Open esindril opened 2 years ago
Hi @esindril ,
Please bear in mind that a JWT is a carrier both of explicit authorisation statements (storage.*
elements in the scope
claim) and of group- and VO membership information (e.g., the wlcg.groups
). The latter is intended as a (more-or-less) direct replacement for the existing VOMS-based authorisation decisions that storage systems already make.
That isn't to say that the wording should be tightened up: the text could be improved and I've already made modest contributions in this direction.
However, I'm not aware of any final decision on how storage should handle JWT; specifically, on whether a user who presents a token with no explicit authorisation (i.e., no storage.*
elements in the scope
claim) but with group membership information can reasonably expect that token to authorise any operations.
Hi @paulmillar ,
Yes, indeed, both types of information can be present in the token but currently the scitokens implementation in XRootD (XrdSciTokens - which is also used as plugin in EOS) denies access for tokens without a (properly) specified scope. I also think this could benefit from a bit for discussion between the different SE providers and major projects involved. I actually suggested this on the wlgc-doma-tpc mailing list.
The list of pre-requisites includes some statements which are a bit contradictory to my understanding. For example:
and then
From what I remember, it was agreed that access to SE with tokens targeting such systems should be done using an appropriate scope, like
storage.read:/...
or storage.write:/...`. Once this is addressed, also the tests need to be properly adjusted (at least in terms of the scope of the tokens used).