opensciencegrid / xrootd-multiuser

A filesystem plugin to allow Xrootd to write as a different Unix user
Apache License 2.0

Clients may use GSI (with the client cert unmapped), but also use token auth #48

Closed jthiltges closed 1 year ago

jthiltges commented 1 year ago

A GSI client may append the token to the URI:

/foo/bar?authz=Bearer%20ey...

If an unmapped GSI client has a token, don't flag the client as anonymous

matyasselmeci commented 1 year ago

Hi @jthiltges, is this in a state where we can try it out as a patch?

matyasselmeci commented 1 year ago

Something appears wrong -- this caused xrootd to fail to start up in our automated tests, but only on EL8 and EL9: https://osg-sw-submit.chtc.wisc.edu/tests/20230728-1404/results.html

I untagged the builds from osg-3.6-development, but you can download them directly here:

jthiltges commented 1 year ago

@matyasselmeci It looks like the same issue I'd mentioned to you with the HCC build: on el8 and el9, xrootd v5.6 is being pulled in from EPEL, which results in a plugin that v5.5 cannot load:

Plugin version XrdOfs v5.5.5 is incompatible with osg-multiuser v5.6.1 (must be <= 5.5.x) in osslib libXrdMultiuser-5.so

matyasselmeci commented 1 year ago

That is what appears to happen but it makes no sense... I thought RPMs tagged in Koji always won over RPMs from external repos...

matyasselmeci commented 1 year ago

I have a hunch. Koji has two merge modes for external repos, bare and koji. The latter has the behavior that I said, where the latest RPM in a Koji tag wins over RPMs from external repos; with bare, all the RPMs are added to the generated repo, regardless of versions. The el8 and el9 external repos are merged in bare mode (IIRC for reasons having to do with Modularity) meaning the EPEL RPMs win due to the newer version.

Fortunately, it also means that there are multiple versions of RPMs in the build repo, so I can compile xrootd-multiuser against xrootd 5.5 by adding BuildRequires: xrootd-server-devel < 1:5.6. My build whines a bit but works in the end: https://koji.opensciencegrid.org/koji/taskinfo?taskID=380155 I'll run VMU tests and get back to you...
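
A simplified model of the merge-mode behaviour described in the comment above, added here as an illustration; it is not part of the thread or of Koji's code. The package versions are constructed sample values, and `parse_evr`, `merge` and `resolve` are hypothetical helpers.

```python
# Simplified model of the two Koji external-repo merge modes described above.
# Package data is constructed; real Koji merging and RPM version comparison
# (rpmvercmp) handle many more cases than dotted integers.

KOJI_TAG = [("xrootd-server-devel", "1:5.5.5")]   # constructed: tagged in Koji
EPEL = [("xrootd-server-devel", "1:5.6.1")]       # constructed: external repo

def parse_evr(s):
    """'1:5.6.1' -> (1, (5, 6, 1)); a missing epoch counts as 0."""
    epoch, _, ver = s.rpartition(":")
    return (int(epoch or 0), tuple(int(p) for p in ver.split(".")))

def merge(koji_tag, external, mode):
    """Return the build repo as a list of (name, evr_string, origin)."""
    repo = [(n, v, "koji") for n, v in koji_tag]
    tagged = {n for n, _ in koji_tag}
    for n, v in external:
        # 'koji' mode: a package tagged in Koji shadows the external one.
        # 'bare' mode: every external RPM is added, whatever its version.
        if mode == "bare" or n not in tagged:
            repo.append((n, v, "external"))
    return repo

def resolve(repo, name, below=None):
    """Pick the highest EVR of `name`, optionally strictly below a bound
    (modelling 'BuildRequires: name < bound')."""
    cands = [(parse_evr(v), v, o) for n, v, o in repo if n == name]
    if below is not None:
        bound = parse_evr(below)
        cands = [c for c in cands if c[0] < bound]
    if not cands:
        return None
    _, version, origin = max(cands)
    return (version, origin)

if __name__ == "__main__":
    pkg = "xrootd-server-devel"
    for mode in ("koji", "bare"):
        print(mode, "->", resolve(merge(KOJI_TAG, EPEL, mode), pkg))
    # The version bound only helps because bare mode keeps both versions.
    print("bare, < 1:5.6 ->",
          resolve(merge(KOJI_TAG, EPEL, "bare"), pkg, below="1:5.6"))
```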

matyasselmeci commented 1 year ago

Good news: my hunch is correct and our tests seem to work: https://osg-sw-submit.chtc.wisc.edu/tests/20230804-1005/packages.html