Dear Experts,
EOS seems to ignore the "scope" set in SciTokens when using the mapfile (https://github.com/xrootd/xrootd/tree/master/src/XrdSciTokens).
Illustration:
scitokens.cfg:
[Global]
audience = https://wlcg.cern.ch/jwt/v1/any
[Issuer OSG-Connect]
issuer = https://my-iam.domain.com
base_path = /
map_subject = true
default_user = telecast
name_mapfile = /etc/xrootd/mapfile
mapfile:
[ {"group": "/eos", "result": "telecast"} ]
Token: # echo $(cat /tmp/bt_u333) | cut -d. -f2 | base64 --decode | jq .
{
"wlcg.ver": "1.0",
"sub": "325b2a1a-7053-49a7-af00-fbfd4c1e9b01",
"aud": "https://wlcg.cern.ch/jwt/v1/any",
"nbf": 1660720240,
"scope": "openid offline_access profile storage.read:/eos/user/t/telecast/ email wlcg wlcg.groups",
"iss": "https://my-iam.domain.com",
"exp": 1660723840,
"iat": 1660720240,
"jti": "c3b966ba-ed52-49ec-858b-41fb8e31a4bf",
"client_id": "ffb17627-4b5f-4ed4-9e5c-f9935e5cca94",
"wlcg.groups": [
"/eos"
]
}
I tried to write the file (I expect the system to reject the operation and return error #403 token authorization failed):
curl -k -v -L -X PUT -H "Authorization: Bearer $(cat /tmp/bt_u333)" --upload-file file https://vm-eos.domain.com:9000/eos/user/t/telecast/file
Result: the file is completely uploaded into the directory (???)
> User-Agent: curl/7.29.0
> Host: vm3-eos-fst0.jinr.ru:9001
> Accept: */*
> Content-Length: 20
> Expect: 100-continue
< HTTP/1.1 100 Continue
< Connection: Close
< Date: Wed, 17 Aug 2022 08:00:06 GMT
* We are completely uploaded and fine
< HTTP/1.1 201 CREATED
< Connection: Keep-Alive
< Content-Length: 0
< Date: Wed, 17 Aug 2022 08:00:06 GMT
Installed EOS packages:
[root@vm1-eos-mgm1 ~]# rpm -qa | grep eos
eos-libmicrohttpd-0.9.38-eos.el7.cern.x86_64
eos-folly-deps-2019.11.11.00-1.el7.cern.x86_64
eos-grpc-devel-1.41.0-1.el7.x86_64
eos-rocksdb-6.2.4-1.el7.cern.x86_64
eos-client-5.0.31-1.el7.cern.x86_64
eos-server-5.0.31-1.el7.cern.x86_64
eos-nginx-1.12.2-5.x86_64
eos-protobuf3-3.17.3-1.el7.cern.eos.x86_64
eos-richacl-1.12-14.el7.cern.x86_64
eos-grpc-1.41.0-1.el7.x86_64
eos-fusex-core-5.0.31-1.el7.cern.x86_64
eos-ns-inspect-5.0.31-1.el7.cern.x86_64
libmicrohttpd-0.9.38-eos.yves.el7.cern.x86_64
eos-librichacl-1.12-14.el7.cern.x86_64
eos-fusex-selinux-5.0.31-1.el7.cern.x86_64
eos-quarkdb-5.0.31-1.el7.cern.x86_64
eos-folly-2019.11.11.00-1.el7.cern.x86_64
eos-xrootd-5.4.7-1.el7.cern.x86_64
eos-fusex-5.0.31-1.el7.cern.x86_64
[root@vm1-eos-mgm1 ~]# rpm -qa | grep scitokens
xrootd-scitokens-5.4.3-1.el7.x86_64
scitokens-cpp-0.7.1-1.el7.x86_64
P.S. If I use a token when the mapfile is disabled in scitokens.cfg, then EOS works correctly, i.e. only on the given scope: storage.read:/ - can only read, or storage.create:/ - can only write.
Any idea why EOS is ignoring scopes when it is using the mapfile?
Thanks!
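The post above describes two separate decisions a SciTokens-aware storage element makes: identity mapping (mapfile/default_user: which local account a token maps to) and authorization (storage.* scopes: which operations that token may perform on which paths). The added example below, written for this thread and not part of the original post, EOS or XrdSciTokens, models both decisions side by side on the claims from the post, so you can see what the expected outcome of the PUT should be: the wlcg.groups entry "/eos" maps the request to the local user telecast, but the only storage scope is storage.read:/eos/user/t/telecast/, so a create/write on /eos/user/t/telecast/file should be refused. The scope-to-operation table, the path-prefix rule and the mapfile handling are simplifications written for this example, not XrdSciTokens' exact logic; the decoder reads the payload without verifying the signature, exactly like the cut | base64 | jq pipeline in the post, so it is for inspection only.

```python
import base64
import json

# Assumption (simplified): which operations each WLCG storage scope grants.
# XrdSciTokens uses a finer-grained table; this is enough to show the decision.
SCOPE_OPS = {
    "storage.read": {"read", "stat"},
    "storage.create": {"create"},
    "storage.modify": {"create", "write", "delete"},
}

# Claims copied from the token in the post (constructed token, placeholder signature).
POST_CLAIMS = {
    "wlcg.ver": "1.0",
    "sub": "325b2a1a-7053-49a7-af00-fbfd4c1e9b01",
    "aud": "https://wlcg.cern.ch/jwt/v1/any",
    "nbf": 1660720240,
    "scope": "openid offline_access profile storage.read:/eos/user/t/telecast/ email wlcg wlcg.groups",
    "iss": "https://my-iam.domain.com",
    "exp": 1660723840,
    "iat": 1660720240,
    "jti": "c3b966ba-ed52-49ec-858b-41fb8e31a4bf",
    "client_id": "ffb17627-4b5f-4ed4-9e5c-f9935e5cca94",
    "wlcg.groups": ["/eos"],
}

# The mapfile from the post: group "/eos" -> local user "telecast".
MAPFILE = [{"group": "/eos", "result": "telecast"}]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with a PLACEHOLDER signature (constructed test input only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return ".".join([header, payload, "placeholder-signature"])


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying signature, exp or nbf (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def _join(base: str, rel: str) -> str:
    """Normalise base_path + scope path into one absolute path; refuse '..' segments."""
    parts = [p for p in (base + "/" + rel).split("/") if p and p != "."]
    if ".." in parts:
        raise ValueError("path traversal segment in scope path")
    return "/" + "/".join(parts)


def parse_storage_scopes(scope_claim: str, base_path: str = "/"):
    """Yield (permitted operations, absolute path prefix) for each storage.* scope."""
    for item in scope_claim.split():
        name, sep, path = item.partition(":")
        if name not in SCOPE_OPS:
            continue  # openid, profile, wlcg.groups ... grant no storage rights
        yield SCOPE_OPS[name], _join(base_path, path if sep else "/")


def authorized(claims: dict, op: str, path: str, base_path: str = "/") -> bool:
    """True if some storage scope permits `op` on `path` (exact match or sub-path)."""
    target = _join("/", path)
    for ops, prefix in parse_storage_scopes(claims.get("scope", ""), base_path):
        if op in ops and (target == prefix or target.startswith(prefix.rstrip("/") + "/")):
            return True
    return False


def map_identity(claims: dict, mapfile: list, default_user: str = None):
    """Mapfile-style identity mapping (group or sub -> local user); independent of authz."""
    for rule in mapfile:
        if "group" in rule and rule["group"] in claims.get("wlcg.groups", []):
            return rule["result"]
        if "sub" in rule and rule["sub"] == claims.get("sub"):
            return rule["result"]
    return default_user


def decide(token: str, op: str, path: str, mapfile=MAPFILE, base_path="/", default_user="telecast"):
    """Return (mapped local user, allowed?) for one request. Mapping never widens authz."""
    claims = decode_claims(token)
    return map_identity(claims, mapfile, default_user), authorized(claims, op, path, base_path)


if __name__ == "__main__":
    tok = make_unsigned_token(POST_CLAIMS)
    for op in ("read", "create"):
        user, ok = decide(tok, op, "/eos/user/t/telecast/file")
        print(f"{op:6s} as {user}: {'allowed' if ok else 'denied (expect HTTP 403)'}")
```

Running the block prints that the read is allowed and the create is denied for the mapped user telecast, which is the behaviour the post expected from the PUT. The point the separation makes explicit is that a mapfile hit only answers "who is this request running as"; if a deployment treats the mapped local user as sufficient and skips the scope check, any token carrying the right group would be able to write anywhere that user can, so the scope evaluation has to run regardless of how the identity was derived.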