diff --git a/src/README.md b/src/README.md
index eff54a945..dd6d52aec 100644
--- a/src/README.md
+++ b/src/README.md
@@ -442,7 +442,7 @@ For every cache resource, add a `u rl rl ...` ACL for
 The Authfile for a public cache is served at `/cache/Authfile-public?fqdn=`. The public Authfile is basically a giant `u *` list:
-- Explicitly deny read access to `/user/ligo` (with `-rl` permissions)
+- Explicitly deny read access to `/user/ligo` (with `-rl` permissions); this is needed, because granting access to the OSG VO `/user` path would otherwise also grant access to `/user/ligo`
 - Allow read access to the path of each namespace supported by the cache (`rl` permissions)
 ### Cache authenticated Authfile generation
@@ -452,9 +452,9 @@ The Authfile for an authenticated cache is served at `/cache/Authfile?fqdn= rl rl ...` for every DN listed in the Authorizations list of every namespace supported by the cache.
 - Add a `g rl rl ...` for every FQAN listed in the Authorizations list of every namespace supported by the cache.
-In addition, if the cache supports the `/user/ligo` namespace and the webapp can access LIGO's LDAP server:
+In addition, if the cache supports the LIGO VO and the webapp can access LIGO's LDAP server:
-- Add a `u /user/ligo rl` for every DN obtained from the LIGO's LDAP server.
+- Add a `u rl rl ...` for every DN obtained from the LIGO's LDAP server.
 ### Origin xrootd-scitokens config generation
diff --git a/src/stashcache.py b/src/stashcache.py
index 838bf90c0..39467e53c 100644
--- a/src/stashcache.py
+++ b/src/stashcache.py
@@ -151,7 +151,7 @@ def fetch_ligo_authz_list_if_needed():
 ligo_authz_list.append(parse_authz(f"DN:{dn}")[0])
 return ligo_authz_list
- for stashcache_obj in vos_data.stashcache_by_vo_name.values():
+ for vo_name, stashcache_obj in vos_data.stashcache_by_vo_name.items():
 for path, namespace in stashcache_obj.namespaces.items():
 if not namespace_allows_cache_resource(namespace, cache_resource):
 continue 
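Review bot: `fetch_ligo_authz_list_if_needed()` is now reached once per namespace of the LIGO VO instead of once for `/user/ligo`, and the test hunk in `src/tests/test_stashcache.py` shows the cost: `get_ligo_dn_list` (the LDAP-backed lookup) is spied at 5 calls per generated Authfile instead of 1, and both tests hard-code that count rather than removing the repetition. Nothing visible in this hunk caches the helper's result across iterations despite its name; compute the LIGO DN list once before the `for vo_name, stashcache_obj in vos_data.stashcache_by_vo_name.items():` loop, or memoize the nested helper (e.g. `@functools.cache` if `functools` is already imported in this file), and restore `assert spy.call_count == 1` in both tests. Repeating the directory lookup per namespace also means that, depending on how `get_ligo_dn_list` handles a transient LDAP error or a directory change between calls, namespaces of the same VO could end up with different DN lists inside one authorization file. The enclosing function and the helper's body start outside this hunk.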
@@ -165,7 +165,7 @@ def fetch_ligo_authz_list_if_needed():
 # Extend authz list with LIGO DNs if applicable
 extended_authz_list = namespace.authz_list
- if path == "/user/ligo":
+ if vo_name.lower() == "ligo":
 if legacy:
 extended_authz_list += fetch_ligo_authz_list_if_needed()
 else:
@@ -323,11 +323,6 @@ def generate_cache_grid_mapfile(global_data: GlobalData,
 if not resource:
 return ""
- ligo_authz_list: List[AuthMethod] = []
- if legacy:
- for dn in global_data.get_ligo_dn_list():
- ligo_authz_list.append(parse_authz(f"DN:{dn}")[0])
-
 idns = _IdNamespaceData.for_cache(
 global_data=global_data,
 topology=topology,
diff --git a/src/tests/test_stashcache.py b/src/tests/test_stashcache.py
index d7924d7fe..da72cb74d 100644
--- a/src/tests/test_stashcache.py
+++ b/src/tests/test_stashcache.py
@@ -50,14 +50,14 @@ def test_allowedVO_includes_ANY_for_ligo_inclusion(self, client: flask.Flask, mo
 stashcache.generate_cache_authfile(global_data, "osg-sunnyvale-stashcache.t2.ucsd.edu")
- assert spy.call_count == 1
+ assert spy.call_count == 5
 def test_allowedVO_includes_LIGO_for_ligo_inclusion(self, client: flask.Flask, mocker: MockerFixture):
 spy = mocker.spy(global_data, "get_ligo_dn_list")
 stashcache.generate_cache_authfile(global_data, "stashcache.gwave.ics.psu.edu")
- assert spy.call_count == 1
+ assert spy.call_count == 5
 def test_allowedVO_excludes_LIGO_and_ANY_for_ligo_inclusion(self, client: flask.Flask, mocker: MockerFixture):
 spy = mocker.spy(global_data, "get_ligo_dn_list")
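Review bot: `extended_authz_list = namespace.authz_list` followed by `extended_authz_list += fetch_ligo_authz_list_if_needed()` extends `namespace.authz_list` in place if that attribute is a list, and the new `vo_name.lower() == "ligo"` condition now sends every namespace of the LIGO VO through that line, so each one's stored authorization list gains the LIGO DNs on every generation and keeps growing if the namespace objects are reused across calls (for instance when the VO data is cached in `global_data`); the old `path == "/user/ligo"` check confined this to a single namespace. Build a fresh list instead: `extended_authz_list = namespace.authz_list + fetch_ligo_authz_list_if_needed()` (or start from `list(namespace.authz_list)`). The `else:` branch and the rest of the loop body continue outside the hunk, so the non-legacy path needs the same treatment if it also uses `+=`.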