
Remove conveyor.request_oidc_audience and reaper.oidc_audience #6524

Closed
dchristidis opened this issue Mar 5, 2024 · 0 comments · Fixed by #6525

Comments

@dchristidis (Contributor)

Description

Remove the option to use a wildcard audience for third-party-copy transfers and deletions. Moving forward, Rucio communities which use tokens must coordinate with their sites to ensure that the storages properly identify themselves as the intended recipient of a token (using the domains of the RSE protocols in the audience claim).

Motivation

Wildcard audiences can make tokens less secure than X.509 certificates. For one thing, an unintentional token leak is more likely to happen (e.g. debugging logs). For another, the token is fully transferred to the storages; a compromised site could be used as a vector to affect data at other sites.

Change

No response
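The description asks storages to confirm that they are the intended recipient of a token, using the domain of the RSE protocol as the audience, and to stop accepting a wildcard audience. The following is an added illustration of that storage-side check, written for this page and not taken from Rucio: it derives the expected audience from an RSE protocol entry (assumed to be a dict with a `hostname` key, modelled on Rucio's protocol attributes), builds unsigned, constructed demo tokens so it runs offline, and refuses a token whose `aud` claim is missing, names another storage, or carries a wildcard value (the `WILDCARD_AUDIENCE` string is a placeholder, not a value from the page). Signature verification against the issuer's keys is assumed to happen before this step.

```python
import base64
import json

# Placeholder for a wildcard audience value of the kind the removed options
# allowed tokens to carry; the real value depends on the token profile.
WILDCARD_AUDIENCE = "https://example.invalid/jwt/any"


def audience_for_protocol(protocol: dict) -> str:
    """Expected audience for one RSE protocol entry: its domain.

    Assumption (hypothetical shape): the entry is a dict with a 'hostname'
    key, modelled on Rucio's RSE protocol attributes.
    """
    return protocol["hostname"].lower()


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict) -> str:
    """Build an UNSIGNED, constructed token so the example runs offline.

    Only the payload matters for the audience check demonstrated here.
    """
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def payload_claims(token: str) -> dict:
    """Extract the claims of a token without verifying its signature.

    A storage must verify the signature against the issuer's keys before
    trusting any claim; this helper exists only to reach the 'aud' value.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def check_audience(token: str, my_audience: str) -> tuple:
    """Storage-side rule: 'aud' (a string or a list, per RFC 7519) must name
    this storage's domain, and a wildcard audience is refused even when the
    storage's own domain is listed beside it.  Returns (accepted, reason).
    Comparison is exact, as the RFC specifies; only the derived audience
    is lower-cased.
    """
    aud = payload_claims(token).get("aud")
    if aud is None:
        return False, "aud claim missing"
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if WILDCARD_AUDIENCE in audiences:
        return False, "wildcard audience refused"
    if my_audience not in audiences:
        return False, "token not intended for this storage"
    return True, "ok"


if __name__ == "__main__":
    # Constructed RSE protocol entry and three constructed tokens.
    rse_protocol = {"scheme": "davs", "hostname": "storage.site-a.example", "port": 443}
    me = audience_for_protocol(rse_protocol)
    samples = {
        "for us": make_demo_token({"aud": me}),
        "for another site": make_demo_token({"aud": ["storage.site-b.example"]}),
        "wildcard plus us": make_demo_token({"aud": [WILDCARD_AUDIENCE, me]}),
        "no audience": make_demo_token({"scope": "storage.read:/"}),
    }
    for label, tok in samples.items():
        print(f"{label:18s} -> {check_audience(tok, me)}")
```

Refusing the wildcard even when the storage's own domain is also present is deliberate: a token that is valid everywhere is exactly what lets a leak at one site, or a compromised site, act against data elsewhere, which is the risk the motivation section describes.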

@dchristidis dchristidis self-assigned this Mar 5, 2024
@dchristidis dchristidis changed the title Remove conveyor.oidc_audience and reaper.oidc_audience Remove conveyor.request_oidc_audience and reaper.oidc_audience Mar 5, 2024
dchristidis added a commit to dchristidis/rucio that referenced this issue Mar 5, 2024
This affects third-party-copy transfers and deletions.  The following
configuration options are removed:

    [conveyor]
    request_oidc_audience = ...

    [reaper]
    oidc_audience = ...

They were part of the original token implementation and were kept as a
contingency option for the Data Challenge 2024.  However, they should
not be used due to security concerns.

Wildcard audiences can make tokens less secure than X.509 certificates.
For one thing, an unintentional token leak is more likely to happen
(e.g. debugging logs).  For another, the token is fully transferred to
the storages; a compromised site could be used as a vector to affect
data at other sites.

Moving forward, Rucio communities which use tokens must coordinate with
their sites to ensure that the storages properly identify themselves as
the intended recipient of a token (using the domains of the RSE
protocols in the audience claim).
@dchristidis dchristidis linked a pull request Mar 5, 2024 that will close this issue
dchristidis added a commit to dchristidis/rucio that referenced this issue Mar 5, 2024
bari12 pushed a commit that referenced this issue Mar 8, 2024
voetberg pushed a commit to voetberg/rucio that referenced this issue Mar 21, 2024
voetberg pushed a commit to voetberg/rucio that referenced this issue Apr 15, 2024
2 participants