7 changes: 6 additions & 1 deletion cache/advertise.go
@@ -210,7 +210,12 @@ func (server *CacheServer) GetAdTokCfg(ctx context.Context) (adTokCfg server_str
}
adTokCfg.Audience = directorUrl
adTokCfg.Subject = param.Cache_Url.GetString()
adTokCfg.Issuer = param.Server_IssuerUrl.GetString()
issuer, err := config.GetServerIssuerURL()
if err != nil {
err = errors.Wrap(err, "unable to determine server's issuer URL, needed for server advertising token")
return
}
adTokCfg.Issuer = issuer

return
}
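Review bot: On the new error path the bare `return` hands back the named result `adTokCfg` with `Audience` and `Subject` already assigned and `Issuer` empty, so a caller that overlooks `err` receives a token config that looks mostly valid. Moving the `config.GetServerIssuerURL()` call above the two assignments, or adding `// On error the returned adTokCfg is partially populated and must not be used.` to the function's doc comment, would make that contract explicit. GetAdTokCfg starts outside the hunk, so earlier error paths may already behave the same way.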
6 changes: 4 additions & 2 deletions cmd/origin_token.go
@@ -28,7 +28,6 @@ import (
"github.com/spf13/cobra"

"github.com/pelicanplatform/pelican/config"
"github.com/pelicanplatform/pelican/param"
"github.com/pelicanplatform/pelican/server_structs"
"github.com/pelicanplatform/pelican/token"
)
@@ -133,7 +132,10 @@ func cliTokenCreate(cmd *cobra.Command, args []string) error {

// If a custom issuer is provided, we need to add it to the claims. If there is none, we'll end up falling back to
// the issuer generated by config.go/GetServerIssuerURL()
issuer := param.Server_IssuerUrl.GetString()
issuer, err := config.GetServerIssuerURL()
if err != nil {
return errors.Wrap(err, "unable to determine which issuer to use in token")
}
if issuer != "" {
args = append(args, "iss="+issuer)
}
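Review bot: The comment kept above the new call still says an unset issuer will "end up falling back to the issuer generated by config.go/GetServerIssuerURL()", but the call now happens right here and already applies the fallbacks, so the comment no longer describes the code. Something like `// Resolve the issuer via config.GetServerIssuerURL() (Server.IssuerUrl, then IssuerHostname/IssuerPort, then ExternalWebUrl) and add it as the iss claim when non-empty.` would match the new behaviour. It is also worth stating there that the `iss` claim can now come from `Server.ExternalWebUrl`, where previously it was omitted unless `Server.IssuerUrl` was set. cliTokenCreate begins and ends outside the hunk, so whether `err` is already declared in that scope cannot be confirmed from here.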
63 changes: 40 additions & 23 deletions config/config.go
@@ -560,39 +560,56 @@ func setupTransport() {
}
}

// Return an audience string appropriate for the current server
func GetServerAudience() string {
return viper.GetString("Origin.AudienceURL")
}
// GetServerIssuerURL tries to determine the correct issuer URL for the server in order of precedence:
// - Server.IssuerUrl
// - Server.IssuerHostname and Server.IssuerPort
// - Server.ExternalWebUrl
// In general, functions should avoid using `param.Server_IssuerUrl.GetString()` directly and use this function instead.
func GetServerIssuerURL() (issuerUrl string, err error) {
// Even though we prefer using this function, we'll populate the config param
// based on whatever we determine here.
defer func() {
if err == nil && param.Server_IssuerUrl.GetString() == "" {
viper.Set(param.Server_IssuerUrl.GetName(), issuerUrl)
}
}()

func GetServerIssuerURL() (string, error) {
if issuerUrl := param.Server_IssuerUrl.GetString(); issuerUrl != "" {
_, err := url.Parse(param.Server_IssuerUrl.GetString())
if err != nil {
return "", errors.Wrapf(err, "Failed to parse the Server.IssuerUrl %s loaded from config", param.Server_IssuerUrl.GetString())
// Prefer the concretely configured param
if issuerUrl = param.Server_IssuerUrl.GetString(); issuerUrl != "" {
if _, err := url.Parse(issuerUrl); err != nil {
return "", errors.Wrapf(err, "failed to parse '%s' as issuer URL from config param '%s'",
param.Server_IssuerUrl.GetString(), param.Server_IssuerUrl.GetName())
}
log.Debugf("Populating server's issuer URL as '%s' from config param '%s'", issuerUrl, param.Server_IssuerUrl.GetString())
return issuerUrl, nil
}

// Next, try to piece it together based on concretely configured hostname:port
if param.Server_IssuerHostname.GetString() != "" {
if param.Server_IssuerPort.GetInt() != 0 { // Will be the default if not set
// We assume any issuer is running https, otherwise we're crazy
issuerUrl := url.URL{
Scheme: "https",
Host: fmt.Sprintf("%s:%d", param.Server_IssuerHostname.GetString(), param.Server_IssuerPort.GetInt()),
}
return issuerUrl.String(), nil
if param.Server_IssuerPort.GetInt() == 0 {
return "", errors.Errorf("if '%s' is configured, you must also configure a valid port via '%s'",
param.Server_IssuerHostname.GetName(), param.Server_IssuerPort.GetName())
}

// We assume any issuer is running https, otherwise we're crazy
issuerUrl := fmt.Sprintf("https://%s:%d", param.Server_IssuerHostname.GetString(), param.Server_IssuerPort.GetInt())
if _, err := url.Parse(issuerUrl); err != nil {
return "", errors.Wrapf(err, "failed to parse '%s' as issuer URL from config params '%s' and '%s'",
issuerUrl, param.Server_IssuerHostname.GetName(), param.Server_IssuerPort.GetName())
}
return "", errors.New("If Server.IssuerHostname is configured, you must provide a valid port")
log.Debugf("Populating server's issuer URL as '%s' from configured values of '%s' and '%s'",
issuerUrl, param.Server_IssuerHostname.GetName(), param.Server_IssuerPort.GetName())
return issuerUrl, nil
}

issuerUrlStr := param.Server_ExternalWebUrl.GetString()
issuerUrl, err := url.Parse(issuerUrlStr)
log.Debugln("GetServerIssuerURL:", issuerUrlStr)
if err != nil {
return "", errors.Wrap(err, "Failed to parse the issuer URL generated using the parsed Server.ExternalWebUrl")
// Finally, fall back to the external web URL
issuerUrl = param.Server_ExternalWebUrl.GetString()
if _, err := url.Parse(issuerUrl); err != nil {
return "", errors.Wrapf(err, "failed to parse '%s' as the issuer URL generated from config param '%s'",
issuerUrl, param.Server_ExternalWebUrl.GetName())
}
return issuerUrl.String(), nil
log.Debugf("Populating server's issuer URL as '%s' from configured value of '%s'", issuerUrl, param.Server_ExternalWebUrl.GetName())
return issuerUrl, nil
}

// function to get/setup the transport (only once)
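Review bot: `url.Parse` is the only validation on all three branches of GetServerIssuerURL, and it accepts an empty string, a relative reference or a non-https scheme without error, so if `Server.ExternalWebUrl` is unset the final branch returns `"", nil` and cache/advertise.go assigns that empty value to `adTokCfg.Issuer` with no further check. Consider keeping the parsed URL and rejecting anything that is not absolute, e.g. `if u.Scheme == "" || u.Host == "" { return "", errors.Errorf("issuer URL '%s' must include a scheme and host", issuerUrl) }`. Separately, the first `log.Debugf` passes `param.Server_IssuerUrl.GetString()` where the message expects the parameter name, so the URL is printed twice; it should be `param.Server_IssuerUrl.GetName()`. The deferred `viper.Set` also turns this getter into a writer of global config, which deserves a line in the doc comment because viper is, as far as I know, not safe for concurrent reads and writes and this function is now reached from runtime code paths.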