
Auth: Remove support for wildcard audiences #6524 #6525

Conversation

dchristidis
Contributor

This affects third-party-copy transfers and deletions. The following configuration options are removed:

[conveyor]
request_oidc_audience = ...

[reaper]
oidc_audience = ...

They were part of the original token implementation and were kept as a contingency option for the Data Challenge 2024. However, they should not be used due to security concerns.

Wildcard audiences can make tokens less secure than X.509 certificates. For one thing, an unintentional token leak is more likely to happen (e.g. debugging logs). For another, the token is fully transferred to the storages; a compromised site could be used as a vector to affect data at other sites.

Moving forward, Rucio communities which use tokens must coordinate with their sites to ensure that the storages properly identify themselves as the intended recipient of a token (using the domains of the RSE protocols in the audience claim).
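As an added illustration (not Rucio's own code) of the audience check the description asks sites to enforce, the sketch below accepts a token at a storage only when that storage's RSE protocol hostname is named in the token's `aud` claim, and shows why a wildcard audience lets a token leaked at one site be honoured at another. Hostnames, URLs and token payloads are constructed placeholders, and the set of wildcard values is an assumption.

```python
"""Audience-bound token acceptance at a storage endpoint (added example, not Rucio code).

A storage should act on a token only when its own hostname (the domain of its RSE
protocol URL) appears in the token's "aud" claim.  Hostnames below are constructed.
"""
from urllib.parse import urlparse

# Generic audience values that name no particular recipient (assumed for illustration).
WILDCARD_AUDIENCES = frozenset({"*", "any", "ANY"})


def storage_audience(rse_protocol_url: str) -> str:
    """Audience a storage expects: the hostname of its RSE protocol URL."""
    host = urlparse(rse_protocol_url).hostname
    if not host:
        raise ValueError(f"no hostname in RSE protocol URL: {rse_protocol_url!r}")
    return host.lower()


def audiences_of(payload: dict) -> set:
    """RFC 7519 allows "aud" to be a single string or a list of strings."""
    aud = payload.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)


def storage_accepts(payload: dict, rse_protocol_url: str, allow_wildcard: bool = False) -> bool:
    """True if the storage behind rse_protocol_url should act on this token.

    allow_wildcard=True models the removed contingency behaviour; the default
    models the hardened behaviour where only an explicitly named storage accepts.
    """
    audiences = audiences_of(payload)
    if audiences & WILDCARD_AUDIENCES:
        return allow_wildcard
    return storage_audience(rse_protocol_url) in audiences


def replayable_elsewhere(payload: dict, leaked_at: str, other_site: str,
                         allow_wildcard: bool = False) -> bool:
    """Would a token honoured by one storage also be honoured by a different site?"""
    return (storage_accepts(payload, leaked_at, allow_wildcard)
            and storage_accepts(payload, other_site, allow_wildcard))


if __name__ == "__main__":
    site_a = "davs://storage-a.example.org:443/data"   # constructed RSE protocol URLs
    site_b = "davs://storage-b.example.org:443/data"
    print(replayable_elsewhere({"aud": "*"}, site_a, site_b, allow_wildcard=True))  # True
    print(replayable_elsewhere({"aud": "storage-a.example.org"}, site_a, site_b))   # False
```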

@dchristidis dchristidis linked an issue Mar 5, 2024 that may be closed by this pull request
@dchristidis dchristidis force-pushed the feature-6524-Auth__Remove_support_for_wildcard_audiences branch from 7f0fa8f to a2f5838 Compare March 5, 2024 07:39
@dchristidis dchristidis marked this pull request as ready for review March 7, 2024 14:11
@bari12 bari12 merged commit faed8e2 into rucio:master Mar 8, 2024
28 checks passed
@dchristidis dchristidis deleted the feature-6524-Auth__Remove_support_for_wildcard_audiences branch March 8, 2024 13:34
Successfully merging this pull request may close these issues.

Remove conveyor.request_oidc_audience and reaper.oidc_audience