Hi Bryan,
Give this a go....
https://xrootd.slac.stanford.edu/doc/dev54/sec_config.htm#_Toc79102015
The configuration for sss will be somewhat different as you're trying to
delegate the original client's credentials.
Andy
On Tue, 6 Dec 2022, Bryan Hess wrote:
> I have an XRootD proxy server using ztn and a scitoken mapfile. I see this in the proxy log:
>
> ```
> 221206 09:31:31 3355724 scitokens_Access: Trying token-based access control
> 221206 09:31:31 3355724 scitokens_Access: Cached token mapped_username=, subject=REDACTED-SUBJECT, issuer=REDACTED-ISSUER, authorizations=/PATH:read,dir,stat,create,mkdir,mv,insert,update,chmod,del
> 221206 09:31:31 3355724 scitokens_Access: Grant authorization based on scopes for operation=create, path=/PATH/fff
> 221206 09:31:31 3355724 scitokens_Access: Request username USERNAME
> ```
>
> I use sss with an "anybody" and "anygroup" key, and `pss.persona client` to pass along the username to the origin.
>
> I expected to see the mapped username on the origin, but instead I get the token subject. On the origin:
>
> `221206 15:00:02 2365770 XrootdXeq: ***@***.*** pub IP46 login as REDACTED-SUBJECT via sss auth for ***@***.***`
>
> I would like to handle all the authorization decisions at the proxy, then pass the mapped unix usernames (via sss) to the origin so that I can have a set of unix accounts to separate ownership on the origin (it is running the MultiUser plugin).
>
> Everything seems to work except for getting the username from the mapfile over sss to the origin. Is this possible?
>
> https://github.com/xrootd/xrootd/issues/1851
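Andy's link above points at the sss section of the security configuration reference; the open question in Bryan's message is whether the username the proxy maps from the token reaches the origin over sss. As an added example, not code from this thread or from XRootD, here is a small Python checker that parses the two kinds of log lines quoted above (the proxy's scitokens_Access lines and the origin's XrootdXeq login line) and flags the symptom described: an empty mapped_username on the cached-token line, and an origin sss login whose identity equals the token subject rather than the proxy's request username. It also re-checks the granted operation against the scopes the proxy logged for the token. The log lines are constructed from the posted ones with made-up subject, issuer and host values; the authorizations field is parsed as a single path:ops entry because that is all the posted line shows; proxy and origin lines are correlated by identity only, since nothing in the posted logs ties them together.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on the ones posted in the thread. The
# REDACTED-* placeholders and GitHub's ***@***.*** redaction are replaced with
# made-up values; none of these are real subjects, issuers or hosts.
PROXY_LOG = """\
221206 09:31:31 3355724 scitokens_Access: Trying token-based access control
221206 09:31:31 3355724 scitokens_Access: Cached token mapped_username=, subject=a1b2c3d4, issuer=https://issuer.example.org, authorizations=/PATH:read,dir,stat,create,mkdir,mv,insert,update,chmod,del
221206 09:31:31 3355724 scitokens_Access: Grant authorization based on scopes for operation=create, path=/PATH/fff
221206 09:31:31 3355724 scitokens_Access: Request username USERNAME
"""

ORIGIN_LOG = """\
221206 15:00:02 2365770 XrootdXeq: proxy.4512:28@proxy.example.org pub IP46 login as a1b2c3d4 via sss auth for proxy.4512:28@proxy.example.org
"""

# "YYMMDD HH:MM:SS <pid> <message>" prefix shared by both log kinds.
LINE_RE = re.compile(r"^(?P<date>\d{6}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<pid>\d+) (?P<msg>.*)$")
CACHED_RE = re.compile(r"^scitokens_Access: Cached token (?P<fields>.+)$")
GRANT_RE = re.compile(r"^scitokens_Access: Grant authorization .*operation=(?P<op>\w+), path=(?P<path>\S+)$")
REQUSER_RE = re.compile(r"^scitokens_Access: Request username (?P<user>\S+)$")
# "XrootdXeq: <conn> pub IP46 login as <identity> via <protocol> auth ..."
LOGIN_RE = re.compile(r"^XrootdXeq: (?P<conn>\S+) \S+ \S+ login as (?P<ident>\S+) via (?P<proto>\S+) auth")


@dataclass
class ProxyRequest:
    """What the scitokens plugin logged for one request, keyed by the log pid."""
    pid: str
    mapped_username: str = ""
    subject: str = ""
    issuer: str = ""
    authorizations: dict = field(default_factory=dict)  # path -> set of ops
    operation: str = ""
    path: str = ""
    request_username: str = ""


def parse_cached_fields(text):
    # Fields are separated by ", "; the op list inside authorizations uses
    # bare commas, so splitting on ", " keeps it intact.
    out = {}
    for item in text.split(", "):
        key, _, value = item.partition("=")
        out[key] = value
    return out


def parse_authorizations(value):
    # Assumption: one "path:op,op,..." entry, as in the posted line.
    path, _, ops = value.partition(":")
    return {path: set(filter(None, ops.split(",")))} if path else {}


def parse_proxy_log(text):
    requests = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        req = requests.setdefault(m["pid"], ProxyRequest(pid=m["pid"]))
        msg = m["msg"]
        c = CACHED_RE.match(msg)
        g = GRANT_RE.match(msg)
        u = REQUSER_RE.match(msg)
        if c:
            f = parse_cached_fields(c["fields"])
            req.mapped_username = f.get("mapped_username", "")
            req.subject = f.get("subject", "")
            req.issuer = f.get("issuer", "")
            req.authorizations = parse_authorizations(f.get("authorizations", ""))
        elif g:
            req.operation, req.path = g["op"], g["path"]
        elif u:
            req.request_username = u["user"]
    return list(requests.values())


def parse_origin_logins(text):
    logins = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        l = LOGIN_RE.match(m["msg"]) if m else None
        if l:
            logins.append({"identity": l["ident"], "protocol": l["proto"], "connection": l["conn"]})
    return logins


def check_identity_forwarding(requests, logins):
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    for req in requests:
        if req.request_username and not req.mapped_username:
            findings.append(f"pid {req.pid}: cached token has an empty mapped_username "
                            f"although the request username is {req.request_username}")
        # Was the granted operation actually covered by a scope on a prefix of the path?
        covered = set()
        for apath, aops in req.authorizations.items():
            if req.path == apath or req.path.startswith(apath.rstrip("/") + "/"):
                covered |= aops
        if req.operation and req.operation not in covered:
            findings.append(f"pid {req.pid}: operation {req.operation} on {req.path} "
                            f"granted but not covered by the token's authorizations")
        for login in logins:
            if login["protocol"] != "sss":
                continue
            if req.request_username and login["identity"] == req.subject \
                    and login["identity"] != req.request_username:
                findings.append(f"pid {req.pid}: origin logged in '{login['identity']}' "
                                f"(the token subject) over sss instead of the mapped "
                                f"username {req.request_username}")
    return findings


if __name__ == "__main__":
    for finding in check_identity_forwarding(parse_proxy_log(PROXY_LOG),
                                             parse_origin_logins(ORIGIN_LOG)):
        print(finding)
```

Run it against the two sample logs and it reports the two observations Bryan made by hand: the cached-token line carries no mapped username, and the identity the origin accepted over sss is the token subject, not USERNAME. Feeding it a proxy log and origin log from a real deployment is a quick way to confirm whether a configuration change has made the mapped username arrive at the origin.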