From 5dedcc4486a5505bc88cfe539743cb3c0a4b9d76 Mon Sep 17 00:00:00 2001
From: Andres Tanasijczuk
Date: Tue, 20 Jun 2023 15:34:46 +0200
Subject: [PATCH 1/3] Extend authz list with LIGO DNs in all LIGO private namespaces in cache Authfile
---
 src/README.md | 6 +++---
 src/stashcache.py | 4 ++--
 src/tests/test_stashcache.py | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/README.md b/src/README.md
index eff54a945..dd6d52aec 100644
--- a/src/README.md
+++ b/src/README.md
@@ -442,7 +442,7 @@ For every cache resource, add a `u rl rl ...` ACL for
 The Authfile for a public cache is served at `/cache/Authfile-public?fqdn=`. The public Authfile is basically a giant `u *` list:
-- Explicitly deny read access to `/user/ligo` (with `-rl` permissions)
+- Explicitly deny read access to `/user/ligo` (with `-rl` permissions); this is needed, because granting access to the OSG VO `/user` path would otherwise also grant access to `/user/ligo`
 - Allow read access to the path of each namespace supported by the cache (`rl` permissions)
 ### Cache authenticated Authfile generation
@@ -452,9 +452,9 @@ The Authfile for an authenticated cache is served at `/cache/Authfile?fqdn= rl rl ...` for every DN listed in the Authorizations list of every namespace supported by the cache.
 - Add a `g rl rl ...` for every FQAN listed in the Authorizations list of every namespace supported by the cache.
-In addition, if the cache supports the `/user/ligo` namespace and the webapp can access LIGO's LDAP server:
+In addition, if the cache supports the LIGO VO and the webapp can access LIGO's LDAP server:
-- Add a `u /user/ligo rl` for every DN obtained from the LIGO's LDAP server.
+- Add a `u rl rl ...` for every DN obtained from the LIGO's LDAP server.
 ### Origin xrootd-scitokens config generation
diff --git a/src/stashcache.py b/src/stashcache.py
index 981a07616..06a7dbbfa 100644
--- a/src/stashcache.py
+++ b/src/stashcache.py
@@ -148,7 +148,7 @@ def fetch_ligo_authz_list_if_needed():
 ligo_authz_list.append(parse_authz(f"DN:{dn}")[0])
 return ligo_authz_list
- for stashcache_obj in vos_data.stashcache_by_vo_name.values():
+ for vo_name, stashcache_obj in vos_data.stashcache_by_vo_name.items():
 for path, namespace in stashcache_obj.namespaces.items():
 if not namespace_allows_cache_resource(namespace, cache_resource):
 continue
@@ -162,7 +162,7 @@ def fetch_ligo_authz_list_if_needed():
 # Extend authz list with LIGO DNs if applicable
 extended_authz_list = namespace.authz_list
- if path == "/user/ligo":
+ if vo_name.lower() == "ligo":
 if legacy:
 extended_authz_list += fetch_ligo_authz_list_if_needed()
 else:
diff --git a/src/tests/test_stashcache.py b/src/tests/test_stashcache.py
index d7924d7fe..ed32c4645 100644
--- a/src/tests/test_stashcache.py
+++ b/src/tests/test_stashcache.py
@@ -50,14 +50,14 @@ def test_allowedVO_includes_ANY_for_ligo_inclusion(self, client: flask.Flask, mo
 stashcache.generate_cache_authfile(global_data, "osg-sunnyvale-stashcache.t2.ucsd.edu")
- assert spy.call_count == 1
+ assert spy.call_count == 4
 def test_allowedVO_includes_LIGO_for_ligo_inclusion(self, client: flask.Flask, mocker: MockerFixture):
 spy = mocker.spy(global_data, "get_ligo_dn_list")
 stashcache.generate_cache_authfile(global_data, "stashcache.gwave.ics.psu.edu")
- assert spy.call_count == 1
+ assert spy.call_count == 4
 def test_allowedVO_excludes_LIGO_and_ANY_for_ligo_inclusion(self, client: flask.Flask, mocker: MockerFixture):
 spy = mocker.spy(global_data, "get_ligo_dn_list")
From 7df3d3630e86395fc284e4aae3b1f17af71085de Mon Sep 17 00:00:00 2001
From: Andres Tanasijczuk
Date: Tue, 20 Jun 2023 15:35:19 +0200
Subject: [PATCH 2/3] Remove unused code
---
 src/stashcache.py | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/src/stashcache.py b/src/stashcache.py
index 06a7dbbfa..ebde3338a 100644
--- a/src/stashcache.py
+++ b/src/stashcache.py
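Review bot: The new `if vo_name.lower() == "ligo":` now guards the in-place `extended_authz_list += fetch_ligo_authz_list_if_needed()` on the line after it, while `extended_authz_list` is bound to `namespace.authz_list` two lines above; if `authz_list` is a list (the removed helper typed its own list as `List[AuthMethod]`), `+=` extends the shared namespace object rather than a copy, so the LIGO DNs accumulate in the VO data on every Authfile generation, and after this change for every LIGO namespace instead of only `/user/ligo`. Bind a copy before extending: `extended_authz_list = list(namespace.authz_list)`. The condition also replaces the path check with a VO-name match and nothing visible in the hunk restricts it to non-public namespaces, although the commit title says "LIGO private namespaces"; if the LIGO VO can carry a public namespace in topology, it is worth confirming that a later filter excludes it. The enclosing loop and `generate_cache_authfile` continue outside the hunk.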
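Review bot: `assert spy.call_count == 4` pins the number of LIGO namespaces present in the test fixtures rather than the behaviour this commit changes, and the same two assertions are bumped again from 4 to 5 in the [PATCH 3/3] hunk on this file, which shows how brittle the magic number is. Asserting on the generated Authfile instead, that each LIGO namespace line carries the DNs returned by `get_ligo_dn_list`, would test the actual contract; if the call count is kept, `assert spy.call_count >= 1` states what matters. The jump from 1 to 4 also suggests that the LDAP-backed `get_ligo_dn_list` is now invoked once per LIGO namespace per Authfile generation rather than once, so memoising the result inside `fetch_ligo_authz_list_if_needed` for the duration of the call would avoid repeated directory lookups (inferred from the counts, not from the helper's body, which is outside the hunk). Both test methods start before the hunk.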
@@ -320,11 +320,6 @@ def generate_cache_grid_mapfile(global_data: GlobalData,
 if not resource:
 return ""
- ligo_authz_list: List[AuthMethod] = []
- if legacy:
- for dn in global_data.get_ligo_dn_list():
- ligo_authz_list.append(parse_authz(f"DN:{dn}")[0])
-
 idns = _IdNamespaceData.for_cache(
 global_data=global_data,
 topology=topology,
From 49f88e6ea96f2eb0adb63a9348e42ee6cbe3dc62 Mon Sep 17 00:00:00 2001
From: Matyas Selmeci
Date: Wed, 13 Sep 2023 18:33:20 -0500
Subject: [PATCH 3/3] Update tests
---
 src/tests/test_stashcache.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tests/test_stashcache.py b/src/tests/test_stashcache.py
index ed32c4645..da72cb74d 100644
--- a/src/tests/test_stashcache.py
+++ b/src/tests/test_stashcache.py
@@ -50,14 +50,14 @@ def test_allowedVO_includes_ANY_for_ligo_inclusion(self, client: flask.Flask, mo
 stashcache.generate_cache_authfile(global_data, "osg-sunnyvale-stashcache.t2.ucsd.edu")
- assert spy.call_count == 4
+ assert spy.call_count == 5
 def test_allowedVO_includes_LIGO_for_ligo_inclusion(self, client: flask.Flask, mocker: MockerFixture):
 spy = mocker.spy(global_data, "get_ligo_dn_list")
 stashcache.generate_cache_authfile(global_data, "stashcache.gwave.ics.psu.edu")
- assert spy.call_count == 4
+ assert spy.call_count == 5
 def test_allowedVO_excludes_LIGO_and_ANY_for_ligo_inclusion(self, client: flask.Flask, mocker: MockerFixture):
 spy = mocker.spy(global_data, "get_ligo_dn_list")