Skip to content

Enable support for multiple issuers per namespace #2103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
turetske merged 16 commits into from
Mar 19, 2025
Merged

Enable support for multiple issuers per namespace #2103

turetske merged 16 commits into from
Mar 19, 2025

Conversation

@jhiemstrawisc
Copy link
Member

@jhiemstrawisc jhiemstrawisc commented Mar 14, 2025

This lets origin administrators do the following in their config file:

Origin:
  Exports:
    - StoragePrefix: /foo
      FederationPrefix: /foo
      IssuerUrls: ["https://issuer1.com", "https://issuer2.com"]
    - StoragePrefix: /bar
      FederationPrefix: /bar
      IssuerUrls: ["https://issuer1.com", "https://issuer3.com"]
    - StoragePrefix: /baz
      FederationPrefix: /baz
     # no list provided falls back to value from `config.GetServerIssuerURL()`

I accomplished this by treating issuers as part of each OriginExport object, which changes a few of our assumptions about setting things up (see commit RE pre-allocating ports for XRootD). Luckily, we were forward thinking enough to design server/origin/namespace ads such that they already take a list of issuers, meaning there are no backwards compatibility issues to be concerned about there.

Otherwise, I'm punting slightly on re-defining some of the other issuer types (Origin server issuer as opposed to xrootd data issuers). Once we're sure this is working as intended, it'll let us stop registering services in Topology, which we're still doing to handle this multi-issuer case.

@jhiemstrawisc
Fix annoying warning about test using nonexistent config param
d126dbf
@jhiemstrawisc
Prefer helper function for getting server issuer URL
12dd946
@jhiemstrawisc
Fix bug in setting default config param
b37caf2
@jhiemstrawisc
Plumb 'Origin.AudienceUrl' into params
e3ffb59
@jhiemstrawisc
Add new config mechanism for multiple issuers per namespace
6a52046 
This introduces the new Origin.Exports.IssuerUrls param for populating
the exports with a list of issuer URLs, but the commit does not yet plumb
the rest of this into other relevant places (scitokens config, origin ads, etc).

For now, if no issuer URLs are provided, the server will still create a list
for the export using the result of `config.GetServerIssuerURL()` as a fallback.
This makes the code backwards compatible.
@jhiemstrawisc
Plumb new multi-issuer logic into Scitokens config and Director ads
f76261b 
This handles creation of the correct scitokens config for the Origin,
and sends the relevant information to the Director. That I can tell,
both from unit tests and a few hand-crafted checks, the information that
arrives in the Director is sufficient for caches to turn around and
construct their own correct scitokens config for multi-issuer Origins.
@jhiemstrawisc
Remove test that doesn't appear to be needed anymore
c9c3bd8 
Not sure what the original need for this test was, but it doesn't look
like it actually does anything we don't do already with every fed test
(other than using the test file transfer implementation, which has its
own unit tests). Rather than update the test to work with the new multi-
issuer setup, let's just excise the cruft.
@jhiemstrawisc
Pre-allocate available ports for xrootd tests
70193c7 
Because issuer configuration now happens on instantiation of the Origin
exports, we really do need to know the ports ahead of time. Unfortunately
this breaks some of our testing infrastructure, which relied on a feature
in XRootD that turned a port of '0' into a random, available port handed
over by the OS.

However, setting '0' as the port causes many of the default issuers to use
this port, both for the issuer proper and the server's audience URL in
scitokens config. Manually correcting ports in this file would be complicated
and would require waiting for XRootD to sit around long enough that it decides
to re-load the file.

Instead, this pre-allocates the ports by asking the OS for a few that are
available. There's a small race condition in testing environments where
the ports we get back from the OS might become bound before our Pelican
servers start. Hopefully this doesn't make testing super flaky, but I'm
assuming the odds of that happening are currently relatively minimal.
@jhiemstrawisc jhiemstrawisc added enhancement New feature or request origin Issue relating to the origin component director Issue relating to the director component security labels Mar 14, 2025
@jhiemstrawisc jhiemstrawisc added this to the v7.15 milestone Mar 14, 2025
@jhiemstrawisc jhiemstrawisc linked an issue Mar 14, 2025 that may be closed by this pull request
Multi Issuer Exports #2040
Closed
brianaydemir
brianaydemir reviewed Mar 14, 2025
View reviewed changes
@brianaydemir brianaydemir self-assigned this Mar 14, 2025
@bbockelm bbockelm added the critical High priority for next release label Mar 17, 2025
turetske
turetske requested changes Mar 18, 2025
View reviewed changes
Copy link
Collaborator

@turetske turetske left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I foresee a lot of merge conflicts between this and my PR involving scopes because we both touched a lot of the same code, but that's a problem for future me to rebase and deal with after this has been merged in.

I have a few questions and comments, otherwise, before I approve.

@brianaydemir brianaydemir self-requested a review March 18, 2025 16:50
brianaydemir
brianaydemir reviewed Mar 18, 2025
View reviewed changes
Copy link
Contributor

@brianaydemir brianaydemir left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've confirmed that the changes here are independent of the origin's built-in OA4MP issuer.

@jhiemstrawisc I did observe one oddity during testing, though.

Suppose we set Origin.Exports[].IssuerUrls to two URLs. We then attempt a pelican object put to that export when the client has no previously saved token. The client will attempt to send the user to two URLs: the first element of Origin.Exports[].IssuerUrls, followed by Server.IssuerUrl.

I find it odd that that the second element of Origin.Exports[].IssuerUrls is ignored.

Alternatively, I find it odd that any elements of Origin.Exports[].IssuerUrls are considered by the client given that the so-called "token generation" URL in the director UI is actually Server.IssuerUrl.

@brianaydemir brianaydemir removed their assignment Mar 18, 2025
@jhiemstrawisc jhiemstrawisc requested a review from turetske March 18, 2025 20:15
@jhiemstrawisc jhiemstrawisc mentioned this pull request Mar 19, 2025
Open
turetske
turetske approved these changes Mar 19, 2025
View reviewed changes
Copy link
Collaborator

@turetske turetske left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@turetske turetske merged commit 385793c into PelicanPlatform:main Mar 19, 2025
25 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brianaydemir brianaydemir brianaydemir left review comments

@turetske turetske turetske approved these changes

Assignees

@turetske turetske

Labels

critical High priority for next release director Issue relating to the director component enhancement New feature or request origin Issue relating to the origin component security

Projects

None yet

Milestone

v7.15

Development

Successfully merging this pull request may close these issues.

Multi Issuer Exports

4 participants

@jhiemstrawisc @turetske @brianaydemir @bbockelm