LISTSERV 16.5 - XROOTD-DEV Archives

Hi Fabrizio,

If we want to use macaroons for TPC, I think we need to allow any authenticated user to generate a macaroon.  No?

As far as I can tell, this is what dCache does when its macaroons are enabled.

Brian

> On Jun 20, 2018, at 3:34 AM, Fabrizio Furano <[log in to unmask]> wrote:
> 
> Hi,
> 
> slightly OT, may I know what are the actual desiderata for
> a macaroon-based system ?
> 
> As I was mentioning, DPM has the macaroons code in the
> frontend (disabled by default), yet we consider it experimental.
> 
> Which authentication/authorization criteria may have to
> be applied to generate a macaroon? What does dCache do for example?
> 
> Thanks
> Fabrizio
> 
> 
> 
> On 17.06.18 06:01, Brian Bockelman wrote:
>> Hi,
>> 
>> The package has moved to testing:
>> - Fedora 28: https://bodhi.fedoraproject.org/updates/FEDORA-2018-9e2640da1e
>> - EPEL
>> 7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-3b68fe0e41
>> 
>> If folks could please take some time to review and test it, it'll help
>> reduce the 2 week waiting period.
>> 
>> Regardless, on the timescale of the next Xrootd release, libmacaroons
>> should be present on at least a subset of the production platforms.
>> 
>> Brian
>> 
>>> On Jun 14, 2018, at 9:23 PM, Brian Bockelman <[log in to unmask]
>>> <mailto:[log in to unmask]>> wrote:
>>> 
>>> Hi,
>>> 
>>> I posted the proposed sources here:
>>> 
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1591556
>>> 
>>> If there's anyone who can pickup the review and push it forward, it
>>> would be greatly appreciated.
>>> 
>>> Brian
>>> 
>>>> On Jun 14, 2018, at 10:15 AM, Andrew Hanushevsky
>>>> <[log in to unmask] <mailto:[log in to unmask]>> wrote:
>>>> 
>>>> Yes, I think that Michal is blessed as of now (as long as he doesn't
>>>> make any mistakes :-). I suppose another reason to host it in the
>>>> xroot github repo under, say, xrootd-macaroons.
>>>> 
>>>> Andy
>>>> 
>>>> On Thu, 14 Jun 2018, Fabrizio Furano wrote:
>>>> 
>>>>> Are you a blessed EPEL packager ?
>>>>> You need one to bless your package. Should not be difficult,as it's a
>>>>> plain library.
>>>>> 
>>>>> I think Michal may have this kind of power.
>>>>> 
>>>>> About Debian I don't know personally. So far we got the key components
>>>>> into it by courtesy (someone told me it was Mattias). I'd say that EPEL
>>>>> comes first.
>>>>> 
>>>>> f
>>>>> 
>>>>> On 14.06.18 16:57, Brian Bockelman wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> I can probably take care of this for EPEL, but I really have no
>>>>>> background in Debian.
>>>>>> 
>>>>>> Assuming we could get at least that far, could we get things into
>>>>>> the main repo?
>>>>>> 
>>>>>> Andy, your mention of "stock repos" was a bit ambiguous.  Do you
>>>>>> consider EPEL a stock repo for RHEL-like platforms?
>>>>>> 
>>>>>> Brian
>>>>>> 
>>>>>>> On Jun 14, 2018, at 7:15 AM, Andrew Hanushevsky
>>>>>>> <[log in to unmask] <mailto:[log in to unmask]>> wrote:
>>>>>>> 
>>>>>>> Hi Fabrizio,
>>>>>>> 
>>>>>>> I totally agree. We will not enbed libmacroons source into the
>>>>>>> xroot repo simply to avoid this kind of mess (for us and everyone
>>>>>>> else :-). So, I urge that you or whomever you lean on, repackge
>>>>>>> libmacaroons into an EPEL-style package that we can use without
>>>>>>> ever looking at the source.
>>>>>>> 
>>>>>>> Andy
>>>>>>> 
>>>>>>> 
>>>>>>> On Thu, 14 Jun 2018, Fabrizio Furano wrote:
>>>>>>> 
>>>>>>>> Hi Andy,
>>>>>>>> 
>>>>>>>> yes, development style is one thing, and so far the xrootd project
>>>>>>>> has been very clear on that.
>>>>>>>> 
>>>>>>>> In this case I had DPM in mind, and its WebDAV frontend
>>>>>>>> already embedded the source of libmacaroons quite some time ago.
