WLCG JWTs specify storage.create and storage.modify claims, which are currently both interpreted as the same set of "write permissions" in the existing code:
https://github.com/xrootd/xrootd/blob/5babd8c81c6ec201a265cb8f1d66064d2128dd68/src/XrdSciTokens/XrdSciTokensAccess.cc#L705-L713
This relies on the translation done here:
https://github.com/scitokens/scitokens-cpp/blob/3b36ea8c38539b1ed8dcfcf63494829852034b93/src/scitokens_internal.cpp#L611-L616

This violates the WLCG JWT specification, which differentiates between create (which must not allow replacing, deleting or overwriting data) and modify (which is a superset allowing that). Renaming a file (without overwriting an existing one) is allowed by storage.create. The driving use case is stage-out of data from jobs on a worker node (which should only have storage.create but not storage.modify).

This currently breaks the JWT compliance tests as outlined in:
indigo-iam/wlcg-jwt-compliance-tests#34 (comment)
(i.e. the test "storage.create does not allow overwriting files" fails).

@bbockelm already mentioned this requirement in the commit message here:
xrootd/xrootd-scitokens@e3fe219

I'm not sure about the best way to implement this without breaking the use case for SciTokens. While scitokens-cpp exposes create, modify and write, in case the token was a SciToken and not a WLCG token, I believe only write will arrive in the ACL list, while for a WLCG token, both will arrive. So a simple change of the if/else ladder is not sufficient, and I wonder whether a new config parameter to decide whether the SciToken interpretation or the WLCG interpretation should be used is needed, or whether there is a better way.

@bbockelm Any proposal (or maybe even solution / code) already in mind?
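As an added example (not part of the post above, and not code from xrootd or scitokens-cpp), here is a small C++ authorizer that keeps storage.create and storage.modify distinct in the way the issue describes: create covers writing a new file and renaming onto a name that does not exist, while overwrite, delete and rename-onto-existing require modify. All names (Scope, Op, parseScopes, isAllowed, isRenameAllowed) are invented for illustration. Two assumptions are baked in and marked in the comments: the SciTokens "write" scope is treated as the full write set, and a rename must carry permission on both the source and the destination path.

```cpp
// Added example: WLCG storage.* scope -> operation mapping. Not xrootd code.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Operations a storage endpoint has to authorize.
enum class Op { Read, Create, Overwrite, Delete };

// One entry of the space-separated "scope" claim, e.g. "storage.create:/store/user".
struct Scope {
    std::string name;  // storage.read, storage.create, storage.modify, write, ...
    std::string path;  // path prefix the scope applies to; "/" if none given
};

// Parse the scope claim. A scope without ":/path" applies to the whole namespace.
std::vector<Scope> parseScopes(const std::string& claim) {
    std::vector<Scope> out;
    std::istringstream in(claim);
    std::string tok;
    while (in >> tok) {
        Scope s;
        auto colon = tok.find(':');
        if (colon == std::string::npos) {
            s.name = tok;
            s.path = "/";
        } else {
            s.name = tok.substr(0, colon);
            s.path = tok.substr(colon + 1);
        }
        if (s.path.empty()) s.path = "/";
        // Normalize a trailing slash so "/store/" and "/store" match the same way.
        while (s.path.size() > 1 && s.path.back() == '/') s.path.pop_back();
        out.push_back(s);
    }
    return out;
}

// True if `path` equals `root` or lies under it on a path-component boundary,
// so that "/store/user/alice" does not cover "/store/user/alice2/x".
bool underPath(const std::string& root, const std::string& path) {
    if (path.empty() || path[0] != '/') return false;
    if (root == "/") return true;
    if (path.compare(0, root.size(), root) != 0) return false;
    return path.size() == root.size() || path[root.size()] == '/';
}

// Which scope names satisfy an operation. storage.create never covers
// Overwrite or Delete; storage.modify is a superset of storage.create.
// Assumption: the SciTokens "write" scope grants the full write set, as the
// existing single "write permission" bucket does today.
bool scopeCovers(const std::string& name, Op op) {
    switch (op) {
        case Op::Read:
            return name == "storage.read" || name == "read";
        case Op::Create:
            return name == "storage.create" || name == "storage.modify" || name == "write";
        case Op::Overwrite:
        case Op::Delete:
            return name == "storage.modify" || name == "write";
    }
    return false;
}

bool isAllowed(const std::vector<Scope>& scopes, Op op, const std::string& path) {
    for (const auto& s : scopes)
        if (scopeCovers(s.name, op) && underPath(s.path, path)) return true;
    return false;
}

// Rename: allowed under storage.create only when the destination does not
// already exist; renaming onto an existing file is an overwrite.
// Assumption: the token must cover both source and destination paths.
bool isRenameAllowed(const std::vector<Scope>& scopes, const std::string& src,
                     const std::string& dst, bool dstExists) {
    if (!isAllowed(scopes, Op::Create, src)) return false;
    return isAllowed(scopes, dstExists ? Op::Overwrite : Op::Create, dst);
}

int main() {
    // Constructed sample: a stage-out token for a worker-node job.
    auto scopes = parseScopes("storage.read:/ storage.create:/store/user/alice");
    const std::string f = "/store/user/alice/out.root";
    std::cout << "create    " << isAllowed(scopes, Op::Create, f) << '\n'
              << "overwrite " << isAllowed(scopes, Op::Overwrite, f) << '\n'
              << "delete    " << isAllowed(scopes, Op::Delete, f) << '\n';
    return 0;
}
```

Running the block with the constructed stage-out token prints 1 for create and 0 for overwrite and delete; swapping storage.create for storage.modify in the claim makes all three 1, which is exactly the distinction the compliance test "storage.create does not allow overwriting files" checks for.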