EOS 5:scitokens:mapfile:ignore scopes

Dear Experts,

EOS seems to ignore the set "scope" in Scitokens when using the mapfile (https://github.com/xrootd/xrootd/tree/master/src/XrdSciTokens).
Illustration:

scitokens.cfg

[Global]
audience = https://wlcg.cern.ch/jwt/v1/any

[Issuer OSG-Connect]
issuer = https://my-iam.domain.com
base_path = /
map_subject = true
default_user = telecast
name_mapfile = /etc/xrootd/mapfile

mapfile

[ {"group": "/eos", "result": "telecast"} ]

Token: # echo $(cat /tmp/bt_u333) | cut -d. -f2 | base64 --decode | jq .

{
  "wlcg.ver": "1.0",
  "sub": "325b2a1a-7053-49a7-af00-fbfd4c1e9b01",
  "aud": "https://wlcg.cern.ch/jwt/v1/any",
  "nbf": 1660720240,
  "scope": "openid offline_access profile storage.read:/eos/user/t/telecast/ email wlcg wlcg.groups",
  "iss": "https://my-iam.domain.com",
  "exp": 1660723840,
  "iat": 1660720240,
  "jti": "c3b966ba-ed52-49ec-858b-41fb8e31a4bf",
  "client_id": "ffb17627-4b5f-4ed4-9e5c-f9935e5cca94",
  "wlcg.groups": [
    "/eos"
  ]
}

I tried to write the file (I expect the system to reject the operation and return error #403 token authorization failed):
curl -k -v -L -X PUT -H "Authorization: Bearer $(cat /tmp/bt_u333)" --upload-file file https://vm-eos.domain.com:9000/eos/user/t/telecast/file

Result: the file is completely uploaded in the directory (???)

> User-Agent: curl/7.29.0
> Host: vm3-eos-fst0.jinr.ru:9001
> Accept: */*
> Content-Length: 20
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
< Connection: Close
< Date: Wed, 17 Aug 2022 08:00:06 GMT
* We are completely uploaded and fine
< HTTP/1.1 201 CREATED
< Connection: Keep-Alive
< Content-Length: 0
< Date: Wed, 17 Aug 2022 08:00:06 GMT

Installed EOS packages:

[root@vm1-eos-mgm1 ~]# rpm -qa | grep eos
eos-libmicrohttpd-0.9.38-eos.el7.cern.x86_64
eos-folly-deps-2019.11.11.00-1.el7.cern.x86_64
eos-grpc-devel-1.41.0-1.el7.x86_64
eos-rocksdb-6.2.4-1.el7.cern.x86_64
eos-client-5.0.31-1.el7.cern.x86_64
eos-server-5.0.31-1.el7.cern.x86_64
eos-nginx-1.12.2-5.x86_64
eos-protobuf3-3.17.3-1.el7.cern.eos.x86_64
eos-richacl-1.12-14.el7.cern.x86_64
eos-grpc-1.41.0-1.el7.x86_64
eos-fusex-core-5.0.31-1.el7.cern.x86_64
eos-ns-inspect-5.0.31-1.el7.cern.x86_64
libmicrohttpd-0.9.38-eos.yves.el7.cern.x86_64
eos-librichacl-1.12-14.el7.cern.x86_64
eos-fusex-selinux-5.0.31-1.el7.cern.x86_64
eos-quarkdb-5.0.31-1.el7.cern.x86_64
eos-folly-2019.11.11.00-1.el7.cern.x86_64
eos-xrootd-5.4.7-1.el7.cern.x86_64
eos-fusex-5.0.31-1.el7.cern.x86_64
[root@vm1-eos-mgm1 ~]# rpm -qa | grep scitokens
xrootd-scitokens-5.4.3-1.el7.x86_64
scitokens-cpp-0.7.1-1.el7.x86_64

P.S. If I use a token when the mapfile is disabled in scitokens.cfg, then EOS works correctly, i.e. only on the given scope: storage.read:/ - can only read, or storage.create:/ - can only write.

Any idea why EOS is ignoring scopes when it is using a mapfile?

Thanks!

Hi Alexandr,

This difference in behavior does not come from the EOS code base per se, but actually from the way the XrdSciTokens authorization plugin is implemented. If the mapping is applied then the scope-based authz is allowed to fail and is not actually enforced [1]. Therefore, what happens in this case is that EOS will use the privileges of the username that you are mapped to and the destination directory permissions to decide if the operation can go through or not. And most likely the user you are mapped to is allowed to write to the target destination.

Here you have the relevant pointer to the code in XRootD dealing with mapped clients and scopes:
[1] https://github.com/xrootd/xrootd/blob/master/src/XrdSciTokens/XrdSciTokensAccess.cc#L509

This behavior is of course up for discussion but this is the current state of affairs.

Cheers,
Elvin
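To make the behaviour described above concrete, here is a small added model (example code, not from this thread, from EOS or from XRootD) of the two decision paths an operator can check a token against before deploying a mapfile: the WLCG storage.* scope check on its own, and the outcome once a mapfile rule matches and the decision is deferred to the mapped user's permissions. The payload and mapfile mirror the ones in the question; the scope-to-operation table and the rule keys (`sub`, `group`) are simplifying assumptions made here.

```python
import posixpath
from typing import Optional

# Constructed sample token payload, mirroring the one in the question (not a real token).
SAMPLE_PAYLOAD = {
    "iss": "https://my-iam.domain.com",
    "aud": "https://wlcg.cern.ch/jwt/v1/any",
    "sub": "325b2a1a-7053-49a7-af00-fbfd4c1e9b01",
    "scope": "openid offline_access profile storage.read:/eos/user/t/telecast/ email wlcg wlcg.groups",
    "wlcg.groups": ["/eos"],
}
# Mapfile as in the question: anyone carrying group /eos is mapped to local user 'telecast'.
MAPFILE = [{"group": "/eos", "result": "telecast"}]
# Assumed (simplified) reading of the WLCG profile: which storage.* scopes authorize which operation.
OP_SCOPES = {"read": ("storage.read",), "create": ("storage.create", "storage.modify"),
             "modify": ("storage.modify",)}

def _under(prefix: str, path: str) -> bool:
    """Directory-boundary prefix match so /a/b does not authorize /a/bc."""
    prefix, path = posixpath.normpath(prefix), posixpath.normpath(path)
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

def scope_authorizes(scope: str, base_path: str, op: str, path: str) -> bool:
    """True if some storage.* scope covers 'op' on 'path', resolving the scope resource under base_path."""
    for entry in scope.split():
        name, _, resource = entry.partition(":")
        if name not in OP_SCOPES[op]:
            continue
        allowed = posixpath.join(base_path, (resource or "/").lstrip("/"))
        if _under(allowed, path):
            return True
    return False

def mapped_user(payload: dict, mapfile: list) -> Optional[str]:
    """Return the 'result' of the first mapfile rule matching the token's sub or one of its groups."""
    for rule in mapfile:
        if rule.get("sub") == payload.get("sub") or rule.get("group") in payload.get("wlcg.groups", []):
            return rule["result"]
    return None

def decide(payload: dict, mapfile: list, base_path: str, op: str, path: str) -> dict:
    """Model the thread's finding: once a mapping applies, the scope result is advisory only."""
    by_scope = scope_authorizes(payload["scope"], base_path, op, path)
    user = mapped_user(payload, mapfile)
    if user is not None:  # mapped: EOS decides on the mapped user's POSIX/ACL rights, not the scope
        return {"scope_authorized": by_scope, "mapped_user": user, "decision": "defer to permissions of " + user}
    return {"scope_authorized": by_scope, "mapped_user": None, "decision": "allow" if by_scope else "deny"}
```

Running `decide(SAMPLE_PAYLOAD, MAPFILE, "/", "create", "/eos/user/t/telecast/file")` reports the scope as not authorizing the write while the decision is deferred to user telecast, which is the 201 seen in the question; with an empty mapfile the same call is denied.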

Hi Elvin,

Thank you very much for the detailed explanation and link; I will think about how to act within these restrictions.

Thanks!