WLCG JWTs specify `storage.create` and `storage.modify` claims, which are currently both interpreted as the same set of "write permissions" in the existing code:
https://github.com/xrootd/xrootd/blob/5babd8c81c6ec201a265cb8f1d66064d2128dd68/src/XrdSciTokens/XrdSciTokensAccess.cc#L705-L713
This relies on the translation done here:
https://github.com/scitokens/scitokens-cpp/blob/3b36ea8c38539b1ed8dcfcf63494829852034b93/src/scitokens_internal.cpp#L611-L616

This violates the WLCG JWT specification, which differentiates between `create` (which must not allow replacing, deleting or overwriting data) and `modify` (which is a superset allowing that). Renaming a file (without overwriting an existing one) is allowed by `storage.create`. The driving use case is stage-out of data from jobs on a worker node (which should only have `storage.create` but not `storage.modify`).

This currently breaks JWT Compliance tests as outlined in:
https://github.com/indigo-iam/wlcg-jwt-compliance-tests/issues/34#issuecomment-1069437945
(i.e. the test `storage.create does not allow overwriting files` fails). 

@bbockelm already mentioned this requirement in the commit message here:
https://github.com/xrootd/xrootd-scitokens/commit/e3fe21991058dc74e2922f3f48919db8515a494e

I'm not sure about the best way to implement this without breaking the use case for SciTokens — while `scitokens-cpp` exposes `create`, `modify` and `write`, in case the token was a SciToken and not a WLCG token, I believe only `write` will arrive in the ACL list, while for a WLCG token, both will arrive. So a simple change of the `if` / `else` ladder is not sufficient, and I wonder whether a new config parameter to decide whether the SciToken interpretation or the WLCG interpretation should be used is needed — or whether there is a better way.

@bbockelm Any proposal (or maybe even solution / code) already in mind? 

-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1655
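The claim semantics the issue asks for, as an added stand-alone example (not XRootD or scitokens-cpp code): `storage.create` admits new files and non-clobbering renames only, `storage.modify` is the superset that also admits overwrite and delete, and a legacy SciToken `write` keeps its existing full-write meaning. The `:/path` resource suffix stripping and the `parse_scope`/`authorize` names are assumptions of this example.

```cpp
#include <sstream>
#include <string>

// Storage operations an authorizer must decide on for a WLCG or SciToken bearer.
enum class Op { ReadFile, CreateFile, OverwriteFile, DeleteFile, RenameNoClobber, RenameClobber };

// Claims as they arrive from the token scope. WLCG tokens carry storage.create /
// storage.modify separately; a SciToken carries only a single "write" (per the issue).
struct Claims { bool read = false, create = false, modify = false, legacy_write = false; };

// Parse a space-separated scope string. Assumption: a ":/path" resource suffix may
// follow each WLCG claim and is stripped here (path restriction not modelled).
Claims parse_scope(const std::string& scope) {
    Claims c;
    std::istringstream in(scope);
    std::string tok;
    while (in >> tok) {
        std::string name = tok.substr(0, tok.find(':'));
        if (name == "storage.read" || name == "read") c.read = true;
        else if (name == "storage.create") c.create = true;
        else if (name == "storage.modify") c.modify = true;
        else if (name == "write") c.legacy_write = true;  // SciToken: full write semantics
    }
    return c;
}

// create: new files and renames that do not replace an existing target.
// modify: superset of create that also permits overwrite, delete and clobbering renames.
bool authorize(const Claims& c, Op op) {
    switch (op) {
        case Op::ReadFile:        return c.read;
        case Op::CreateFile:
        case Op::RenameNoClobber: return c.create || c.modify || c.legacy_write;
        case Op::OverwriteFile:
        case Op::DeleteFile:
        case Op::RenameClobber:   return c.modify || c.legacy_write;
    }
    return false;
}

int main() {
    // Constructed stage-out token: a worker-node job may write new output but never clobber.
    Claims job = parse_scope("storage.read:/ storage.create:/data/out");
    return (authorize(job, Op::CreateFile) && !authorize(job, Op::OverwriteFile)) ? 0 : 1;
}
```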