From e00b4b2b2b242ad28951823e8bbc290ade5ad8be Mon Sep 17 00:00:00 2001
From: Brian Bockelman
Date: Mon, 14 Jan 2019 21:21:15 -0600
Subject: [PATCH 1/2] Automatically enable the SciTokens plugin on install. Change the default SciTokens configuration to enable no authorizations.
---
 CMakeLists.txt | 9 +++++++++
 configs/30-scitokens-auth.cfg | 26 ++++++++++++++++++++++++++
 configs/scitokens.cfg | 33 +++++++++++++++++----------------
 rpm/xrootd-scitokens.spec | 2 ++
 4 files changed, 54 insertions(+), 16 deletions(-)
 create mode 100644 configs/30-scitokens-auth.cfg
diff --git a/CMakeLists.txt b/CMakeLists.txt
index db4daf9..5e4a206 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -36,6 +36,7 @@ target_link_libraries(XrdAccSciTokens -ldl ${Boost_PYTHON_LIBRARY} ${PYTHON_LIBR
 set_target_properties(XrdAccSciTokens PROPERTIES OUTPUT_NAME XrdAccSciTokens-4 SUFFIX ".so" LINK_FLAGS "-Wl,--version-script=${CMAKE_SOURCE_DIR}/configs/export-lib-symbols")
 SET(LIB_INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/lib" CACHE PATH "Install path for libraries")
+SET(SYSCONF_INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/etc" CACHE PATH "Install path for config files")
 install( TARGETS _scitokens_xrootd
@@ -48,3 +49,11 @@ install(
 install( FILES ${CMAKE_SOURCE_DIR}/src/scitokens_xrootd.py DESTINATION ${LIB_INSTALL_DIR}/python${PYTHON_VERSION_MAJOR}.${PYTHON_VERSION_MINOR}/site-packages/ )
+
+install(
+ FILES ${CMAKE_SOURCE_DIR}/configs/30-scitokens-auth.cfg
+ DESTINATION ${SYSCONF_INSTALL_DIR}/xrootd/config.d)
+
+install(
+ FILES ${CMAKE_SOURCE_DIR}/configs/scitokens.cfg
+ DESTINATION ${SYSCONF_INSTALL_DIR}/xrootd)
diff --git a/configs/30-scitokens-auth.cfg b/configs/30-scitokens-auth.cfg
new file mode 100644
index 0000000..313cfcd
--- /dev/null
+++ b/configs/30-scitokens-auth.cfg
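Review bot: In the first CMakeLists.txt hunk, the `SYSCONF_INSTALL_DIR` default of `${CMAKE_INSTALL_PREFIX}/etc` resolves to `/usr/local/etc` (or `/usr/etc` with a `/usr` prefix) whenever the builder does not pass the variable, while the config file added in this commit documents `/etc/xrootd/scitokens.cfg` as the file that is read. An operator doing a plain `make install` could then maintain an issuer file that the server never consults. Consider `include(GNUInstallDirs)` and a default of `"${CMAKE_INSTALL_FULL_SYSCONFDIR}"`, which maps a `/usr` prefix to `/etc`, or add a comment such as `# RPM builds are expected to override this with the system sysconfdir` if that is the intent.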
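Review bot: In the second CMakeLists.txt hunk, `configs/scitokens.cfg` is installed with a plain `install(FILES ...)`, so every `make install` outside RPM overwrites the operator's issuer list with the shipped default; only the spec file's `%config(noreplace)` protects it. Because this file decides which token issuers are trusted, a silent overwrite changes the site's authorization policy without any prompt. Consider installing the template under a separate name such as `scitokens.cfg.example` (constructed name), or guarding the copy with an `install(CODE ...)` step that skips the file when it already exists under `$ENV{DESTDIR}` plus the destination. The paths also use `${CMAKE_SOURCE_DIR}`, which breaks if the project is added as a subdirectory; `${PROJECT_SOURCE_DIR}` is safer, though the existing install rules use the same variable.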
@@ -0,0 +1,26 @@
+#
+# Configure authorization based on SciTokens.
+#
+# **********************************************************************
+# * WARNING: DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN ON UPGRADE *
+# **********************************************************************
+#
+# To provide your own configuration file, set the ScitokensConfig variable
+# in a previous file such as `/etc/xrootd/config.d/10-local.cfg`.
+#
+# Otherwise, the default configuration file is `/etc/xrootd/scitokens.cfg`.
+#
+
+if defined ?ScitokensConfig
+
+ ofs.authlib libXrdAccSciTokens.so
+
+else
+
+ ofs.authlib libXrdAccSciTokens.so
+
+fi
+
+# Passes the Authorization header from the HTTP request to the authorization
+# library
+http.header2cgi Authorization authz
diff --git a/configs/scitokens.cfg b/configs/scitokens.cfg
index 213b025..d9d9b09 100644
--- a/configs/scitokens.cfg
+++ b/configs/scitokens.cfg
@@ -13,20 +13,21 @@
 #audience_json = [ "this,is,a,single,audience", "it can even have spaces" ]
 #audience_json = "single,audience,with,commas,and:"
-
-[Issuer OSG-Connect]
-
-issuer = https://scitokens.org/osg-connect
-base_path = /stash
-# For the OSG Connect xrootd host, the `sub` claim should
-# be identical to the local Unix username.
-map_subject = True
-
-[Issuer CMS]
-
-issuer = https://scitokens.org/cms
-base_path = /user/cms
-# For CMS, there is no relationship between local usernames
-# and the VO name.
-map_subject = False
+# Below are some sample issuers you might consider enabling
+
+# [Issuer OSG-Connect]
+#
+# issuer = https://scitokens.org/osg-connect
+# base_path = /stash
+# # For the OSG Connect xrootd host, the `sub` claim should
+# # be identical to the local Unix username.
+# map_subject = True
+
+# [Issuer CMS]
+
+# issuer = https://scitokens.org/cms
+# base_path = /user/cms
+# # For CMS, there is no relationship between local usernames
+# # and the VO name.
+# map_subject = False
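Review bot: In configs/30-scitokens-auth.cfg, both branches of the `if defined ?ScitokensConfig` block load `ofs.authlib libXrdAccSciTokens.so` with no arguments, so setting `ScitokensConfig` as the header comment instructs has no visible effect and the plugin keeps using its default file. A site that believes its own issuer file is in force would actually be authorizing against `/etc/xrootd/scitokens.cfg`. The first branch should pass the variable through, for example `ofs.authlib libXrdAccSciTokens.so config=$(ScitokensConfig)`; the parameter name and XRootD's variable-expansion syntax are not shown in this diff and need confirming. The `http.header2cgi Authorization authz` line would also benefit from a comment that the bearer token becomes part of the request CGI, so any log or redirect that records CGI should be checked for token exposure.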
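Review bot: The commented-out samples in configs/scitokens.cfg give no guidance on what uncommenting an issuer grants, which is the one decision an operator makes in this file. Suggest a comment above the samples such as `# Enabling an issuer trusts tokens signed by that issuer for paths under base_path; with map_subject = True the token's sub claim also selects the local username.`, with the first half checked against the plugin's actual behaviour. It would also help to state what the plugin does when no `[Issuer ...]` section is enabled, since this hunk makes that the default. As a style point, the `[Issuer CMS]` sample separates its header from its keys with empty lines where the OSG-Connect sample uses `#`, so the two blocks do not uncomment the same way.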
diff --git a/rpm/xrootd-scitokens.spec b/rpm/xrootd-scitokens.spec
index c1b04e5..6956ec8 100644
--- a/rpm/xrootd-scitokens.spec
+++ b/rpm/xrootd-scitokens.spec
@@ -50,6 +50,8 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libXrdAccSciTokens-4.so
 %{_libdir}/python2.7/site-packages/_scitokens_xrootd.so
 %{_libdir}/python2.7/site-packages/scitokens_xrootd.py*
+%config(noreplace) %{_sysconfdir}/xrootd/scitokens.cfg
+%config %{_sysconfdir}/xrootd/config.d/30-scitokens-auth.cfg
 %defattr(-,root,root,-)
From 02625d36f317ede76af52d3e892695c329ee171f Mon Sep 17 00:00:00 2001
From: Brian Bockelman
Date: Mon, 14 Jan 2019 21:29:53 -0600
Subject: [PATCH 2/2] Force python 2.7 to avoid python3 libraries being used with python2 interpreter.
---
 rpm/xrootd-scitokens.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rpm/xrootd-scitokens.spec b/rpm/xrootd-scitokens.spec
index 6956ec8..bd4a482 100644
--- a/rpm/xrootd-scitokens.spec
+++ b/rpm/xrootd-scitokens.spec
@@ -27,7 +27,7 @@ SciTokens authentication plugin for XRootD
 %build
 mkdir build
 cd build
-%cmake ..
+%cmake -DPython_ADDITIONAL_VERSIONS=2.7 ..
 make
 %install
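Review bot: In the `%build` change of patch 2/2, `-DPython_ADDITIONAL_VERSIONS=2.7` only adds 2.7 to the versions the CMake Python find modules try; it does not fail the configure step when the 2.7 development files are missing, so the interpreter/library mismatch named in the commit message can still occur on a build host that has only python3 libraries. Since the `%files` list hard-codes `python2.7` paths, an explicit requirement would fail earlier and more clearly, for example `find_package(PythonLibs 2.7 REQUIRED)` in CMakeLists.txt (the project's existing find calls are outside this diff, so adapt to what is there). A matching `BuildRequires` on the python2 development package, if not already present, would make the build environment deterministic. The `%build` section continues outside the hunk.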