Additional Packages
xrootd-scitokens
XrootD Config
<security>
# Enable the ztn (bearer-token) security protocol. The gsi protocol referenced on the
# next line is not configured in this snippet — presumably its sec.protocol line lives elsewhere.
sec.protocol ztn
# For every client host (*), offer only ztn and gsi; 'only' restricts the offered
# protocols to this list, so no other sec.protocol that may be loaded is usable.
sec.protbind * only ztn gsi
<TLS>
# Require TLS for 'all' operations from TLS-capable clients.
# NOTE(review): 'capable' appears to still admit clients that cannot do TLS (they would then
# be limited to gsi, since ztn tokens are only sent over TLS) — confirm against the xrootd.tls
# documentation for the deployed version that this fallback is intended.
xrootd.tls capable all
# Copy the HTTP Authorization header into the 'authz' CGI variable so the authlib
# plugins (libXrdAccSciTokens / libXrdMacaroons) see the bearer token on HTTP requests.
http.header2cgi Authorization authz
<authlib>
# Stack (++) the SciTokens authorization plugin on the authlib chain; its issuer, audience
# and path policy is read from the config= file (scitokens.cfg, documented below).
ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
# Stack the macaroons plugin after it. Presumably the chain is consulted in this order,
# so a request the SciTokens plugin passes through can still be allowed by macaroons.
ofs.authlib ++ libXrdMacaroons.so
scitokens.cfg (installed as /etc/xrootd/scitokens.cfg, the config= file referenced by ofs.authlib above)
# scitokens.cfg — read by libXrdAccSciTokens.so (config= argument of ofs.authlib).
# '#' starts a full-line comment. [Global] holds plugin-wide settings; each
# [Issuer <label>] section describes one trusted token issuer (the label is local).
[Global]
# give other auth mechanisms a chance to allow the request
# (a request that carries no usable token is not rejected by this plugin; it is
# passed on to the next authlib / security protocol for a decision)
onmissing = passthrough
#
# don't use https://wlcg.cern.ch/jwt/v1/any audience from clients on production instances
#
# tokens must provide an "aud" which must match to one of these (comma-separated)
# NOTE(review): the list below still contains https://wlcg.cern.ch/jwt/v1/any, which the
# comment above warns against. Presumably a token minted with that generic audience is
# then accepted here even though it was not issued for this service — confirm this is
# intended on production; if not, drop that entry so only service-specific audiences match.
audience = rdr.echo.stfc.ac.uk,webdav.echo.stfc.ac.uk,xrootd.echo.stfc.ac.uk,https://wlcg.cern.ch/jwt/v1/any,root://ceph-svc17.gridpp.rl.ac.uk:1094,davs://ceph-svc17.gridpp.rl.ac.uk:1094,https://ceph-svc17.gridpp.rl.ac.uk:1094,root://xrootd.echo.stfc.ac.uk:1094,davs://webdav.echo.stfc.ac.uk:1094,https://webdav.echo.stfc.ac.uk,root://rdr.echo.stfc.ac.uk:1094,davs://rdr.echo.stfc.ac.uk:1094,https://rdr.echo.stfc.ac.uk:1094
# Trusted issuer: CMS IAM
[Issuer CMS_IAM]
# 'iss' claim of accepted tokens must equal this URL (trailing slash included)
issuer = https://cms-auth.web.cern.ch/
# namespace prefix under which this issuer's token scopes are interpreted (assumed per plugin docs)
base_path = /
# token subject is not mapped to a local username for this issuer
map_subject = False
# tokens from this issuer may only authorize paths under these prefixes (assumed per plugin docs)
restricted_path=/store
# subject-to-user mapping file is currently disabled; kept for reference
#name_mapfile = /etc/xrootd/scitokens_mapfile_cms.json
# Trusted issuer: ATLAS IAM
[Issuer ATLAS]
issuer = https://atlas-auth.web.cern.ch/
base_path = /
map_subject = False
# space-separated list of allowed path prefixes
restricted_path=/atlas:datadisk /atlas:scratchdisk /atlas:accounting /atlas:test
# NOTE(review): with map_subject = False every ATLAS token request is attributed to the local
# user 'xrootd'. Confirm this is not also the account the daemon itself runs as — if it is,
# token holders inherit the service's own identity for downstream authorization decisions.
default_user = xrootd
# Trusted issuer: LHCb IAM (no default_user here, unlike [Issuer ATLAS] — confirm that is deliberate)
[Issuer LHCb_IAM]
issuer = https://lhcb-auth.web.cern.ch/
base_path = /
map_subject = False
# space-separated list of allowed path prefixes
restricted_path=/lhcb:prod /lhcb:user /lhcb:failover /lhcb:buffer /lhcb:accounting
Patches needed (applied on top of the packaged xrootd):
https://github.com/stfc/xrootd/commit/afe6e32a03a738763ec42ba043a8d3f7c88c5f12
https://github.com/stfc/xrootd/commit/f2422aebeae99f249be3af1d44e059350291ac37
https://github.com/stfc/xrootd/pull/4