This ACC (authorization) plugin for the Xrootd framework utilizes the SciTokens library to validate and extract authorization claims from a SciToken passed during a transfer.
Configured appropriately, this allows the Xrootd server admin to delegate authorization decisions for a subset of the namespace to an external issuer. For example, this would allow LIGO to decide the read/write authorizations for pieces of the LIGO namespace.
To load the plugin, add the following lines to your Xrootd configuration file:
ofs.authorize
ofs.authlib libXrdAccSciTokens.so
# Pass the bearer token to the Xrootd authorization framework.
http.header2cgi Authorization authz
Restart the Xrootd service. The SciTokens plugin in the ofs.authlib line additionally can take a
parameter to specify the configuration file:
ofs.authlib libXrdAccSciTokens.so config=/path/to/config/file
If not given, it defaults to /etc/xrootd/scitokens.cfg. Restart the service for new settings to take effect.
The SciTokens configuration file (default: /etc/xrootd/scitokens.cfg) specifies the recognized
issuers and maps them to the Xrootd namespace. It uses the popular INI-format. Here is an example
entry:
[Global]
audience = test_server
[Issuer OSG-Connect]
issuer = https://scitokens.org/osg-connect
base_path = /stash
map_subject = True
default_user = osg
name_mapfile = /path/to/mapfile
Within the Global section, the available attributes are:
-
audience(optional): A comma separated list of acceptable audiences. The tokens must have anaudattribute that exactly matches this value -
audience_json(optional): JSON string or list specifying the acceptable audiences. This audience option will allow commas and spaces within the audience.audience_jsontakes precedence overaudience. -
onmissing(optional): The behavior for the plugin when a token is not present or the token does not authorize the requested action. Valid values are:passthrough: Invoke the next configured authorization plugin.allow: Immediately authorize the request. This may be useful when the XRootD authorization is supposed to always succeed because authorization is implemented in the filesystem (note this plugin may still update the internal credential with useful information for the filesystem to make a decision).deny: Immediately deny the request.
If the token is present and valid, then the internal XRootD credential will be populated with any present group or issuer information from the token. The username is only populated if either scope-based mapping or the mapfile-based approach is successful.
Each section name specifying a new issuer MUST be prefixed with Issuer. Known attributes
are:
issuer(required): The URI of the token issuer; this must match the value of the corresponding claim int the token.base_path(required): The paths any token authorizations are relative to; a comma-separated list is permitted.restricted_path(optional): Any restrictions on the paths the issuer can authorize inside their namespace. This meant to be a mechanism to help with transitions, where the local site storage is setup such that an issuer's namespace contains directories that should not be managed by the issuer.map_subject(optional): Defaults tofalse; if set totrue, any contents of thesubclaim will be copied into the Xrootd username. When combined with the xrootd-multiuser plugin, this will allow the Xrootd daemon to write out files utilizing the Unix username specified by the VO in the token. Except in narrow use cases, the default offalseis sufficient.default_user(optional): If set, then all authorized operations will be done under the provided username when interacting with the filesystem. This is useful in the case where the administrator desires that all files owned by an issuer should be mapped to a particular Unix user account at the site.name_mapfile(options): If set, then the referenced file is parsed as a JSON object and the specified mappings are applied to the username inside the XRootD framework. See below for more information on the mapfile.
WLCG tokens can contain either group- or scope-based attributes. The scope-based attributes specify a path the user is allowed to access (relative to one of the base paths). If a request is permitted via a scope-based attribute, then it is approved immediately by the plugin.
If there is a group-based attribute, then the contents are copied into XRootD's internal credential. The plugin does
not necessarily immediately authorize (see the onmissing attribute) but rather can be used by a further authorization
plugin.
The file specified by the name_mapfile attribute can be used to perform identity mapping for a given issuer.
It must parse as valid JSON and may look like this:
[ {"sub": "bbockelm", "path": "/home/bbockelm", "result": "bbockelm"}, {"group": "/cms/prod", "path": "/cms", "result": "cmsprod" comment="Added 1 Sept 2020"}, {"group": "/cms", "result": "cmsuser"}, {"group": "/cms", "result": "atlas" ignore="Only for testing"} ]
That is, we have a JSON list of objects; each object is interpreted as a rule. For an incoming request to match a rule,
each present attribute must evaluate to true. In this case, the value of the result key is populated as the username
in the XRootD internal credential.
The enumerated keys are:
sub: True if thesubclaim in the token matches the value in the mapfile (case-sensitive comparison).path: True iff the value of the attribute matches (case-sensitive) the prefix of the (normalized) requested path. For example, if the issuer's base path is/home, the operation is accessing/home/bbockelm/foo, and the path in the rule is/bbockelm, then this attribute evaluates totrue. Note the path value and the requested path must be normalized; if presented with/home//bbockelm/, then this is treated as if/home/bbockelmwas given.group: Case-sensitive match against one of the groups in the token.ignore: If present (regardless of the value), the rule is ignored.comment: Ignored; reserved for adding comments from the administrator.
Unknown keys are ignored.