First, what are the actual contents of authinfo when a token is used to populate that field?
Of course, currently there is nothing. Here's how the fields are populated from an XrdSecEntity object (from https://github.com/xrootd/xrootd/blob/master/src/XrdXrootd/XrdXrootdXeq.cc#L4037-L4048):

    snprintf(Buff,sizeof(Buff),
             "&p=%s&n=%s&h=%s&o=%s&r=%s&g=%s&m=%s%s&I=%c",
             Client->prot,
             (Client->name ? Client->name : ""),
             (Client->host ? Client->host : ""),
             (Client->vorg ? Client->vorg : ""),
             (Client->role ? Client->role : ""),
             (Client->grps ? Client->grps : ""),
             (Client->moninfo ? Client->moninfo : ""),
             (Entity.moninfo ? Entity.moninfo : ""),
             (clientPV & XrdOucEI::uIPv4 ? '4' : '6')
            );

For the XrdSciTokens plugin (https://github.com/xrootd/xrootd/blob/master/src/XrdSciTokens/XrdSciTokensAccess.cc#L453), here's what's in those fields:

- prot: Unfilled by plugin, I consider this owned by the authorization plugin (could be ztn, for example, or https).
- name: Unfilled by plugin.
  - request.name in extended attributes is set to the mapped username.
  - token.subject is set to the sub claim of the token.
- host: Unfilled by plugin, not relevant here.
- vorg: Set to the issuer (iss claim)
- grps: Set to the groups in the token (wlcg.groups for WLCG tokens). Unused by macaroons plugin.
- role: Unused by the SciTokens and Macaroons plugin currently.
- moninfo: Unused by either plugin.

Here's what I'd propose for an authinfo for a request:

- n: Set to request.name.
- o: Set to issuer
- r: Set to role if non-empty.
- g: Set to groups if non-empty.
- m: Set to token.subject.

This is to be taken from the XrdSecEntity object associated with the file-open request. I'd propose it's only populated if the request.name extended attribute is set as that attribute indicates something occurred per-request. Notably, p and h are not included. So, for an existing token from the WLCG issuer, here's a proposed authinfo:

n=bbockelm&o=https://cms-auth.web.cern.ch&m=e608252d-e817-4071-b15c-1a72fe557b3f
About 80 characters total.
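
Added example, not part of the message above and not XRootD code: a sketch of the proposed per-request authinfo layout, including the "only if request.name is set" and "omit r and g when empty" rules. `EntityView` and `buildTokenAuthInfo` are hypothetical names; `EntityView` is a stand-in for the XrdSecEntity fields and extended attributes the proposal reads, and the sample values are the ones from the message plus a constructed group.

```cpp
#include <iostream>
#include <map>
#include <string>

// Hypothetical stand-in for the XrdSecEntity data the proposal uses;
// this is not the XRootD type. attrs models the extended attributes.
struct EntityView {
    std::string vorg;   // issuer (iss claim)
    std::string role;   // currently unused by the token plugins
    std::string grps;   // groups from the token (wlcg.groups for WLCG)
    std::map<std::string, std::string> attrs;
};

// Build the proposed authinfo. Returns an empty string when request.name
// is absent, because the proposal populates the field only in that case.
// p and h are deliberately left out. Values are emitted verbatim, as in
// the existing snprintf; the message defines no escaping for '&' or '='.
std::string buildTokenAuthInfo(const EntityView &e)
{
    auto name = e.attrs.find("request.name");
    if (name == e.attrs.end() || name->second.empty()) return "";

    std::string out = "n=" + name->second + "&o=" + e.vorg;
    if (!e.role.empty()) out += "&r=" + e.role;
    if (!e.grps.empty()) out += "&g=" + e.grps;

    auto sub = e.attrs.find("token.subject");
    out += "&m=" + (sub == e.attrs.end() ? std::string() : sub->second);
    return out;
}

int main()
{
    EntityView e;
    e.vorg = "https://cms-auth.web.cern.ch";
    e.attrs["request.name"]  = "bbockelm";
    e.attrs["token.subject"] = "e608252d-e817-4071-b15c-1a72fe557b3f";

    std::string info = buildTokenAuthInfo(e);
    std::cout << info << " (" << info.size() << " chars)\n";

    e.grps = "/cms";  // constructed sample group
    std::cout << buildTokenAuthInfo(e) << "\n";
    return 0;
}
```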