Remove conveyor.request_oidc_audience and reaper.oidc_audience #6524
Comments
dchristidis changed the title from "Remove conveyor.oidc_audience and reaper.oidc_audience" to "Remove conveyor.request_oidc_audience and reaper.oidc_audience" (Mar 5, 2024)
dchristidis added a commit to dchristidis/rucio that referenced this issue (Mar 5, 2024):

This affects third-party-copy transfers and deletions. The following configuration options are removed:

    [conveyor]
    request_oidc_audience = ...

    [reaper]
    oidc_audience = ...

They were part of the original token implementation and were kept as a contingency option for the Data Challenge 2024. However, they should not be used due to security concerns.

Wildcard audiences can make tokens less secure than X.509 certificates. For one thing, an unintentional token leak is more likely to happen (e.g. debugging logs). For another, the token is fully transferred to the storages; a compromised site could be used as a vector to affect data at other sites.

Moving forward, Rucio communities which use tokens must coordinate with their sites to ensure that the storages properly identify themselves as the intended recipient of a token (using the domains of the RSE protocols in the audience claim).
dchristidis added a commit to dchristidis/rucio that referenced this issue (Mar 5, 2024).
bari12 pushed a commit that referenced this issue (Mar 8, 2024).
voetberg pushed a commit to voetberg/rucio that referenced this issue (Mar 21, 2024).
voetberg pushed a commit to voetberg/rucio that referenced this issue (Apr 15, 2024).
Description
Remove the option to use a wildcard audience for third-party-copy transfers and deletions. Moving forward, Rucio communities which use tokens must coordinate with their sites to ensure that the storages properly identify themselves as the intended recipient of a token (using the domains of the RSE protocols in the audience claim).
Motivation
Wildcard audiences can make tokens less secure than X.509 certificates. For one thing, an unintentional token leak is more likely to happen (e.g. debugging logs). For another, the token is fully transferred to the storages; a compromised site could be used as a vector to affect data at other sites.
Change
No response
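The audience check the issue asks sites to implement, as an added example that is not Rucio's code nor any storage's code. It models the failure mode in the Motivation: the token for a transfer is handed to a storage in full, so a compromised storage can replay it elsewhere, and only a per-storage audience claim stops that. Assumptions not on the page: tokens are HS256 JWTs signed with a constructed shared key (a real issuer would use an asymmetric key); the audience a storage checks is the bare hostname from its RSE protocol URL (the page says "the domains of the RSE protocols" and leaves the exact format open); `WILDCARD_AUDIENCE`, the issuer URL and all hostnames are constructed placeholders; `allow_wildcard=True` stands in for the contingency behaviour the removed options enabled; `replay_accepted` is a hypothetical helper that plays a compromised site trying a token against a third storage.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse

# Constructed signing key shared by the example issuer and the storages.
# HS256 keeps the example dependency-free; a real OIDC issuer signs with an
# asymmetric key that storages fetch from its JWKS endpoint.
ISSUER_KEY = b"constructed-example-key-do-not-use"
# Constructed placeholder for a token profile's catch-all ("any") audience.
WILDCARD_AUDIENCE = "https://example.invalid/jwt/any"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def audience_for_rse_protocol(protocol_url: str) -> str:
    """Audience value a storage should look for, derived from its RSE protocol
    URL. Assumption: the bare hostname; issuer and storage only need to agree."""
    host = urlparse(protocol_url).hostname
    if not host:
        raise ValueError(f"no host in RSE protocol URL: {protocol_url!r}")
    return host.lower()


def issue_token(audience: str | list[str], scope: str, ttl: int = 300,
                now: int | None = None) -> str:
    """Mint a compact HS256 JWT carrying the given aud and scope claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://issuer.example", "aud": audience, "scope": scope,
              "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, my_audience: str, allow_wildcard: bool = False,
                 now: int | None = None) -> dict:
    """Storage-side check: intact, unexpired, and this storage is named in aud."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, claims_b64, sig_b64 = parts
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(ISSUER_KEY, f"{head_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):          # a missing exp fails closed
        raise ValueError("token expired")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if not audiences:
        raise ValueError("token has no aud claim")
    if WILDCARD_AUDIENCE in audiences:
        if allow_wildcard:                    # the removed contingency behaviour
            return claims
        raise ValueError("wildcard audience rejected")
    if my_audience.lower() not in (a.lower() for a in audiences):
        raise ValueError(f"token not intended for {my_audience}")
    return claims


def replay_accepted(token: str, storage_host: str, allow_wildcard: bool,
                    now: int) -> bool:
    """Hypothetical helper: would a storage at storage_host honour this token?
    Models a compromised site replaying a token it received against a third site."""
    try:
        verify_token(token, storage_host, allow_wildcard=allow_wildcard, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = int(time.time())
    src = audience_for_rse_protocol("davs://storage-a.site-a.example:443/data")
    for label, tok in (("scoped", issue_token(src, "storage.read:/data", now=now)),
                       ("wildcard", issue_token(WILDCARD_AUDIENCE, "storage.read:/data", now=now))):
        print(label, "accepted at storage-c (wildcard allowed / rejected):",
              replay_accepted(tok, "storage-c.site-c.example", True, now),
              replay_accepted(tok, "storage-c.site-c.example", False, now))
```

With a wildcard audience the token from storage-a is honoured by storage-c as long as storage-c still tolerates wildcards, which is exactly the cross-site exposure the issue describes; a token whose aud names storage-a is refused there regardless of that setting. The check lowercases hostnames and accepts both the string and array forms of aud, since both are valid JWT encodings.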