabrizio Furano wrote: >>> >>>> Are you a blessed EPEL packager ? >>>> You need one to bless your package. Should not be difficult,as it's a >>>> plain library. >>>> >>>> I think Michal may have this kind of power. >>>> >>>> About Debian I don't know personally. So far we got the key components >>>> into it by courtesy (someone told me it was Mattias). I'd say that EPEL >>>> comes first. >>>> >>>> f >>>> >>>> On 14.06.18 16:57, Brian Bockelman wrote: >>>>> Hi, >>>>> >>>>> I can probably take care of this for EPEL, but I really have no >>>>> background in Debian. >>>>> >>>>> Assuming we could get at least that far, could we get things into >>>>> the main repo? >>>>> >>>>> Andy, your mention of "stock repos" was a bit ambiguous. Do you >>>>> consider EPEL a stock repo for RHEL-like platforms? >>>>> >>>>> Brian >>>>> >>>>>> On Jun 14, 2018, at 7:15 AM, Andrew Hanushevsky >>>>>> <[log in to unmask] <mailto:[log in to unmask]>> wrote: >>>>>> >>>>>> Hi Fabrizio, >>>>>> >>>>>> I totally agree. We will not enbed libmacroons source into the >>>>>> xroot repo simply to avoid this kind of mess (for us and everyone >>>>>> else :-). So, I urge that you or whomever you lean on, repackge >>>>>> libmacaroons into an EPEL-style package that we can use without >>>>>> ever looking at the source. >>>>>> >>>>>> Andy >>>>>> >>>>>> >>>>>> On Thu, 14 Jun 2018, Fabrizio Furano wrote: >>>>>> >>>>>>> Hi Andy, >>>>>>> >>>>>>> yes, development style is one thing, and so far the xrootd project >>>>>>> has been very clear on that. >>>>>>> >>>>>>> In this case I had DPM in mind, and its WebDAV frontend >>>>>>> already embedded the source of libmacaroons quite some time ago. >>>>>>> Now we are talking about embedding the code of libmacaroons also >>>>>>> in xrootd. >>>>>>> >>>>>>> The result would be to have potentially two different versions of >>>>>>> the same code in the same DPM system, coming from two different >>>>>>> frontends. >>>>>>> >>>>>>> It will work (I believe), yet the clean solution IMO is to properly >>>>>>> package libmacaroons into EPEL+debian, so that noone needs to >>>>>>> embed the code anymore. >>>>>>> >>>>>>> f >>>>>>> >>>>>>> >>>>>>> On 06/14/2018 12:01 PM, Andrew Hanushevsky wrote: >>>>>>>> Hi Fabrizio, >>>>>>>> >>>>>>>> I totally agree that having two source builds are a pain and >>>>>>>> should be avoided. I'm almost tempted to say should be prohibited. >>>>>>>> In the xroot case, it should be possible to develop a plugin by >>>>>>>> installing the rpms you are dependent on and restricting >>>>>>>> yourself to whatever public headers come with it. That's how >>>>>>>> it's done with all commonly used third party >>>>>>>> packages. If can't develop that way then something is >>>>>>>> fundamentally wrong and should be corrected. Doing it that way, >>>>>>>> avoids the >>>>>>>> exact problem you mention. So, I guess it comes down to how we >>>>>>>> enforce that kind of development style. Do you agree? >>>>>>>> >>>>>>>> Andy >>>>>>>> >>>>>>>> On Thu, 14 Jun 2018, Fabrizio Furano wrote: >>>>>>>> >>>>>>>>> Hi Andy, >>>>>>>>> >>>>>>>>> yes, that would be clean, and personally I would prefer to >>>>>>>>> have libmacaroons in the stock repos. >>>>>>>>> >>>>>>>>> The annoyance I'd like to avoid is that so far DPM builds >>>>>>>>> libmacaroons inside the source tree as an internal dep, >>>>>>>>> exactly as you describe, for using it inside Apache. It's there >>>>>>>>> since one year and a half... >>>>>>>>> >>>>>>>>> It would be quite annoying to have two versions of the same lib >>>>>>>>> built inside the source tree of two different frontends: >>>>>>>>> mod_lcgdm_dav >>>>>>>>> and xrootd >>>>>>>>> >>>>>>>>> This is why I'd prefer to investigate if we can organize an >>>>>>>>> "official" >>>>>>>>> publishing of libmacaroons, at least to epel and debian. This thing >>>>>>>>> has already been done in the past, and would represent to me the >>>>>>>>> cleanest scenario possible, or at least it would give the >>>>>>>>> possibility >>>>>>>>> of having a clean situation. >>>>>>>>> >>>>>>>>> ... thoughts? >>>>>>>>> >>>>>>>>> Cheers >>>>>>>>> Fabrizio >>>>>>>>> >>>>>>>>> >>>>>>>>> On 14.06.18 09:55, Andrew Hanushevsky wrote: >>>>>>>>>> In general, we do not add components to the main repo that >>>>>>>>>> depend on >>>>>>>>>> third party libraries that are not available in a stock >>>>>>>>>> system. The >>>>>>>>>> reasons for this should be obvious. The Macroon