XRootD tokens
Additional Packages
xrootd-scitokens
XrootD Config
<security>
# Enable the ztn security protocol so clients can present a bearer token.
sec.protocol ztn
# Every host ("*") is restricted ("only") to the ztn and gsi protocols;
# no "none" entry is listed, so unauthenticated access is not offered here.
sec.protbind * only ztn gsi
<TLS>
# "capable" negotiates TLS with clients that support it rather than requiring
# it for everyone.  NOTE(review): confirm that token-bearing requests (ztn, and
# the HTTP Authorization header below) cannot arrive over a clear-text
# connection, since a bearer token sent in the clear is exposed.
xrootd.tls capable all
# Copy the HTTP "Authorization" header into the "authz" CGI key so the token
# reaches the authorization library configured below.  NOTE(review): the token
# then travels in the CGI string — check that request/CGI logging does not
# record it.
http.header2cgi Authorization authz
<authlib>
# Each "++" adds another library to the authorization chain: SciTokens
# (configured by /etc/xrootd/scitokens.cfg) and Macaroons.  Which one is
# consulted first follows the xrootd chaining rules — confirm if order matters.
ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
ofs.authlib ++ libXrdMacaroons.so
<trace>
# NOTE(review): "all" is the most verbose trace level and may write token
# contents to the log; narrow it once debugging is finished.
scitokens.trace all
scitokens.cfg
[Global]
# give other auth mechanisms a chance to allow the request:
# with "passthrough", a request that carries no token is handed on to the
# next authorization step (the other authlib / security protocol) instead
# of being denied here.
onmissing = passthrough
#
# don't use the https://wlcg.cern.ch/jwt/v1/any audience from clients on production instances
#
# tokens must provide an "aud" which must match to one of these (comma-separated)
# NOTE(review): https://wlcg.cern.ch/jwt/v1/any is nevertheless accepted below,
# so a token minted with that audience is not bound to this service and is
# valid at every other endpoint that also accepts it — confirm this is
# intended for a production instance.
audience = rdr.echo.stfc.ac.uk,webdav.echo.stfc.ac.uk,xrootd.echo.stfc.ac.uk,https://wlcg.cern.ch/jwt/v1/any,root://ceph-svc17.gridpp.rl.ac.uk:1094,davs://ceph-svc17.gridpp.rl.ac.uk:1094,https://ceph-svc17.gridpp.rl.ac.uk:1094,root://xrootd.echo.stfc.ac.uk:1094,davs://webdav.echo.stfc.ac.uk:1094,https://webdav.echo.stfc.ac.uk,root://rdr.echo.stfc.ac.uk:1094,davs://rdr.echo.stfc.ac.uk:1094,https://rdr.echo.stfc.ac.uk:1094
# One "[Issuer <name>]" section per trusted token issuer.
# NOTE(review): confirm that "issuer" is compared exactly against the token's
# "iss" claim, trailing slash included.
[Issuer CMS_IAM]
issuer = https://cms-auth.web.cern.ch/
# presumably the namespace prefix that the token's path scopes are resolved
# against — confirm against the plugin documentation
base_path = /
# presumably the token subject is not mapped to a local user — confirm
map_subject = False
# presumably confines this issuer's tokens to the listed prefix(es) regardless
# of the scopes they carry (see the "Patches needed" list below the file).
# Written as "key=value" while the keys above use "key = value"; harmless for
# whitespace-trimming parsers, but keep one style.
restricted_path=/store
# name_mapfile is left disabled; record why (or drop the line) so it is not
# mistaken for an active setting
#name_mapfile = /etc/xrootd/scitokens_mapfile_cms.json
[Issuer ATLAS]
issuer = https://atlas-auth.web.cern.ch/
base_path = /
map_subject = False
# NOTE(review): space-separated list here, whereas "audience" above is
# comma-separated — confirm the delimiter the (patched) plugin expects
restricted_path=/atlas:datadisk /atlas:scratchdisk /atlas:accounting /atlas:test
# presumably the local identity used for this issuer's requests when the
# subject is not mapped; only the ATLAS section sets it — confirm that the
# CMS and LHCb sections are meant to run without one
default_user = xrootd
[Issuer LHCb_IAM]
issuer = https://lhcb-auth.web.cern.ch/
base_path = /
map_subject = False
# same delimiter question as in the ATLAS section
restricted_path=/lhcb:prod /lhcb:user /lhcb:failover /lhcb:buffer /lhcb:accounting
Patches needed:
CMS token patch for scope / · stfc/xrootd@afe6e32
patch to reject /foobar paths when scope is set to /foo · stfc/xrootd@f2422ae
Superfolder access by Jo-stfc · Pull Request #4 · stfc/xrootd