jbasney
commented
1 year ago Unlike X.509 CA signing keys, which IGTF updates once per month via RPMs, the SciTokens signing keys need to be updated more frequently, because there are no CRLs in the SciTokens world. Assuming the cluster head node (or management node) has external connectivity, then the head node could update the SciTokens key cache once per hour / once per day and distribute the key cache to the cluster nodes. We'd need a tool that takes a set of trusted issuers and updates the key cache for all the issuers, rather than letting the library do it on demand. This would also require fixing caching lifetimes (#80 & #86).
In scitokens-cpp, the key cache is in $XDG_CACHE_HOME/scitokens/scitokens_cpp.sqllite. See: https://github.com/scitokens/scitokens-cpp/blob/master/src/scitokens_cache.cpp
In Python, the SciTokens key cache is in $XDG_CACHE_HOME/scitokens/scitokens_keycache.sqllite. See: https://github.com/scitokens/scitokens/blob/master/src/scitokens/utils/keycache.py
Seems to me we should try to use the same cache for both C++ and Python.
bbockelm
Currently one cannot validate a bearer token without an outbound network connection:
Is this feasible? It would enable using tokens for jobs on cluster nodes that are not exposed to the network (e.g. on LIGO/Hawk in Cardiff).