I have an XRootD proxy server using ztn and a scitoken mapfile. I see this in the proxy log:

```
221206 09:31:31 3355724 scitokens_Access: Trying token-based access control
221206 09:31:31 3355724 scitokens_Access: Cached token mapped_username=, subject=REDACTED-SUBJECT, issuer=REDACTED-ISSUER, authorizations=/PATH:read,dir,stat,create,mkdir,mv,insert,update,chmod,del
221206 09:31:31 3355724 scitokens_Access: Grant authorization based on scopes for operation=create, path=/PATH/fff
221206 09:31:31 3355724 scitokens_Access: Request username USERNAME
```

I use sss with an "anybody" and "anygroup" key, and `pss.persona client` to pass along the username to the origin.

I expected to see the mapped username on the origin, but instead I get the token subject. On the origin:

`221206 15:00:02 2365770 XrootdXeq: U1.3361370:23@dtn2201 pub IP46 login as REDACTED-SUBJECT via sss auth for USER.214883:32@HOST`

I would like to handle all the authorization decisions at the proxy, then pass the mapped unix usernames (via sss) to the origin so that I can have a set of unix accounts to separate ownership on the origin (it is running the MultiUser plugin).

Everything seems to work except for getting the username from the mapfile over sss to the origin. Is this possible?




-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1851