>>>>>>>> Now we are talking about embedding the code of libmacaroons also
>>>>>>>> in xrootd.
>>>>>>>> 
>>>>>>>> The result would be to have potentially two different versions of
>>>>>>>> the same code in the same DPM system, coming from two different
>>>>>>>> frontends.
>>>>>>>> 
>>>>>>>> It will work (I believe), yet the clean solution IMO is to properly
>>>>>>>> package libmacaroons into EPEL+debian, so that noone needs to
>>>>>>>> embed the code anymore.
>>>>>>>> 
>>>>>>>> f
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 06/14/2018 12:01 PM, Andrew Hanushevsky wrote:
>>>>>>>>> Hi Fabrizio,
>>>>>>>>> 
>>>>>>>>> I totally agree that having two source builds are a pain and
>>>>>>>>> should be avoided. I'm almost tempted to say should be prohibited.
>>>>>>>>> In the xroot case, it should be possible to develop a plugin by
>>>>>>>>> installing the rpms you are dependent on and restricting
>>>>>>>>> yourself to whatever public headers come with it. That's how
>>>>>>>>> it's done with all commonly used third party
>>>>>>>>> packages. If can't develop that way then something is
>>>>>>>>> fundamentally wrong and should be corrected. Doing it that way,
>>>>>>>>> avoids the
>>>>>>>>> exact problem you mention. So, I guess it comes down to how we
>>>>>>>>> enforce that kind of development style. Do you agree?
>>>>>>>>> 
>>>>>>>>> Andy
>>>>>>>>> 
>>>>>>>>> On Thu, 14 Jun 2018, Fabrizio Furano wrote:
>>>>>>>>> 
>>>>>>>>>> Hi Andy,
>>>>>>>>>> 
>>>>>>>>>> yes, that would be clean, and personally I would prefer to
>>>>>>>>>> have libmacaroons in the stock repos.
>>>>>>>>>> 
>>>>>>>>>> The annoyance I'd like to avoid is that so far DPM builds
>>>>>>>>>> libmacaroons inside the source tree as an internal dep,
>>>>>>>>>> exactly as you describe, for using it inside Apache. It's there
>>>>>>>>>> since one year and a half...
>>>>>>>>>> 
>>>>>>>>>> It would be quite annoying to have two versions of the same lib
>>>>>>>>>> built inside the source tree of two different frontends:
>>>>>>>>>> mod_lcgdm_dav
>>>>>>>>>> and xrootd
>>>>>>>>>> 
>>>>>>>>>> This is why I'd prefer to investigate if we can organize an
>>>>>>>>>> "official"
>>>>>>>>>> publishing of libmacaroons, at least to epel and debian. This thing
>>>>>>>>>> has already been done in the past, and would represent to me the
>>>>>>>>>> cleanest scenario possible, or at least it would give the
>>>>>>>>>> possibility
>>>>>>>>>> of having a clean situation.
>>>>>>>>>> 
>>>>>>>>>> ... thoughts?
>>>>>>>>>> 
>>>>>>>>>> Cheers
>>>>>>>>>> Fabrizio
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> On 14.06.18 09:55, Andrew Hanushevsky wrote:
>>>>>>>>>>> In general, we do not add components to the main repo that
>>>>>>>>>>> depend on
>>>>>>>>>>> third party libraries that are not available in a stock
>>>>>>>>>>> system. The
>>>>>>>>>>> reasons for this should be obvious. The Macroon component is
>>>>>>>>>>> only one of
>>>>>>>>>>> several components that people are developing with third party
>>>>>>>>>>> dependencies. So we know we need to solve this problem. Our
>>>>>>>>>>> current
>>>>>>>>>>> thinking is to setup additional projects in the main xroot
>>>>>>>>>>> repo to host
>>>>>>>>>>> such developments and include them into our standard build
>>>>>>>>>>> pipeline.
>>>>>>>>>>> Doing this should solve the dependency issue as well as making it
>>>>>>>>>>> trivial to assign proper ownership so we aren't in the loop in
>>>>>>>>>>> terms of
>>>>>>>>>>> updates and whatever. However, we would package them and sites
>>>>>>>>>>> could
>>>>>>>>>>> install whatever they want via rpm. That way, those who wish
>>>>>>>>>>> to use a
>>>>>>>>>>> feature know ahead of time that there will be additional
>>>>>>>>>>> libraries that
>>>>>>>>>>> will be installed that we have no control over and may
>>>>>>>>>>> conflict with
>>>>>>>>>>> whatever they already have installed.
