
Add SciTokens authorization

Duncan Macleod requested to merge github/fork/duncan-brown/scitokens into master

Created by: duncan-brown

This pull request adds authorization using SciTokens to the SegDB WSGI server. The SciToken should be passed in the HTTPS Authorization header as

Authorization: Bearer serialized_token_text

where serialized_token_text is a serialized SciToken generated by the issuer specified in scitokens_issuer in Constants.py. The SegDB server and the SciToken issuer need to agree on the audience for tokens, which is specified in scitokens_audience in Constants.py.

GET access to obtain segments is given to SegDB if the token scope is read:/DQSegDB and PUT and PATCH access to insert and update segments is given if the token scope is write:/DQSegDB.

If the request does not contain a valid SciToken, or the token cannot be deserialized for the right audience, the server will silently fail over to trying X509 authentication. If a SciToken is provided with the correct audience, the server will fail if the token does not contain the correct scope for the requested action and will not fall through to X509 authentication.

Once this patch is merged, the SciTokens library must be installed on the server with yum -y install python2-scitokens. This has been added to the install scripts.

WSGI must be configured to pass the authorization headers to the Python layer with WSGIPassAuthorization On in wsgi.conf. See https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIPassAuthorization.html for details. I think I did this correctly in the cit_install_script.sh and install_script.sh files, but in cit_install_script_sl7update.sh the file wsgi.conf seems to be coming from some cached location, so that file may need to be fixed separately.

In addition, the following configuration values need to be set to their production settings before deployment:

scitokens_issuer = 'https://test.cilogon.org'
scitokens_audience = 'segments.ligo.org'

The scitokens_issuer should be the URL of the SciTokens issuer against which SciTokens should be validated. The scitokens_audience should be the audience that is agreed for the SegDB server(s).

This patch hard codes the SciToken scopes as read:/DQSegDB for GET access to the segment database and write:/DQSegDB for PUT/PATCH access to the segment database. These scopes need to be agreed collaboration-wide. It might also make sense to make them configuration variables, rather than being hard coded.

Scitokens caches keys in a cache directory which is set in the configuration file to

scitokens_cache_dir = '/var/cache/httpd'

This directory should exist and be readable and writable by the DQSegDB server process, or should be changed to another suitable location.

Closes #112

Edited by Duncan Macleod
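The decision logic the merge request describes (bearer header parsing, audience check, scope check per HTTP method, silent fall-through to X509 only when no token validates for this audience, hard failure when a valid token lacks the scope) as an added example. This is not dqsegdb code and not the scitokens library: the real server deserializes the token with scitokens against the issuer's public keys, whereas this stand-in verifies a constructed HS256 JWT with a shared key so it runs offline. The prefix semantics for matching `authz:path` scope entries, the `DEMO_KEY` secret and the `demo_token`/`decision` helpers are assumptions made for the example; the issuer, audience and scope strings are the ones stated above.

```python
"""Hypothetical bearer-token gate for the SegDB WSGI layer (added example, not dqsegdb code).

Outcomes, following the merge request text:
  * no token, or a token that does not validate for this audience/issuer -> None
    (caller falls back to X509 authentication)
  * token valid for this audience but without the scope the method needs ->
    PermissionError (no X509 fallback)
  * token valid with the right scope -> the claims (request authorized)
"""
import base64
import hashlib
import hmac
import json
import time

# Values from the merge request; the key is a constructed secret for this example only.
SCITOKENS_ISSUER = 'https://test.cilogon.org'
SCITOKENS_AUDIENCE = 'segments.ligo.org'
REQUIRED_SCOPE = {'GET': 'read:/DQSegDB', 'PUT': 'write:/DQSegDB', 'PATCH': 'write:/DQSegDB'}
DEMO_KEY = b'constructed-shared-secret-for-the-example-only'


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + '=' * (-len(text) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode('ascii')


def make_token(key, claims):
    """Mint a constructed HS256 JWT (stand-in for a token minted by the issuer)."""
    header = _b64url_encode(json.dumps({'alg': 'HS256', 'typ': 'JWT'}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, (header + '.' + payload).encode(), hashlib.sha256).digest()
    return header + '.' + payload + '.' + _b64url_encode(sig)


def deserialize(token, key, audience, issuer, now=None):
    """Return the claims if the token is valid for this audience and issuer, else None.
    The signature is checked before any claim is trusted, and exp is mandatory."""
    try:
        header_b64, payload_b64, sig_b64 = token.split('.')
        expected = hmac.new(key, (header_b64 + '.' + payload_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong number of segments, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get('alg') != 'HS256':
        return None
    if claims.get('iss') != issuer or claims.get('aud') != audience:
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get('exp'), (int, float)) or claims['exp'] < now:
        return None
    return claims


def scope_allows(scope_claim, required):
    """Match space-separated authz:path entries against the required authz:path.
    Assumed SciTokens-style prefix semantics: an entry grants the action when its
    authz matches and its path is a prefix, on a path boundary, of the required path."""
    req_authz, req_path = required.split(':', 1)
    for entry in scope_claim.split():
        if ':' not in entry:
            continue
        authz, path = entry.split(':', 1)
        path = path.rstrip('/') or '/'
        if authz == req_authz and (path == '/' or req_path == path or req_path.startswith(path + '/')):
            return True
    return False


def authorize(environ, key=DEMO_KEY, now=None):
    """Gate one WSGI request. Requires WSGIPassAuthorization On: without it
    HTTP_AUTHORIZATION never reaches environ and every request falls back to X509."""
    method = environ.get('REQUEST_METHOD', 'GET').upper()
    parts = environ.get('HTTP_AUTHORIZATION', '').split(None, 1)
    if len(parts) != 2 or parts[0].lower() != 'bearer':
        return None  # no bearer token presented: try X509
    claims = deserialize(parts[1].strip(), key, SCITOKENS_AUDIENCE, SCITOKENS_ISSUER, now)
    if claims is None:
        return None  # not a valid SciToken for this audience: try X509
    required = REQUIRED_SCOPE.get(method)
    if required is None or not scope_allows(claims.get('scope', ''), required):
        raise PermissionError('SciToken lacks scope %r for %s' % (required, method))
    return claims  # authorized by the SciToken; X509 is not consulted


def decision(environ, key=DEMO_KEY, now=None):
    """Collapse authorize() into one of 'x509', 'allow', 'deny' for callers and tests."""
    try:
        return 'allow' if authorize(environ, key, now) is not None else 'x509'
    except PermissionError:
        return 'deny'


def demo_token(scope, now=1700000000, aud=SCITOKENS_AUDIENCE, key=DEMO_KEY):
    """Constructed token with the given scope, valid for one hour from `now`."""
    return make_token(key, {'iss': SCITOKENS_ISSUER, 'aud': aud, 'exp': now + 3600,
                            'scope': scope, 'sub': 'constructed-user'})


if __name__ == '__main__':
    now = 1700000000
    env = {'REQUEST_METHOD': 'PUT', 'HTTP_AUTHORIZATION': 'Bearer ' + demo_token('read:/DQSegDB', now)}
    print(decision(env, now=now))  # a read-only token cannot PUT, and there is no X509 fallback
```

The ordering matters for the failure modes in the merge request: audience and signature are checked inside `deserialize`, so a token for another audience or with a bad signature is treated as "no token" and the caller may still try X509, while a scope failure is only reachable once the token has been accepted for this audience and is therefore final.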
