dCache / dcache

dCache - a system for storing and retrieving huge amounts of data, distributed among a large number of heterogeneous server nodes, under a single virtual filesystem tree with a variety of standard access methods
https://dcache.org

gplazma: update `explain login` to allow admin to specify a token on the command-line #7576

Open paulmillar opened 1 month ago

paulmillar commented 1 month ago

The `explain login` command currently accepts a list of principals.

Based on an idea from @onnozweers, it would be much easier (and more closely reflects reality) if the `explain login` command accepted an OIDC access token as a command-line argument. It would then generate a login report, based on that input.

onnozweers commented 1 month ago

Would it be an idea to implement the same for macaroons? Or is that already possible?

paulmillar commented 3 weeks ago

Macaroons don't pass through gPlazma; the door handles them directly. Therefore adding support for them with `explain login` doesn't make sense (at least, not to me). Minting a macaroon is like "freezing" the result of some (successful) login. Using the macaroon is like unfreezing that login result.

You can find out more about this frozen login result by calling dCache's user introspection endpoint with a macaroon; e.g.,

```sh
curl -H "Authorization: Bearer $MACAROON" https://frontend-door.dcache.example.org/api/v1/user
```