>>>>>>>>>>> 
>>>>>>>>>>> This seems the like the cleanest approach to this issue and avoids
>>>>>>>>>>> leaving dead code in the main repo as these components come
>>>>>>>>>>> into and
>>>>>>>>>>> fall out of favor. Michal and I have to work on this as we
>>>>>>>>>>> don't it in
>>>>>>>>>>> place but should have a workable solution relatively soon.
>>>>>>>>>>> 
>>>>>>>>>>> Andy
>>>>>>>>>>> 
>>>>>>>>>>> On Wed, 13 Jun 2018, Fabrizio Furano wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> Hi Brian,
>>>>>>>>>>>> 
>>>>>>>>>>>> true, macaroons are implemented by DPM and dcache. Having
>>>>>>>>>>>> them also in
>>>>>>>>>>>> xrootd
>>>>>>>>>>>> would be great.
>>>>>>>>>>>> 
>>>>>>>>>>>> About the distribution, my personal preference is to have
>>>>>>>>>>>> these things
>>>>>>>>>>>> handy to
>>>>>>>>>>>> install and clean on the source tree, so I'd love to see
>>>>>>>>>>>> macaroons and
>>>>>>>>>>>> scitokens
>>>>>>>>>>>> in the Xrd codebase, respecting all the strict project rules
>>>>>>>>>>>> about
>>>>>>>>>>>> makefiles (e.g. turning off the component) and deps.
>>>>>>>>>>>> 
>>>>>>>>>>>> What did you do for libmacaroons? Since it's not distributed,
>>>>>>>>>>>> we build
>>>>>>>>>>>> it with DPM so far.
>>>>>>>>>>>> Are you doing the same?
>>>>>>>>>>>> Maybe we want to find a volunteer packager that submits it to
>>>>>>>>>>>> epel/debian, etc.
>>>>>>>>>>>> and only then refine the details of a build with Xrd ?
>>>>>>>>>>>> 
>>>>>>>>>>>> Fabrizio
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> On 06/13/2018 04:08 PM, Brian Bockelman wrote:
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I have an initial (but functioning) support for Macaroons in
>>>>>>>>>>>>> Xrootd:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> https://github.com/bbockelm/xrootd-macaroons
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Macaroons are a symmetric-key-based token format.  It allows an
>>>>>>>>>>>>> entity with access to the secret key generate a bearer token
>>>>>>>>>>>>> embedding one more "caveats" (rules for usage, such as
>>>>>>>>>>>>> restrictions
>>>>>>>>>>>>> on path, expiration time, or valid operations).  The bearer
>>>>>>>>>>>>> of the token can add additional caveats (reducing
>>>>>>>>>>>>> permission) but
>>>>>>>>>>>>> doesn't have the ability to remove them.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Anyone else with the secret key (such as the same host or
>>>>>>>>>>>>> another
>>>>>>>>>>>>> host in the cluster) can then verify the token as apply the
>>>>>>>>>>>>> authorization rules in the caveats.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Why is this useful?  A few cases:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 1.  Delegating fine-grained access: Rucio generates a token
>>>>>>>>>>>>> to access
>>>>>>>>>>>>> a single file at a site (using its X509 client cert to
>>>>>>>>>>>>> authenticate), then sends the token to an end-user.  Hence, the
>>>>>>>>>>>>> end-user doesn't need to authenticate with the site (no user
>>>>>>>>>>>>> X509 necessary) in order to download files.  The VO (ATLAS, via
>>>>>>>>>>>>> Rucio) can manage the fine-grained rights they delegate to the
>>>>>>>>>>>>> user -- even if the storage is run by the site.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 2.  Enabling third-party-copy: If client C wants server A to
>>>>>>>>>>>>> download
>>>>>>>>>>>>> from server B, the client can contact server B for a
>>>>>>>>>>>>> fine-grained access token and provide it to server A as part
>>>>>>>>>>>>> of the
>>>>>>>>>>>>> HTTP COPY request.
