> First, what is the actual contents of authinfo when a token is used to populate that field

Of course, currently there is nothing.  Here's how the fields are populated from an XrdSecEntity object (from https://github.com/xrootd/xrootd/blob/master/src/XrdXrootd/XrdXrootdXeq.cc#L4037-L4048):

```cpp
// Quoted from XrdXrootdXeq.cc: each authinfo field comes straight from the
// XrdSecEntity (Client), with NULL pointers rendered as empty strings.
snprintf(Buff,sizeof(Buff),
    "&p=%s&n=%s&h=%s&o=%s&r=%s&g=%s&m=%s%s&I=%c",
    Client->prot,
    (Client->name ? Client->name : ""),
    (Client->host ? Client->host : ""),
    (Client->vorg ? Client->vorg : ""),
    (Client->role ? Client->role : ""),
    (Client->grps ? Client->grps : ""),
    (Client->moninfo ? Client->moninfo : ""),
    (Entity.moninfo  ? Entity.moninfo  : ""),
    (clientPV & XrdOucEI::uIPv4 ? '4' : '6'));
```

For the XrdSciTokens plugin (https://github.com/xrootd/xrootd/blob/master/src/XrdSciTokens/XrdSciTokensAccess.cc#L453), here's what's in those fields:

- `prot`: Unfilled by plugin, I consider this owned by the authorization plugin (could be `ztn`, for example, or `https`).
- `name`: Unfilled by plugin.
   - Instead, `request.name` in extended attributes is set to the mapped username.
   - `token.subject` is set to the `sub` claim of the token.
- `host`: Unfilled by plugin, not relevant here.
- `vorg`: Set to the issuer (`iss` claim).
- `grps`: Set to the groups in the token (`wlcg.groups` for WLCG tokens).  Unused by macaroons plugin.
- `role`: Unused by the SciTokens and Macaroons plugin currently.
- `moninfo`: Unused by either plugin.

Here's what I'd propose for an authinfo for a request:

- `n`: Set to `request.name`.
- `o`: Set to issuer.
- `r`: Set to role if non-empty.
- `g`: Set to groups if non-empty.
- `m`: Set to `token.subject`.

This is to be taken from the `XrdSecEntity` object associated with the file-open request.  I'd propose it's only populated if the `request.name` extended attribute is set as that attribute indicates something occurred per-request.  Notably, `p` and `h` are not included.  So, for an existing token from the WLCG issuer, here's a proposed authinfo:

```
n=bbockelm&o=https://cms-auth.web.cern.ch&m=e608252d-e817-4071-b15c-1a72fe557b3f
```

About 80 characters total.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1987#issuecomment-1499088998
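The proposal above, worked through as an added example (not xrootd's code and not from the comment author): a builder that emits the per-request authinfo only when `request.name` is set, includes `r` and `g` only when non-empty, and a parser that reads the record back. The `TokenEntity` struct is a hypothetical stand-in for the XrdSecEntity fields and extended attributes named in the message; the rejection of values containing `&` or `=` is an assumption added here so one field can never be read back as two.

```cpp
#include <cassert>
#include <map>
#include <string>

// Hypothetical stand-in for the XrdSecEntity fields / extended attributes
// the proposal reads; field names follow the message, the struct is not xrootd's.
struct TokenEntity {
    std::string request_name;   // "request.name" extended attribute
    std::string token_subject;  // "token.subject" extended attribute (sub claim)
    std::string vorg;           // issuer (iss claim)
    std::string role;
    std::string grps;           // groups (e.g. wlcg.groups)
};

// Append one key=value pair. Assumption added here: a value carrying the
// record's own delimiters is refused rather than written into the record.
static bool appendField(std::string& out, char key, const std::string& value) {
    if (value.find_first_of("&=") != std::string::npos) return false;
    if (!out.empty()) out += '&';
    out += key; out += '='; out += value;
    return true;
}

// Build the proposed authinfo: n, o, m always; r and g only if non-empty;
// p and h omitted. Empty result when request.name is unset (nothing happened
// per-request) or when a value failed the delimiter check.
std::string buildAuthInfo(const TokenEntity& e) {
    if (e.request_name.empty()) return "";
    std::string out;
    bool ok = appendField(out, 'n', e.request_name)
           && appendField(out, 'o', e.vorg)
           && (e.role.empty() || appendField(out, 'r', e.role))
           && (e.grps.empty() || appendField(out, 'g', e.grps))
           && appendField(out, 'm', e.token_subject);
    return ok ? out : "";
}

// Split the record back into key -> value, as a monitoring consumer would.
std::map<std::string, std::string> parseAuthInfo(const std::string& info) {
    std::map<std::string, std::string> fields;
    size_t pos = 0;
    while (pos <= info.size()) {
        size_t amp = info.find('&', pos);
        if (amp == std::string::npos) amp = info.size();
        std::string kv = info.substr(pos, amp - pos);
        size_t eq = kv.find('=');
        if (eq != std::string::npos) fields[kv.substr(0, eq)] = kv.substr(eq + 1);
        pos = amp + 1;
    }
    return fields;
}
```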