component is >>>>>>>>>> only one of >>>>>>>>>> several components that people are developing with third party >>>>>>>>>> dependencies. So we know we need to solve this problem. Our >>>>>>>>>> current >>>>>>>>>> thinking is to setup additional projects in the main xroot >>>>>>>>>> repo to host >>>>>>>>>> such developments and include them into our standard build >>>>>>>>>> pipeline. >>>>>>>>>> Doing this should solve the dependency issue as well as making it >>>>>>>>>> trivial to assign proper ownership so we aren't in the loop in >>>>>>>>>> terms of >>>>>>>>>> updates and whatever. However, we would package them and sites >>>>>>>>>> could >>>>>>>>>> install whatever they want via rpm. That way, those who wish >>>>>>>>>> to use a >>>>>>>>>> feature know ahead of time that there will be additional >>>>>>>>>> libraries that >>>>>>>>>> will be installed that we have no control over and may >>>>>>>>>> conflict with >>>>>>>>>> whatever they already have installed. >>>>>>>>>> >>>>>>>>>> This seems the like the cleanest approach to this issue and avoids >>>>>>>>>> leaving dead code in the main repo as these components come >>>>>>>>>> into and >>>>>>>>>> fall out of favor. Michal and I have to work on this as we >>>>>>>>>> don't it in >>>>>>>>>> place but should have a workable solution relatively soon. >>>>>>>>>> >>>>>>>>>> Andy >>>>>>>>>> >>>>>>>>>> On Wed, 13 Jun 2018, Fabrizio Furano wrote: >>>>>>>>>> >>>>>>>>>>> Hi Brian, >>>>>>>>>>> >>>>>>>>>>> true, macaroons are implemented by DPM and dcache. Having >>>>>>>>>>> them also in >>>>>>>>>>> xrootd >>>>>>>>>>> would be great. >>>>>>>>>>> >>>>>>>>>>> About the distribution, my personal preference is to have >>>>>>>>>>> these things >>>>>>>>>>> handy to >>>>>>>>>>> install and clean on the source tree, so I'd love to see >>>>>>>>>>> macaroons and >>>>>>>>>>> scitokens >>>>>>>>>>> in the Xrd codebase, respecting all the strict project rules >>>>>>>>>>> about >>>>>>>>>>> makefiles (e.g. turning off the component) and deps. >>>>>>>>>>> >>>>>>>>>>> What did you do for libmacaroons? Since it's not distributed, >>>>>>>>>>> we build >>>>>>>>>>> it with DPM so far. >>>>>>>>>>> Are you doing the same? >>>>>>>>>>> Maybe we want to find a volunteer packager that submits it to >>>>>>>>>>> epel/debian, etc. >>>>>>>>>>> and only then refine the details of a build with Xrd ? >>>>>>>>>>> >>>>>>>>>>> Fabrizio >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On 06/13/2018 04:08 PM, Brian Bockelman wrote: >>>>>>>>>>>> Hi, >>>>>>>>>>>> >>>>>>>>>>>> I have an initial (but functioning) support for Macaroons in >>>>>>>>>>>> Xrootd: >>>>>>>>>>>> >>>>>>>>>>>> https://github.com/bbockelm/xrootd-macaroons >>>>>>>>>>>> >>>>>>>>>>>> Macaroons are a symmetric-key-based token format. It allows an >>>>>>>>>>>> entity with access to the secret key generate a bearer token >>>>>>>>>>>> embedding one more "caveats" (rules for usage, such as >>>>>>>>>>>> restrictions >>>>>>>>>>>> on path, expiration time, or valid operations). The bearer >>>>>>>>>>>> of the token can add additional caveats (reducing >>>>>>>>>>>> permission) but >>>>>>>>>>>> doesn't have the ability to remove them. >>>>>>>>>>>> >>>>>>>>>>>> Anyone else with the secret key (such as the same host or >>>>>>>>>>>> another >>>>>>>>>>>> host in the cluster) can then verify the token as apply the >>>>>>>>>>>> authorization rules in the caveats. >>>>>>>>>>>> >>>>>>>>>>>> Why is this useful? A few cases: >>>>>>>>>>>> >>>>>>>>>>>> 1. Delegating fine-grained access: Rucio generates a token >>>>>>>>>>>> to access >>>>>>>>>>>> a single file at a site (using its X509 client cert to >>>>>>>>>>>> authenticate), then sends the token to an end-user. Hence, the >>>>>>>>>>>> end-user doesn't need to authenticate with the site (no user >>>>>>>>>>>> X509 necessary) in order to download files. The VO (ATLAS, via >>>>>>>>>>>> Rucio) can manage the fine-grained rights they delegate to the >>>>>>>>>>>> user -- even if the storage is run by the site. >>>>>>>>>>>> >>>>>>>>>>>> 2. Enabling third-party-copy: If client C wants server A to >>>>>>>>>>>> download >>>>>>>>>>>> from server B, the client can contact server B for a >>>>>>>>>>>> fine-grained access token and provide it to server A as part >>>>>>>>>>>> of the >>>>>>>>>>>> HTTP COPY request. >>>>>>>>>>>> - I suspect I'll get the first FTS3-based transfers working >>>>>>>>>>>> today. >>>>>>>>>>>> >>>>>>>>>>>> IIUC, Macaroons are implemented