>>>>>>>>>>>>>  - I suspect I'll get the first FTS3-based transfers working
>>>>>>>>>>>>> today.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> IIUC, Macaroons are implemented by dCache and DPM.  I
>>>>>>>>>>>>> utilized the
>>>>>>>>>>>>> same caveat formats and API for requesting new tokens, but
>>>>>>>>>>>>> generally one would not expect tokens to be reusable across
>>>>>>>>>>>>> different
>>>>>>>>>>>>> implementations or site installations.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Currently, the token is generated via a XrdHttp plugin but
>>>>>>>>>>>>> should be
>>>>>>>>>>>>> usable throughout the authorization framework; however, you
>>>>>>>>>>>>> need an encrypted channel between client and server to use
>>>>>>>>>>>>> it safely.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> The obvious question is "how does this differ from SciTokens"?
>>>>>>>>>>>>> - SciTokens are based on asymmetric (public key)
>>>>>>>>>>>>> cryptography whereas
>>>>>>>>>>>>> Macaroons are symmetric key.  This means anyone can verify
>>>>>>>>>>>>> a SciToken but only the issuing entity can verify a Macaroon.
>>>>>>>>>>>>> - In the SciTokens model, the VO issues the authorization,
>>>>>>>>>>>>> which may
>>>>>>>>>>>>> be valid across many sites.  The macaroon is specific to
>>>>>>>>>>>>> the site and requires an interaction with the site to generate.
>>>>>>>>>>>>> - Macaroons can be attenuated (made weaker) by the end-user.
>>>>>>>>>>>>>  I can
>>>>>>>>>>>>> take a powerful macaroon and add additional limitations
>>>>>>>>>>>>> without contacting a third-party, then safely give the limited
>>>>>>>>>>>>> macaroon to another person if I desire.  SciTokens can only be
>>>>>>>>>>>>> attenuated by contacting the VO to exchange the powerful one
>>>>>>>>>>>>> for a
>>>>>>>>>>>>> new one (hence, the VO always generates the token).
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Just as one uses a mix of asymmetric and symmetric cryptography
>>>>>>>>>>>>> throughout the course of the day, I see SciTokens and Macaroons
>>>>>>>>>>>>> as complementary approaches, each enabling some distinct and
>>>>>>>>>>>>> some
>>>>>>>>>>>>> common use cases.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> So - one natural question for me is whether this better
>>>>>>>>>>>>> lives inside
>>>>>>>>>>>>> the xrootd repository or standalone.  Unlike SciTokens, the
>>>>>>>>>>>>> dependency stack for Macaroons is more manageable (a direct
>>>>>>>>>>>>> dependency on libmacaroons -
>>>>>>>>>>>>> https://github.com/rescrv/libmacaroons
>>>>>>>>>>>>> - and an indirect dependency on libbsd).  This means
>>>>>>>>>>>>> upstreaming of
>>>>>>>>>>>>> the macaroons code is more approachable than the SciTokens
>>>>>>>>>>>>> code.  Additionally, since the code includes both an issuer
>>>>>>>>>>>>> and a
>>>>>>>>>>>>> verifier, Macaroons are more immediately usable - no
>>>>>>>>>>>>> non-Xrootd services setup.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Accordingly, I'm leaning to converting this into a module
>>>>>>>>>>>>> inside the
>>>>>>>>>>>>> xrootd repository.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Thoughts?
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Brian
>>>>>>>>>>>>> 
>>>>>>>>>>>>> --------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Use REPLY-ALL to reply to list
>>>>>>>>>>>>> 
>>>>>>>>>>>>> To unsubscribe from the XROOTD-DEV list, click the following
>>>>>>>>>>>>> link:
>>>>>>>>>>>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> ########################################################################
>>>>>>>>>>>> Use REPLY-ALL to reply to list
>>>>>>>>>>>> 
>>>>>>>>>>>> To unsubscribe from the XROOTD-DEV list, click the following
>>>>>>>>>>>> link:
>>>>>>>>>>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> ########################################################################
>>>>>>>>>>> Use REPLY-ALL to reply to list
>>>>>>>>>>> 
>>>>>>>>>>> To unsubscribe from the XROOTD-DEV list, click the following link:
>>>>>>>>>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>> 
>>> 
>>> ------------------------------------------------------------------------
>>> 
>>> Use REPLY-ALL to reply to list
>>> 
>>> To unsubscribe from the XROOTD-DEV list, click the following link:
>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>>> 
>> 
>> 
>> ------------------------------------------------------------------------
>> 
>> Use REPLY-ALL to reply to list
>> 
>> To unsubscribe from the XROOTD-DEV list, click the following link:
>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>> 
> 
> 


########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1