WLCG JWT profile storage.* scope improvements (issue #21)

Audience and global XRootD redirector (CMS AAA)
- Did CMS decide not to use audience at all / to use just one "CMS" value in the aud claim for services hosted by different providers?
  - No "CMS"-specific audience - plan to use the generic https://wlcg.cern.ch/jwt/v1/any
    - useful for reading, together with the storage.read:/ scope in the token
    - write tokens should always use the precise audience scheme://fqdn:port
  - Policy for audiences on the IAM side in future - issue with not very high priority
  - Support for the generic https://wlcg.cern.ch/jwt/v1/any audience is not optional for a service (WLCG JWT profile)
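The audience rules above, written out as a storage-side check. This is an added example, not code from the meeting or from any WLCG or storage project; it assumes storage.modify/storage.create are the write-capable scope prefixes and, as a local policy, that a generic-audience token carrying write scopes is refused because write tokens are expected to name the precise service audience.

```python
# Added example (not from the meeting notes or any WLCG/storage project code):
# a storage-side audience check that applies the audience policy discussed above.
# Assumptions: the write-capable scope prefixes are storage.modify/storage.create,
# and a service refuses a generic-audience token that carries write scopes,
# since the notes say write tokens should use the precise audience.

WLCG_ANY_AUD = "https://wlcg.cern.ch/jwt/v1/any"
WRITE_SCOPE_PREFIXES = ("storage.modify:", "storage.create:")


def token_audiences(claims: dict) -> list:
    """Return the aud claim as a list (JWT allows a bare string or an array)."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def has_write_scope(claims: dict) -> bool:
    """True if any space-separated scope grants write access."""
    return any(s.startswith(WRITE_SCOPE_PREFIXES)
               for s in claims.get("scope", "").split())


def audience_accepted(claims: dict, service_aud: str) -> bool:
    """Decide whether this endpoint (identified by service_aud, in the precise
    scheme://fqdn:port form) accepts the token's audience."""
    auds = token_audiences(claims)
    if service_aud in auds:
        return True                     # precise audience names this service
    if WLCG_ANY_AUD in auds:
        # generic audience: services must accept it (WLCG JWT profile), but
        # under the assumed local policy only for tokens without write scopes
        return not has_write_scope(claims)
    return False                        # missing aud, or aud for another service


if __name__ == "__main__":
    # Constructed sample claims, as a validator would see them after signature
    # and expiry checks; the service hostname is made up.
    me = "https://se.example.org:8443"
    samples = {
        "read_any": {"aud": WLCG_ANY_AUD, "scope": "storage.read:/"},
        "write_precise": {"aud": [me], "scope": "storage.modify:/store"},
        "write_any": {"aud": WLCG_ANY_AUD, "scope": "storage.read:/ storage.modify:/store"},
    }
    for name, claims in samples.items():
        print(name, audience_accepted(claims, me))
```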
StoRM config documentation for WLCG compliance tests

TLS configuration for xroots protocol
- Support for the xroots:// protocol should be included in our configuration examples
  - Be ready not only for DC24 HTTP-TPC with tokens; the SE should also be ready for tests with jobs
- XRootD
  - XRootD client receives from storage: Authentication is required: &P=gsi,v:10600,c:ssl,ca:8d33f237.0|dec71a0b.0&P=ztn,0:4096:
    - XRootD client asks for an X.509 proxy even with BEARER_TOKEN set in the environment - no proxy & token => access denied
    - Even weirder behavior with gfal2 => more operations => more X.509 cert+key password prompts
  - Fixed by changing the order of the sec.protocol configuration (ztn, gsi)
    - XRootD client now receives from storage: Authentication is required: &P=ztn,0:4096:&P=gsi,v:10600,c:ssl,ca:8d33f237.0|dec71a0b.0
- dCache (host certificate required for all xroot doors)
  - 7.x - can be configured on a dedicated port: xrootd.plugins=gplazma:ztn,authz:scitokens
  - 8.x - available with the default configuration: xrootd.plugins=gplazma:gsi,gplazma:ztn,gplazma:none,authz:scitokens
    - XRootD client receives from storage: Authentication is required: &P=ztn,0:4096:&P=unix&P=gsi,v:10400,c:ssl,ca:dec71a0b
    - XRootD client asks for an X.509 proxy even with BEARER_TOKEN set in the environment - the operation then succeeds even without an X.509 proxy and token (or with a bad token)
  - Better configuration for the X.509 to tokens transition: xrootd.plugins=gplazma:ztn,gplazma:gsi,authz:scitokens
    - Authentication is required: &P=ztn,0:4096:&P=gsi,v:10400,c:ssl,ca:dec71a0b
    - Tries the WLCG JWT token first with fallback to the X.509 proxy
      - fallback works when there is no token and also for a bad token
    - gplazma:none is necessary for third-party copy
  - There is an environment variable that stops the XRootD client from asking for a password for a missing X.509 proxy: export XrdSecGSICREATEPROXY=0
  - dCache team is going to discuss whether token should be first in the default dCache configuration
    - WLCG prefers token first with fallback to X.509
- gfal2 currently rejects the roots:// scheme
  - we can't rely on the root:// protocol and just hope TLS was negotiated before sending the token
  - TLS for tokens is not yet enforced in the XRootD client, details in xrootd#1842
    - fixed in the develop branch & testing repo
- EOS is not currently implementing the ZTN protocol (EOS-5460)