Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gplazma: update explain login to allow admin to specify a token on the command-line #7576

Open
paulmillar opened this issue May 21, 2024 · 2 comments
Open

gplazma: update explain login to allow admin to specify a token on the command-line #7576

paulmillar opened this issue May 21, 2024 · 2 comments
Labels
Admin Shell/Commands Issues having to do with admin commands Authentication Issues affecting how users authenticate easypick enhancement A request that enhances existing behaviour

Comments

@paulmillar
Copy link
Member

paulmillar commented May 21, 2024
edited
Loading

The explain login command currently accepts a list of principals.

Based on an idea from @onnozweers, it would be much easier (and more closely reflects reality) if the explain login command accepted an OIDC access token as a command-line argument. It would then generate a login report, based on that input.
@paulmillar paulmillar added enhancement A request that enhances existing behaviour easypick Authentication Issues affecting how users authenticate Admin Shell/Commands Issues having to do with admin commands labels May 21, 2024
@onnozweers
Copy link
Contributor

Would it be an idea to implement the same for macaroons? Or is that already possible?

@onnozweers onnozweers mentioned this issue Jun 4, 2024
Open
@paulmillar
Copy link
Member Author

Macaroons don't pass through gPlazma, the door handles them directly. Therefore adding support for them with explain login doesn't make sense (at least, not to me). Minting a macaroon is like "freezing" the result of some (successful) login. Using the macaroon is like unfreezing that login result.

You can find out more about this frozen login result by calling dCache's user introspection endpoint with a macaroon; e.g.,

curl -H "Authorization: Bearer $MACAROON" https://frontend-door.dcache.example.org/api/v1/user

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Admin Shell/Commands Issues having to do with admin commands Authentication Issues affecting how users authenticate easypick enhancement A request that enhances existing behaviour
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@paulmillar @onnozweers