
Hi Bryan,

Give this a go....

https://xrootd.slac.stanford.edu/doc/dev54/sec_config.htm#_Toc79102015

The configuration for sss will be somewhat different as you're trying to
delegate the original client's credentials.

Andy


On Tue, 6 Dec 2022, Bryan Hess wrote:

> I have an XRootD proxy server using ztn and a scitoken mapfile. I see this in the proxy log:
>
> ```
> 221206 09:31:31 3355724 scitokens_Access: Trying token-based access control
> 221206 09:31:31 3355724 scitokens_Access: Cached token mapped_username=, subject=REDACTED-SUBJECT, issuer=REDACTED-ISSUER, authorizations=/PATH:read,dir,stat,create,mkdir,mv,insert,update,chmod,del
> 221206 09:31:31 3355724 scitokens_Access: Grant authorization based on scopes for operation=create, path=/PATH/fff
> 221206 09:31:31 3355724 scitokens_Access: Request username USERNAME
> ```
>
> I use sss with an "anybody" and "anygroup" key, and `pss.persona client` to pass along the username to the origin.
>
> I expected to see the mapped username on the origin, but instead I get the token subject. On the origin:
>
> `221206 15:00:02 2365770 XrootdXeq: ***@***.*** pub IP46 login as REDACTED-SUBJECT via sss auth for ***@***.***`
>
> I would like to handle all the authorization decisions at the proxy, then pass the mapped unix usernames (via sss) to the origin so that I can have a set of unix accounts to separate ownership on the origin (It is running the MultiUser plugin).
>
> Everything seems to work except for getting the username from the mapfile over sss to the origin. Is this possible?
>
>
>
>
> --
> Reply to this email directly or view it on GitHub:
> https://github.com/xrootd/xrootd/issues/1851
> You are receiving this because you are subscribed to this thread.

