Hi, On 20.06.18 12:56, Paul Millar wrote: > Hi Fabrizio, > > On 20/06/18 11:48, Fabrizio Furano wrote: >> Paul, surely it's available in DPM 1.10 (latest in epel) > > Excellent. > > Could you say which option needs tweaking in order to enable the support? > > The DPM v1.10 release notes don't seem to mention macaroons much. indeed, we don't consider them a released feature ready for prime time. Eventually they will. To enable then, one needs to make sure that the Apache config contains: - (in the Location match for /dpm) NSMacaroonSecret <secret> - SSLVerifyClient must be "optional" Cheers Fabrizio > >> It may be available on slightly older DPMs if the sysadmin has >> upgraded the HTTP frontend alone (lcgdm-dav 0.20). Needless to say, >> I don't encourage package alchemies in prod setups. > > :-D > >> About the authentication, I take the statement "every authenticated >> client", >> which in our world may mean X509, X509/VOMS > > Yes, it includes X.509. For dCache, this is also true for > OpenID-Connect, Kerberos, username+password and macaroons. > > (You can even use a macaroon when requesting a fresh macaroon.) > > I'm working on adding SciToken support now. > >> That was for generating. I am a bit puzzled about authorization. Really >> you don't apply any kind of authorization to generate a macaroon? Do you >> check everything only when a macaroon is received? > > Yes, beyond a global enable/disable switch. > > The CPU cost of generating a macaroon is rather trivial. > > In the Birgisson et al paper, they measured the crypo overhead of > minting a macaroon (in Python) at 20 µs, plus 55 µs per caveat. For > comparison they measured RSA keygen (as used by SciToken) as taking 54 > ms (54000 µs) in OpenSSL. So a typical macaroon is about two orders of > magnitude faster to generate than an RSA key-pair. > > There's no problem with multiple requests filling up any storage: > typically macaroons share the same secret. > > It doesn't authorise users to do anything they can't already do, > especially with X.509 proxies. > > For example, consider a user that generates and emails a friend a > macaroon that grants the bearer the ability to read some data. > > That user could email their friend an X.509 proxy. > > Failing that, they could even download the data and simply email it to > their friend. > > At least with macaroons, the user can limit activity to reading data (no > deletion) and only a specific portion of the namespace. > >> For the records, the DPM implementation is considered experimental >> because it may miss something... however it's good to gain experience. > > Agreed. > > Cheers, > > Paul. ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1