
Hi David,
I had a similar issue at RAL before. I solved it by putting any non-url type audience at the start of the audience. In your case, try to set it as:
audience=umiss005.hep.olemiss.edu,https://wlcg.cern.ch/jwt/v1/any
Regards,
Jyothish
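
As an added illustration of the check under discussion (this is not the xrootd-scitokens plugin's code, and it does not model the ordering workaround above): a reference implementation of matching a token's "aud" claim, which RFC 7519 allows to be a single string or a list of strings, against the comma-separated "audience = ..." line in scitokens.conf. The audience values are the ones from this thread; the function names, the sample claims and the unsigned demo token are constructed for the example. The payload decoder deliberately skips signature verification and exists only to inspect what oidc-token put into the token.

```python
import base64
import json

# Added example, not xrootd-scitokens code. Models the audience check a
# service performs: the token's "aud" claim (a string or a list of strings,
# RFC 7519 section 4.1.3) must share at least one value with the audiences
# listed in the "audience = ..." line of scitokens.conf.

WLCG_ANY = "https://wlcg.cern.ch/jwt/v1/any"  # WLCG profile's "any resource" audience


def parse_audience_line(value):
    """Split the value of 'audience = ...' on commas, trimming whitespace and dropping blanks."""
    return [a.strip() for a in value.split(",") if a.strip()]


def token_audiences(claims):
    """Normalise the aud claim to a list; an absent aud yields an empty list."""
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud must be a string or a list of strings")


def audience_ok(claims, configured):
    """True if at least one audience in the token is one the service is configured to accept.

    A token carrying no aud at all is rejected here: with nothing to compare,
    the service cannot tell whether the token was meant for it."""
    accepted = set(parse_audience_line(configured))
    return any(a in accepted for a in token_audiences(claims))


def decode_payload(jwt):
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    Inspection only (e.g. to see which aud oidc-token produced); never
    authorize anything on the basis of an unverified payload."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding the encoder stripped
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_token(claims):
    """Constructed, UNSIGNED token (alg none, empty signature) used only to
    exercise decode_payload offline; a real issuer signs its tokens."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    conf = "https://wlcg.cern.ch/jwt/v1/any,umiss005.hep.olemiss.edu"
    samples = [
        WLCG_ANY,                                   # generic WLCG audience
        "umiss005.hep.olemiss.edu",                 # the SE's FQDN, as in the --aud example
        ["other.example.org", "umiss005.hep.olemiss.edu"],  # list form, one match
        "other.example.org",                        # wrong audience
        None,                                       # no aud claim at all
    ]
    for aud in samples:
        claims = {"sub": "test_dsanders", "scope": "storage.read:/"}
        if aud is not None:
            claims["aud"] = aud
        print(aud, "->", audience_ok(claims, conf))
    tok = make_unsigned_token({"aud": "umiss005.hep.olemiss.edu", "scope": "storage.read:/"})
    print("decoded aud:", decode_payload(tok)["aud"])
```

To compare against a real token from oidc-token, pass the value of BEARER_TOKEN to decode_payload and feed the result to audience_ok together with the audience line from the [Issuer ...] section that matches the token's iss claim; the matching must be exact, so a stray space or scheme prefix in either place is enough to make it fail.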

From: [log in to unmask] <[log in to unmask]> On Behalf Of Fabio Andrijauskas
Sent: Friday, February 2, 2024 7:25 AM
To: David Sanders <[log in to unmask]>
Cc: [log in to unmask]
Subject: Re: Problems with the scitokens "audience" feature.

Hi David,

  During the token creation, add the AUD information. I think the scitoken lib requires this field.

--
Fábio Andrijauskas


On Thu, Feb 1, 2024 at 2:54 PM David Sanders <[log in to unmask]> wrote:
Dear Colleagues:

I run an OSG Tier-3 here at the University of Mississippi. I am running xrootd on our Storage Element as multi-user because we are serving a few VOs, primarily CMS and BELLE (for the Belle II experiment). A week or 2 ago the CMS rucio team requested that I add the line “audience = https://wlcg.cern.ch/jwt/v1/any,umiss005.hep.olemiss.edu” to our scitokens.conf file. (umiss005.hep.olemiss.edu is the FQDN of our Storage Element). When someone uses a command like this they can read my files:
$export BEARER_TOKEN=$(oidc-token --scope=offline_access --scope=storage.read:/ --time=3600 test_dsanders)
However when they use a command like this it fails with a permissions error:
$export BEARER_TOKEN=$(oidc-token --aud=umiss005.hep.olemiss.edu --scope=offline_access --scope=storage.read:/ --time=3600 test_dsanders)

Please see the GGUS ticket: https://ggus.eu/index.php?mode=ticket_info&ticket_id=164957

Can you please give me some suggestions about how to get the “audience” token working in xrootd. The part of my scitokens.conf file that should apply is:

[Issuer CMS_IAM]
issuer = https://cms-auth.web.cern.ch/
audience = https://wlcg.cern.ch/jwt/v1/any,umiss005.hep.olemiss.edu
###audience = https://wlcg.cern.ch/jwt/v1/any
base_path = /cms
map_subject = False
default_user = uscms01
###name_mapfile = /etc/xrootd/scitokens_mapfile_cms.json

Best regards,

David Sanders


________________________________

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1