Fix token file and directory permission

jhiemstrawisc · Jun 13, 2024 · 45b5a57 · 45b5a57
1 parent 2971adf
commit 45b5a57
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 2 deletions.
diff --git a/origin/globus.go b/origin/globus.go
@@ -34,6 +34,7 @@ import (
 	"golang.org/x/oauth2"
 	"golang.org/x/sync/errgroup"
 
+	"github.com/pelicanplatform/pelican/config"
 	"github.com/pelicanplatform/pelican/param"
 	"github.com/pelicanplatform/pelican/server_structs"
 	"github.com/pelicanplatform/pelican/server_utils"
@@ -78,6 +79,16 @@ var (
 //     from the origin's SQLite DB and populate the global map, refresh the access token by the persisted
 //     refresh token
 func InitGlobusBackend(exps []server_utils.OriginExport) error {
+	uid, err := config.GetDaemonUID()
+	if err != nil {
+		return errors.Wrap(err, "failed to initialize Globus backend: failed to get uid")
+	}
+
+	gid, err := config.GetDaemonGID()
+	if err != nil {
+		return errors.Wrap(err, "failed to initialize Globus backend: failed to get gid")
+	}
+
 	if server_utils.OriginStorageType(param.Origin_StorageType.GetString()) != server_utils.OriginStorageGlobus {
 		return errors.Errorf("failed to initialize Globus backend: Origin.StorageType is not Globus: %s",
 			param.Origin_StorageType.GetString())
@@ -91,6 +102,13 @@ func InitGlobusBackend(exps []server_utils.OriginExport) error {
 	if err := os.MkdirAll(tokFdr, 0755); err != nil {
 		return errors.Wrapf(err, "failed to create directory for Globus tokens: %s", tokFdr)
 	}
+	// We need to change the directory and file permission to XRootD user/group so that it can access the token
+	if err = os.Chown(globusFdr, uid, gid); err != nil {
+		return errors.Wrapf(err, "unable to change the ownership of %s to xrootd daemon uid %d and gid %d for Globus config", globusFdr, uid, gid)
+	}
+	if err = os.Chown(tokFdr, uid, gid); err != nil {
+		return errors.Wrapf(err, "unable to change the ownership of %s to xrootd daemon uid %d and gid %d for Globus tokens", tokFdr, uid, gid)
+	}
 
 	globusAuthCfg, err := GetGlobusOAuthCfg()
 	if err != nil {
@@ -118,7 +136,7 @@ func InitGlobusBackend(exps []server_utils.OriginExport) error {
 			globusExports[esp.GlobusCollectionID] = &globusEsp
 			continue
 		}
-		// We found the collection in DB, try to get access token with the refresh token
+		// We found the collection in DB, try to get access token via the refresh token
 		col, err := getCollectionByUUID(esp.GlobusCollectionID)
 		if err != nil {
 			return errors.Wrapf(err, "failed to get credentials for Globus collection %s with name %s", esp.GlobusCollectionID, esp.GlobusCollectionName)

diff --git a/origin/globus_client.go b/origin/globus_client.go
@@ -562,6 +562,15 @@ func handleGlobusAuth(ctx *gin.Context) {
 
 // Persist the access token on the disk
 func persistAccessToken(collectionID string, token *oauth2.Token) error {
+	uid, err := config.GetDaemonUID()
+	if err != nil {
+		return errors.Wrap(err, "failed to persist Globus access token on disk: failed to get uid")
+	}
+
+	gid, err := config.GetDaemonGID()
+	if err != nil {
+		return errors.Wrap(err, "failed to persist Globus access token on disk: failed to get gid")
+	}
 	globusFdr := param.Origin_GlobusConfigLocation.GetString()
 	tokBase := filepath.Join(globusFdr, "tokens")
 	if filepath.Clean(tokBase) == "" {
@@ -572,8 +581,11 @@ func persistAccessToken(collectionID string, token *oauth2.Token) error {
 	if err != nil {
 		return errors.Wrap(err, "failed to update Globus token: unable to create a temporary Globus token file")
 	}
+	// We need to change the directory and file permission to XRootD user/group so that it can access the token
+	if err = tmpTokFile.Chown(uid, gid); err != nil {
+		return errors.Wrapf(err, "unable to change the ownership of Globus token file at %s to xrootd daemon", tmpTokFile.Name())
+	}
 	defer tmpTokFile.Close()
-	defer os.Remove(tmpTokFile.Name())
 
 	_, err = tmpTokFile.Write([]byte(token.AccessToken + "\n"))
 	if err != nil {