Pelican cache with auth #423

Merged
merged 22 commits into PelicanPlatform:main from pelican-cache-with-auth
Dec 4, 2023

Conversation

@turetske (Collaborator) commented Nov 29, 2023

Adds authentication to the pelican cache

-- Adds scitokens authentication to the pelican cache
-- Fixes some errors that were in the namespace registration
-- Does a refactor to move common code out of origin specific folders/functions to be used by both the cache and origin

For ease of understanding, the first 6 commits (up through b0606ce) are the actual cache with auth functionality and all the commits afterwards are the refactor.

@turetske turetske requested a review from bbockelm November 29, 2023 16:37
@turetske turetske added this to the v7.3.0 milestone Nov 29, 2023
@turetske turetske force-pushed the pelican-cache-with-auth branch from ad11dbc to 4052af8 November 29, 2023 19:24
    -- Created a Cache.XrootdPort which will overwrite XrootdPort if
        initServer is called by a cache
    -- Created a ServerType const for config that is used by initServer
        to do any server type specific actions
    -- Refactored the calls to initServer as needed
    -- Adjusted parameters.yaml
    -- Adjusted the default parameters to use a cache port
    -- Issuer is now the IssuerURL as opposed to the NamespaceURL
    -- The basepath is now the prefix rather than the hardcoded "/"
    -- Added scitokens tracing to the xrootd-origin.cfg
    -- Added auth checking to the xrootd-cache.cfg
    -- Added a WriteCacheSciTokensConfig file
    -- Adjusted the Authfile generation to handle empty nsAds
    -- Added testing of the new scitokens generation and authfile generation
    -- This is part of a refactor to allow much greater code reuse
    -- The code will use this struct and composition to reuse code for
        namespace registration, periodic advertisement, xrootd config
        generation, etc.
    -- Refactored common code into server_ui/advertise.go
    -- Individual cache/origin ad creation is now in cache_ui/advertise.go and origin_ui/advertise.go respectively
    -- moved common code out of origin_ui into server_ui
    -- Adjusted cache_serve and origin_serve
    -- Origin/Cache xrootd environment configuration are now in their own functions
    -- Common code moved from origin_ui to server_ui/xrootd_servers.go
    -- Some cleanup of cmd/cache_serve.go
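The commit list above moves the scitokens issuer from the namespace URL to the issuer URL and the base path from a hardcoded "/" to the namespace prefix. The following is an added illustration of why that matters, written for this page and not taken from Pelican's WriteCacheSciTokensConfig: it renders an XRootD-scitokens style config where each issuer's tokens are confined to its own prefix, and it refuses inputs (relative prefix, non-https issuer, duplicate section) that would silently widen or break that confinement. The IssuerAd type and the function name are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// IssuerAd is a hypothetical stand-in for the issuer information a cache
// gets with a namespace advertisement. It is not a Pelican type.
type IssuerAd struct {
	Name      string // config section name, e.g. "OSPool"
	IssuerURL string // value the token's "iss" claim must match
	Prefix    string // namespace prefix this issuer's tokens are confined to
}

// WriteScitokensConfig renders a scitokens config for XRootD.
// The security-relevant line is base_path: it is the namespace prefix, not
// "/", so a token minted by one issuer cannot authorize paths that belong
// to another namespace served by the same cache.
func WriteScitokensConfig(audience string, ads []IssuerAd) (string, error) {
	if audience == "" {
		return "", fmt.Errorf("audience must be set so tokens for other servers are rejected")
	}
	seen := map[string]bool{}
	var sb strings.Builder
	fmt.Fprintf(&sb, "[Global]\naudience = %s\n", audience)
	for _, ad := range ads {
		switch {
		case ad.Name == "" || seen[ad.Name]:
			return "", fmt.Errorf("issuer section %q is empty or duplicated", ad.Name)
		case !strings.HasPrefix(ad.IssuerURL, "https://"):
			return "", fmt.Errorf("issuer %q: issuer URL must be https, got %q", ad.Name, ad.IssuerURL)
		case !strings.HasPrefix(ad.Prefix, "/"):
			return "", fmt.Errorf("issuer %q: base_path must be absolute, got %q", ad.Name, ad.Prefix)
		}
		seen[ad.Name] = true
		// Each issuer gets its own section; base_path is the prefix, never "/".
		fmt.Fprintf(&sb, "\n[Issuer %s]\nissuer = %s\nbase_path = %s\n", ad.Name, ad.IssuerURL, ad.Prefix)
	}
	return sb.String(), nil
}

func main() {
	// Constructed sample input for the example.
	cfg, err := WriteScitokensConfig("https://cache.example.org", []IssuerAd{
		{Name: "OSPool", IssuerURL: "https://issuer.example.org", Prefix: "/ospool"},
		{Name: "Lab", IssuerURL: "https://lab.example.org", Prefix: "/lab/data"},
	})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(cfg)
}
```

Rendering the config from the advertisement rather than by hand is what keeps base_path and the prefix from drifting apart; the validation is there because a relative prefix or an http issuer would otherwise be written out without complaint.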
@turetske turetske force-pushed the pelican-cache-with-auth branch from 4052af8 to 760d8d4 November 29, 2023 22:52
@turetske turetske requested review from jhiemstrawisc and removed request for bbockelm November 30, 2023 15:28
@bbockelm (Collaborator) left a comment


A few requested changes; see inline comments.

The only substantial request is switching from a struct with a function pointer to an interface.

Inline comments on: cache_ui/advertise.go (outdated), xrootd/resources/xrootd-cache.cfg, server_utils/server_struct.go (outdated), config/config.go (outdated)
foundPublicLine = true
} else {
output.Write([]byte(lineContents + "\n"))
if nsAds == nil {
This could probably use some explaining. It looks like the input auth file is ignored if nsAds isn't null. Why?

To support some legacy use cases, we'll need to merge in an authfile for the cache.

This tidies up the definitions to use a golang interface instead
of a struct with a pointer.  Also switches the type struct to
a bitmask to allow multi-type servers in the future.
VOMS-based authentication may be needed by some specific caches.  Add
it back to the cache config, defaulting to false.  Add its existence
to the documentation.
The director mode did not duplicate the logic for CLI-based cache overrides.
Instead of copy/pasting, this refactors the cache selection logic to a single
location, fixing the underlying bug.
There was a missing "return" after a failure to invoke `HEAD`; without this,
a null pointer panic ensued.
If a port is not specified (e.g., https://foo.com), then XRootD 5.6.3
will segfault when parsing the pss.origin.

This adds the default port if not present (e.g., https://foo.com:443).
The multi-space setup appears to not work if the different directories are on the
same device (it appears that XRootD is doing some device discovery here?).  Disable
it for now, leaving a note for later.
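The commit message above reports that XRootD 5.6.3 segfaults on a pss.origin URL with no port, and that the fix is to append the scheme's default port (https://foo.com becomes https://foo.com:443). As an added example written for this page, not Pelican's own code, the function below does that normalization with the standard library and also covers the cases a commit message would not mention: IPv6 literals (which must stay bracketed), URLs that already carry a port, URLs with no host, and schemes with no known default. The function name and the default-port table are assumptions made for the example; 443/80 are the standard HTTPS/HTTP ports and 1094 is XRootD's default port.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// defaultPorts gives the port to append when the origin URL omits one.
// Unknown schemes are rejected rather than guessed.
var defaultPorts = map[string]string{
	"https": "443",
	"http":  "80",
	"root":  "1094",
	"roots": "1094",
}

// EnsureOriginPort returns originURL with an explicit port when its host has
// none, so the value written to pss.origin always has the host:port shape.
// URLs that already carry a port are returned unchanged. Unparseable URLs,
// URLs without a host, and schemes without a known default return an error,
// so the caller can refuse to generate a config XRootD would crash on.
func EnsureOriginPort(originURL string) (string, error) {
	u, err := url.Parse(originURL)
	if err != nil {
		return "", fmt.Errorf("invalid origin URL %q: %w", originURL, err)
	}
	if u.Host == "" {
		// "foo.com" with no scheme parses as a path, not a host.
		return "", fmt.Errorf("origin URL %q has no host (missing scheme?)", originURL)
	}
	if u.Port() != "" {
		return originURL, nil
	}
	port, ok := defaultPorts[strings.ToLower(u.Scheme)]
	if !ok {
		return "", fmt.Errorf("no default port known for scheme %q", u.Scheme)
	}
	// net.JoinHostPort re-brackets IPv6 literals, so "https://[::1]"
	// becomes "https://[::1]:443" and not the ambiguous "https://::1:443".
	u.Host = net.JoinHostPort(u.Hostname(), port)
	return u.String(), nil
}

func main() {
	// Constructed sample inputs for the example.
	for _, in := range []string{
		"https://foo.com",
		"https://foo.com:8443/path",
		"https://[::1]",
		"foo.com",
		"gopher://foo.com",
	} {
		out, err := EnsureOriginPort(in)
		if err != nil {
			fmt.Printf("%-28s -> error: %v\n", in, err)
			continue
		}
		fmt.Printf("%-28s -> %s\n", in, out)
	}
}
```

Normalizing before writing the config, rather than in the XRootD process, keeps a malformed admin value from turning into a crash of the cache at startup.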
@bbockelm (Collaborator) left a comment


Pre-approving.

Before merging, however, please cleanup the EmitAuthfile function so we keep the input authfile from the admin, even for a cache.
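The review thread asks for two behaviours from the authfile generator: the admin's input authfile must be kept even for a cache, and an empty set of namespace ads must not break generation. As an added example written for this page, not Pelican's EmitAuthfile, the function below merges an admin-supplied XRootD authfile with namespace-derived public-read entries under those rules: every admin line survives verbatim, public namespaces are appended to the admin's own "u *" (any-user) line when one exists or to a new one otherwise, and with no ads the admin file is returned unchanged. The NamespaceAd type, the function name, and the sample authfile are assumptions made for the example; the "u * /path lr" line shape is XRootD's authfile syntax.

```go
package main

import (
	"fmt"
	"strings"
)

// NamespaceAd is a hypothetical stand-in for a namespace advertisement as a
// cache sees it: the exported prefix and whether anonymous reads are allowed.
// It is not a Pelican type.
type NamespaceAd struct {
	Path       string
	PublicRead bool
}

// MergeAuthfile combines the admin-supplied authfile with the namespaces the
// cache serves. Admin lines are never dropped; only the "u *" line may be
// extended with "<path> lr" pairs for public namespaces. Non-public
// namespaces are left to token-based authorization and produce no line.
func MergeAuthfile(adminAuthfile string, nsAds []NamespaceAd) string {
	var publicEntries []string
	for _, ad := range nsAds {
		if ad.PublicRead {
			publicEntries = append(publicEntries, ad.Path+" lr")
		}
	}

	var out strings.Builder
	foundPublicLine := false
	body := strings.TrimRight(adminAuthfile, "\n")
	if body != "" {
		for _, line := range strings.Split(body, "\n") {
			fields := strings.Fields(line)
			isAnyUser := len(fields) >= 2 && fields[0] == "u" && fields[1] == "*"
			if isAnyUser && !foundPublicLine {
				foundPublicLine = true
				if len(publicEntries) > 0 {
					// Extend the admin's public line instead of shadowing it
					// with a second "u *" entry further down.
					out.WriteString(strings.TrimRight(line, " \t") + " " + strings.Join(publicEntries, " ") + "\n")
					continue
				}
			}
			out.WriteString(line + "\n")
		}
	}
	if !foundPublicLine && len(publicEntries) > 0 {
		out.WriteString("u * " + strings.Join(publicEntries, " ") + "\n")
	}
	return out.String()
}

func main() {
	// Constructed admin authfile for the example: a per-user rule plus a
	// legacy public export the admin wants to keep.
	admin := "# admin rules\nu alice /private lr\nu * /legacy lr\n"
	ads := []NamespaceAd{
		{Path: "/ospool", PublicRead: true},
		{Path: "/restricted", PublicRead: false},
	}
	fmt.Print("--- with ads ---\n", MergeAuthfile(admin, ads))
	fmt.Print("--- no ads ---\n", MergeAuthfile(admin, nil))
}
```

The nil-ads case returning the admin file byte-for-byte is the property the review asked for; with the earlier behaviour (admin file ignored whenever ads were present) a hand-written cache rule would have vanished the moment a single namespace was advertised.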

@turetske turetske merged commit 92cb63b into PelicanPlatform:main Dec 4, 2023
6 checks passed
@turetske turetske deleted the pelican-cache-with-auth branch February 5, 2025 22:34
Successfully merging this pull request may close these issues.

Pelican cache serve w/ authentication
Programmatically Generate Cache Config w/ auth
2 participants