WLCG JWTs specify storage.create and storage.modify claims, which are currently both interpreted as the same set of "write permissions" in the existing code:
https://github.com/xrootd/xrootd/blob/5babd8c81c6ec201a265cb8f1d66064d2128dd68/src/XrdSciTokens/XrdSciTokensAccess.cc#L705-L713
This relies on the translation done here:
https://github.com/scitokens/scitokens-cpp/blob/3b36ea8c38539b1ed8dcfcf63494829852034b93/src/scitokens_internal.cpp#L611-L616

This violates the WLCG JWT specification, which differentiates between create (which must not allow replacing, deleting or overwriting data) and modify (which is a superset that does allow that). Renaming a file (without overwriting an existing one) is allowed by storage.create. The driving use case is stage-out of data from jobs on a worker node (which should only have storage.create but not storage.modify).

This currently breaks JWT Compliance tests as outlined in:
indigo-iam/wlcg-jwt-compliance-tests#34 (comment)
(i.e. the test storage.create does not allow overwriting files fails).

@bbockelm already mentioned this requirement in the commit message here:
xrootd/xrootd-scitokens@e3fe219

I'm not sure about the best way to implement this without breaking the use case for SciTokens. While scitokens-cpp exposes create, modify and write, in case the token was a SciToken and not a WLCG token, I believe only write will arrive in the ACL list, while for a WLCG token, both will arrive. So a simple change of the if / else ladder is not sufficient, and I wonder whether a new config parameter to decide whether the SciToken interpretation or the WLCG interpretation should be used is needed, or whether there is a better way.

@bbockelm Any proposal (or maybe even solution / code) already in mind?
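As an added illustration of the semantics the issue describes (not code from xrootd or scitokens-cpp), the following constructed C++ model takes the ACL strings scitokens-cpp hands back ("read", "write", "create", "modify") plus a hypothetical config switch, and decides individual storage requests so that a stage-out token carrying only storage.create can create new files and rename without clobbering but cannot overwrite or delete, while a SciTokens-style "write" entry keeps its full legacy meaning. The enum, `Config` and `is_authorized` are assumptions for this example, not XRootD's API:

```cpp
#include <iostream>
#include <set>
#include <string>

// Constructed request kinds, split on the one property that matters here:
// whether an existing object would be replaced or removed.
enum class Request { Read, CreateNew, Overwrite, Delete, RenameNoClobber, RenameClobber };

struct Config {
    // true:  WLCG interpretation, storage.create != storage.modify
    // false: legacy interpretation, create is treated like modify / write
    bool wlcg_create_semantics;
};

// 'acl' holds the authorization strings scitokens-cpp emits for the token.
// Returns true if the request is permitted under the chosen interpretation.
bool is_authorized(Request req, const std::set<std::string>& acl, const Config& cfg) {
    const bool read   = acl.count("read")   > 0;
    const bool write  = acl.count("write")  > 0;  // SciTokens-style 'write'
    const bool modify = acl.count("modify") > 0;  // WLCG storage.modify
    const bool create = acl.count("create") > 0;  // WLCG storage.create

    // Full write set: legacy 'write', WLCG 'modify', or 'create' when the
    // legacy interpretation is configured (today's collapsed behaviour).
    const bool full_write = write || modify || (create && !cfg.wlcg_create_semantics);
    // Create-only set: new objects and renames that do not replace anything.
    const bool create_only = create || full_write;

    switch (req) {
        case Request::Read:            return read;
        case Request::CreateNew:       return create_only;
        case Request::RenameNoClobber: return create_only;
        case Request::Overwrite:       return full_write;
        case Request::Delete:          return full_write;
        case Request::RenameClobber:   return full_write;
    }
    return false;
}

int main() {
    // Constructed ACL for a worker-node stage-out token: storage.create only.
    const std::set<std::string> stage_out = {"create"};
    const Config wlcg{true}, legacy{false};

    std::cout << "WLCG   create-new: " << is_authorized(Request::CreateNew, stage_out, wlcg)
              << " overwrite: "        << is_authorized(Request::Overwrite, stage_out, wlcg) << '\n';
    std::cout << "legacy create-new: " << is_authorized(Request::CreateNew, stage_out, legacy)
              << " overwrite: "        << is_authorized(Request::Overwrite, stage_out, legacy) << '\n';
    return 0;
}
```

Under the WLCG setting the compliance-test case from the issue (storage.create must not overwrite) passes, and a token that only ever yields "write" is unaffected because "write" is evaluated independently of the switch.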

Message ID: <xrootd/xrootd/issues/1655@github.com>