First, what is the actual contents of authinfo when a token is used to populate that field

Of course, currently there is nothing. Here's how the fields are populated from a XrdSecEntity object (from https://github.com/xrootd/xrootd/blob/master/src/XrdXrootd/XrdXrootdXeq.cc#L4037-L4048):

snprintf(Buff,sizeof(Buff),
    "&p=%s&n=%s&h=%s&o=%s&r=%s&g=%s&m=%s%s&I=%c",
    Client->prot,
    (Client->name ? Client->name : ""),
    (Client->host ? Client->host : ""),
    (Client->vorg ? Client->vorg : ""),
    (Client->role ? Client->role : ""),
    (Client->grps ? Client->grps : ""),
    (Client->moninfo ? Client->moninfo : ""),
    (Entity.moninfo  ? Entity.moninfo  : ""),
    (clientPV & XrdOucEI::uIPv4 ? '4' : '6')

For the XrdSciTokens plugin (https://github.com/xrootd/xrootd/blob/master/src/XrdSciTokens/XrdSciTokensAccess.cc#L453), here's what's in those fields:

prot: Unfilled by plugin, I consider this owned by the authorization plugin (could be ztn, for example, or https).
name: Unfilled by plugin.
- Instead, request.name in extended attributes is set to the mapped username.
- token.subject is set to the sub claim of the token.
host: Unfilled by plugin, not relevant here.
vorg: Set to the issuer (iss claim)
grps: Set to the groups in the token (wlcg.groups for WLCG tokens). Unused by macaroons plugin.
role: Unused by the SciTokens and Macaroons plugin currently.
moninfo: Unused by either plugin.

Here's what I'd propose for an authinfo for a request:

n: Set to request.name.
o: Set to issuer
r: Set to role if non-empty.
g: Set to groups if non-empty.
m: Set to token.subject.

This is to be taken from the XrdSecEntity object associated with the file-open request. I'd propose it's only populated if the request.name extended attribute is set as that attribute indicates something occurred per-request. Notably, p and h are not included. So, for an existing token from the WLCG issuer, here's a proposed authinfo:

n=bbockelm&o=https://cms-auth.web.cern.ch&m=e608252d-e817-4071-b15c-1a72fe557b3f

About 80 characters total.

—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.

[ { "@context": "http://schema.org", "@type": "EmailMessage", "potentialAction": { "@type": "ViewAction", "target": "https://github.com/xrootd/xrootd/issues/1987#issuecomment-1499088998", "url": "https://github.com/xrootd/xrootd/issues/1987#issuecomment-1499088998", "name": "View Issue" }, "description": "View this Issue on GitHub", "publisher": { "@type": "Organization", "name": "GitHub", "url": "https://github.com" } } ]

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1