by dCache and DPM. I >>>>>>>>>>>> utilized the >>>>>>>>>>>> same caveat formats and API for requesting new tokens, but >>>>>>>>>>>> generally one would not expect tokens to be reusable across >>>>>>>>>>>> different >>>>>>>>>>>> implementations or site installations. >>>>>>>>>>>> >>>>>>>>>>>> Currently, the token is generated via a XrdHttp plugin but >>>>>>>>>>>> should be >>>>>>>>>>>> usable throughout the authorization framework; however, you >>>>>>>>>>>> need an encrypted channel between client and server to use >>>>>>>>>>>> it safely. >>>>>>>>>>>> >>>>>>>>>>>> The obvious question is "how does this differ from SciTokens"? >>>>>>>>>>>> - SciTokens are based on asymmetric (public key) >>>>>>>>>>>> cryptography whereas >>>>>>>>>>>> Macaroons are symmetric key. This means anyone can verify >>>>>>>>>>>> a SciToken but only the issuing entity can verify a Macaroon. >>>>>>>>>>>> - In the SciTokens model, the VO issues the authorization, >>>>>>>>>>>> which may >>>>>>>>>>>> be valid across many sites. The macaroon is specific to >>>>>>>>>>>> the site and requires an interaction with the site to generate. >>>>>>>>>>>> - Macaroons can be attenuated (made weaker) by the end-user. >>>>>>>>>>>> I can >>>>>>>>>>>> take a powerful macaroon and add additional limitations >>>>>>>>>>>> without contacting a third-party, then safely give the limited >>>>>>>>>>>> macaroon to another person if I desire. SciTokens can only be >>>>>>>>>>>> attenuated by contacting the VO to exchange the powerful one >>>>>>>>>>>> for a >>>>>>>>>>>> new one (hence, the VO always generates the token). >>>>>>>>>>>> >>>>>>>>>>>> Just as one uses a mix of asymmetric and symmetric cryptography >>>>>>>>>>>> throughout the course of the day, I see SciTokens and Macaroons >>>>>>>>>>>> as complementary approaches, each enabling some distinct and >>>>>>>>>>>> some >>>>>>>>>>>> common use cases. >>>>>>>>>>>> >>>>>>>>>>>> So - one natural question for me is whether this better >>>>>>>>>>>> lives inside >>>>>>>>>>>> the xrootd repository or standalone. Unlike SciTokens, the >>>>>>>>>>>> dependency stack for Macaroons is more manageable (a direct >>>>>>>>>>>> dependency on libmacaroons - >>>>>>>>>>>> https://github.com/rescrv/libmacaroons >>>>>>>>>>>> - and an indirect dependency on libbsd). This means >>>>>>>>>>>> upstreaming of >>>>>>>>>>>> the macaroons code is more approachable than the SciTokens >>>>>>>>>>>> code. Additionally, since the code includes both an issuer >>>>>>>>>>>> and a >>>>>>>>>>>> verifier, Macaroons are more immediately usable - no >>>>>>>>>>>> non-Xrootd services setup. >>>>>>>>>>>> >>>>>>>>>>>> Accordingly, I'm leaning to converting this into a module >>>>>>>>>>>> inside the >>>>>>>>>>>> xrootd repository. >>>>>>>>>>>> >>>>>>>>>>>> Thoughts? >>>>>>>>>>>> >>>>>>>>>>>> Brian >>>>>>>>>>>> >>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------- >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Use REPLY-ALL to reply to list >>>>>>>>>>>> >>>>>>>>>>>> To unsubscribe from the XROOTD-DEV list, click the following >>>>>>>>>>>> link: >>>>>>>>>>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1 >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> ######################################################################## >>>>>>>>>>> Use REPLY-ALL to reply to list >>>>>>>>>>> >>>>>>>>>>> To unsubscribe from the XROOTD-DEV list, click the following >>>>>>>>>>> link: >>>>>>>>>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1 >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> ######################################################################## >>>>>>>>>> Use REPLY-ALL to reply to list >>>>>>>>>> >>>>>>>>>> To unsubscribe from the XROOTD-DEV list, click the following link: >>>>>>>>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1 >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>> >>>>> >>>> >>>> >>>> >> >> >> ------------------------------------------------------------------------ >> >> Use REPLY-ALL to reply to list >> >> To unsubscribe from the XROOTD-DEV list, click the following link: >> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1 >> > > > ------------------------------------------------------------------------ > > Use REPLY-ALL to reply to list > > To unsubscribe from the XROOTD-DEV list, click the following link: > https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1 > ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1