From 424e97ef343236494826c1331b626fc8ba7a79e6 Mon Sep 17 00:00:00 2001
From: Haoming Meng
Date: Tue, 14 May 2024 20:07:20 +0000
Subject: [PATCH 1/4] Use externalWebUrl as the token issuer for self-tests
---
 origin/self_monitor.go | 9 +++------
 server_utils/server_utils.go | 20 ++------------------
 xrootd/authorization.go | 11 ++++-------
 3 files changed, 9 insertions(+), 31 deletions(-)
diff --git a/origin/self_monitor.go b/origin/self_monitor.go
index eec038c33..700a2a503 100644
--- a/origin/self_monitor.go
+++ b/origin/self_monitor.go
@@ -22,21 +22,18 @@ import (
 "context"
 "time"
+ log "github.com/sirupsen/logrus"
+
 "github.com/pelicanplatform/pelican/config"
 "github.com/pelicanplatform/pelican/metrics"
 "github.com/pelicanplatform/pelican/param"
 "github.com/pelicanplatform/pelican/server_utils"
- log "github.com/sirupsen/logrus"
 )
 func doSelfMonitor(ctx context.Context) {
 log.Debug("Starting a new self-test monitoring cycle")
 fileTests := server_utils.TestFileTransferImpl{}
- issuerUrl, err := config.GetServerIssuerURL()
- if err != nil {
- log.Warningln("Self-test monitoring cycle failed due to lack of issuer URL: ", err)
- metrics.SetComponentHealthStatus(metrics.OriginCache_XRootD, metrics.StatusCritical, "Self-test monitoring cycle due to lack of issuer URL: "+err.Error())
- }
+ issuerUrl := param.Server_ExternalWebUrl.GetString()
 ok, err := fileTests.RunTests(ctx, param.Origin_Url.GetString(), config.GetServerAudience(), issuerUrl, server_utils.OriginSelfFileTest)
 if ok && err == nil {
 log.Debugln("Self-test monitoring cycle succeeded at", time.Now().Format(time.UnixDate))
diff --git a/server_utils/server_utils.go b/server_utils/server_utils.go
index 194c60f9c..22b920bc4 100644
--- a/server_utils/server_utils.go
+++ b/server_utils/server_utils.go
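Review bot: `issuerUrl := param.Server_ExternalWebUrl.GetString()` is used without checking for an empty value, so an unset Server.ExternalWebUrl now reaches RunTests as an empty issuer string and the cycle fails later with a less specific error, whereas the removed branch at least logged the cause and marked the component critical. Keep that signal with an `if issuerUrl == "" { ... }` guard before the RunTests call that logs the missing setting, calls metrics.SetComponentHealthStatus with metrics.StatusCritical as the old branch did, and returns. Whether metrics is still referenced further down (the import is kept) cannot be seen here; doSelfMonitor's body continues past the hunk.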
@@ -28,16 +28,15 @@ import (
 "context"
 "io"
 "net/http"
- "net/url"
 "reflect"
 "time"
 "github.com/fsnotify/fsnotify"
- "github.com/pelicanplatform/pelican/config"
- "github.com/pelicanplatform/pelican/param"
 "github.com/pkg/errors"
 log "github.com/sirupsen/logrus"
 "golang.org/x/sync/errgroup"
+
+ "github.com/pelicanplatform/pelican/config"
 )
 // Wait until given `reqUrl` returns a HTTP 200.
@@ -131,21 +130,6 @@ func WaitUntilWorking(ctx context.Context, method, reqUrl, server string, expect
 }
 }
-// For calling from within the server. Returns the server's issuer URL/port
-func GetServerIssuerURL() (*url.URL, error) {
- issuerUrlStr, err := config.GetServerIssuerURL()
- if err != nil {
- return nil, errors.Wrap(err, "The server failed to determine its own issuer url. Something is wrong!")
- }
-
- issuerUrl, err := url.Parse(issuerUrlStr)
- if err != nil {
- return nil, errors.Wrapf(err, "The server's issuer URL is malformed: %s. Something is wrong!", param.Server_IssuerUrl.GetString())
- }
-
- return issuerUrl, nil
-}
-
 // Launch a maintenance goroutine.
 // The maintenance routine will watch the directory `dirPath`, invoking `maintenanceFunc` whenever
 // an event occurs in the directory. Note the behavior of directory watching differs across platforms;
diff --git a/xrootd/authorization.go b/xrootd/authorization.go
index fb4cdcf08..fb5929f58 100644
--- a/xrootd/authorization.go
+++ b/xrootd/authorization.go
@@ -442,11 +442,8 @@ func GenerateMonitoringIssuer() (issuer Issuer, err error) {
 return
 }
 issuer.Name = "Built-in Monitoring"
- issuerUrl, err := server_utils.GetServerIssuerURL()
- if err != nil {
- return
- }
- issuer.Issuer = issuerUrl.String()
+ // We use server local issuer regardless of Server.IssuerUrl
+ issuer.Issuer = param.Server_ExternalWebUrl.GetString()
 issuer.BasePaths = []string{"/pelican/monitoring"}
 issuer.DefaultUser = "xrootd"
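Review bot: `issuer.Issuer = param.Server_ExternalWebUrl.GetString()` is assigned with no empty check, so an unset Server.ExternalWebUrl produces an issuer keyed by "" in cfg.IssuerMap instead of the error the removed server_utils.GetServerIssuerURL path returned; add `if issuer.Issuer == "" { err = errors.New("Server.ExternalWebUrl is not set; cannot build the built-in monitoring issuer"); return }` (errors is already used in this file). The new comment `// We use server local issuer regardless of Server.IssuerUrl` states the what but not the why; spell out that origin/self_monitor.go now mints self-test tokens with Server.ExternalWebUrl as their issuer, so this entry must carry the same value for those tokens to match an issuer entry even when Server.IssuerUrl points at an external issuer. GenerateMonitoringIssuer's signature sits above the hunk.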
@@ -459,11 +456,11 @@ func GenerateOriginIssuer(exportedPaths []string) (issuer Issuer, err error) {
 return
 }
 issuer.Name = "Origin"
- issuerUrl, err := server_utils.GetServerIssuerURL()
+ issuerUrl, err := config.GetServerIssuerURL()
 if err != nil {
 return
 }
- issuer.Issuer = issuerUrl.String()
+ issuer.Issuer = issuerUrl
 issuer.BasePaths = exportedPaths
 issuer.RestrictedPaths = param.Origin_ScitokensRestrictedPaths.GetStringSlice()
 issuer.MapSubject = param.Origin_ScitokensMapSubject.GetBool()
From a2cc0297180d793ff1d3fb99f7f0f0d4f77be7e9 Mon Sep 17 00:00:00 2001
From: Haoming Meng
Date: Tue, 14 May 2024 20:40:52 +0000
Subject: [PATCH 2/4] Improve scitoken generation error handling
---
 xrootd/authorization.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/xrootd/authorization.go b/xrootd/authorization.go
index fb5929f58..6149e295d 100644
--- a/xrootd/authorization.go
+++ b/xrootd/authorization.go
@@ -553,7 +553,7 @@ func EmitScitokensConfig(server server_structs.XRootDServer) error {
 }
 // Writes out the origin's scitokens.cfg configuration
-func WriteOriginScitokensConfig(exportedPaths []string) error {
+func WriteOriginScitokensConfig(authedPaths []string) error {
 cfg, err := makeSciTokensCfg()
 if err != nil {
 return err
@@ -566,8 +566,11 @@ func WriteOriginScitokensConfig(exportedPaths []string) error {
 cfg.IssuerMap[issuer.Issuer] = issuer
 cfg.Global.Audience = append(cfg.Global.Audience, config.GetServerAudience())
 }
+ } else if err != nil {
+ return errors.Wrap(err, "failed to generate xrootd issuer for self-monitoring")
 }
- if issuer, err := GenerateOriginIssuer(exportedPaths); err == nil && len(issuer.Name) > 0 {
+
+ if issuer, err := GenerateOriginIssuer(authedPaths); err == nil && len(issuer.Name) > 0 {
 if val, ok := cfg.IssuerMap[issuer.Issuer]; ok {
 val.BasePaths = append(val.BasePaths, issuer.BasePaths...)
 cfg.IssuerMap[issuer.Issuer] = val
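Review bot: `issuerUrl, err := config.GetServerIssuerURL()` drops the url.Parse validation that the removed server_utils.GetServerIssuerURL wrapper performed, so unless config.GetServerIssuerURL validates its result itself (not visible here) a malformed Server.IssuerUrl is now written verbatim as the Origin entry's `issuer` in scitokens.cfg. Either re-validate here, `if _, perr := url.Parse(issuerUrl); perr != nil { err = errors.Wrapf(perr, "malformed server issuer URL %q", issuerUrl); return }` (needs net/url in scope), or record in a comment that config.GetServerIssuerURL guarantees a well-formed URL. GenerateOriginIssuer's signature is above the hunk and its body continues past it.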
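Review bot: The renamed parameter `authedPaths` is not explained by the function comment, which still only says what the function writes. Since GenerateOriginIssuer assigns it straight to the Origin issuer's BasePaths, a comment such as `// Writes out the origin's scitokens.cfg configuration; authedPaths become the base paths of the Origin issuer entry (presumably the exported paths that require an authorized token).` would tell a caller what to pass. The function body continues past the hunk.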
@@ -575,7 +578,10 @@ func WriteOriginScitokensConfig(exportedPaths []string) error {
 cfg.IssuerMap[issuer.Issuer] = issuer
 cfg.Global.Audience = append(cfg.Global.Audience, config.GetServerAudience())
 }
+ } else if err != nil {
+ return errors.Wrap(err, "failed to generate xrootd issuer for the origin")
 }
+
 if issuer, err := GenerateDirectorMonitoringIssuer(); err == nil && len(issuer.Name) > 0 {
 if val, ok := cfg.IssuerMap[issuer.Issuer]; ok {
 val.BasePaths = append(val.BasePaths, issuer.BasePaths...)
@@ -583,6 +589,8 @@ func WriteOriginScitokensConfig(exportedPaths []string) error {
 } else {
 cfg.IssuerMap[issuer.Issuer] = issuer
 }
+ } else if err != nil {
+ return errors.Wrap(err, "failed to generate xrootd issuer for director-based monitoring")
 }
 return writeScitokensConfiguration(config.OriginType, &cfg)
From cb5f3c854aa939fcce23aa7d452b89655616f0b0 Mon Sep 17 00:00:00 2001
From: Haoming Meng
Date: Tue, 14 May 2024 20:49:21 +0000
Subject: [PATCH 3/4] Concatenate multiple issuer names for the same issuer url
---
 xrootd/authorization.go | 11 +++++++----
 xrootd/resources/test-scitokens-monitoring.cfg | 5 ++---
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/xrootd/authorization.go b/xrootd/authorization.go
index 6149e295d..1512c4860 100644
--- a/xrootd/authorization.go
+++ b/xrootd/authorization.go
@@ -558,33 +558,36 @@ func WriteOriginScitokensConfig(authedPaths []string) error {
 if err != nil {
 return err
 }
- if issuer, err := GenerateMonitoringIssuer(); err == nil && len(issuer.Name) > 0 {
+ if issuer, err := GenerateOriginIssuer(authedPaths); err == nil && len(issuer.Name) > 0 {
 if val, ok := cfg.IssuerMap[issuer.Issuer]; ok {
 val.BasePaths = append(val.BasePaths, issuer.BasePaths...)
+ val.Name += "; " + issuer.Name
 cfg.IssuerMap[issuer.Issuer] = val
 } else {
 cfg.IssuerMap[issuer.Issuer] = issuer
 cfg.Global.Audience = append(cfg.Global.Audience, config.GetServerAudience())
 }
 } else if err != nil {
- return errors.Wrap(err, "failed to generate xrootd issuer for self-monitoring")
+ return errors.Wrap(err, "failed to generate xrootd issuer for the origin")
 }
- if issuer, err := GenerateOriginIssuer(authedPaths); err == nil && len(issuer.Name) > 0 {
+ if issuer, err := GenerateMonitoringIssuer(); err == nil && len(issuer.Name) > 0 {
 if val, ok := cfg.IssuerMap[issuer.Issuer]; ok {
 val.BasePaths = append(val.BasePaths, issuer.BasePaths...)
+ val.Name += "; " + issuer.Name
 cfg.IssuerMap[issuer.Issuer] = val
 } else {
 cfg.IssuerMap[issuer.Issuer] = issuer
 cfg.Global.Audience = append(cfg.Global.Audience, config.GetServerAudience())
 }
 } else if err != nil {
- return errors.Wrap(err, "failed to generate xrootd issuer for the origin")
+ return errors.Wrap(err, "failed to generate xrootd issuer for self-monitoring")
 }
 if issuer, err := GenerateDirectorMonitoringIssuer(); err == nil && len(issuer.Name) > 0 {
 if val, ok := cfg.IssuerMap[issuer.Issuer]; ok {
 val.BasePaths = append(val.BasePaths, issuer.BasePaths...)
+ val.Name += "; " + issuer.Name
 cfg.IssuerMap[issuer.Issuer] = val
 } else {
 cfg.IssuerMap[issuer.Issuer] = issuer
diff --git a/xrootd/resources/test-scitokens-monitoring.cfg b/xrootd/resources/test-scitokens-monitoring.cfg
index 62454ae18..283536413 100644
--- a/xrootd/resources/test-scitokens-monitoring.cfg
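Review bot: The merge at `val.BasePaths = append(val.BasePaths, issuer.BasePaths...)` / `val.Name += "; " + issuer.Name` only unions base paths and names; when two generated issuers share an issuer URL, every other field of the second one (DefaultUser, RestrictedPaths, MapSubject) is silently dropped in favour of the first. With the Origin block now ordered first, the built-in monitoring issuer loses its `DefaultUser = "xrootd"` whenever Server.ExternalWebUrl equals the Origin issuer URL — the updated test fixture shows exactly that (`-default_user = xrootd`) — and /pelican/monitoring is governed by the Origin entry's restricted-path and subject-mapping settings. That is a policy decision worth stating in a comment, and the three copies of the merge make it easy for them to diverge; a single closure, as below, gives one place to document which fields are merged. The rest of WriteOriginScitokensConfig lies outside the hunk.
```go
	// … unchanged: makeSciTokensCfg call and its error check …
	// mergeIssuer folds issuer into cfg, keyed by its issuer URL. Only Name and
	// BasePaths are merged: every other field (DefaultUser, RestrictedPaths,
	// MapSubject, ...) keeps the value of the first issuer added for that URL.
	mergeIssuer := func(issuer Issuer) {
		if val, ok := cfg.IssuerMap[issuer.Issuer]; ok {
			val.BasePaths = append(val.BasePaths, issuer.BasePaths...)
			val.Name += "; " + issuer.Name
			cfg.IssuerMap[issuer.Issuer] = val
			return
		}
		cfg.IssuerMap[issuer.Issuer] = issuer
		cfg.Global.Audience = append(cfg.Global.Audience, config.GetServerAudience())
	}
	if issuer, err := GenerateOriginIssuer(authedPaths); err == nil && len(issuer.Name) > 0 {
		mergeIssuer(issuer)
	} else if err != nil {
		return errors.Wrap(err, "failed to generate xrootd issuer for the origin")
	}
	// … unchanged: same pattern for GenerateMonitoringIssuer and GenerateDirectorMonitoringIssuer, each calling mergeIssuer …
```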
+++ b/xrootd/resources/test-scitokens-monitoring.cfg
@@ -27,10 +27,9 @@ issuer = https://demo.scitokens.org
 base_path = /foo, /bar
 default_user = osg
-[Issuer Built-in Monitoring]
+[Issuer Origin; Built-in Monitoring]
 issuer = https://origin.example.com:8444
-base_path = /pelican/monitoring, /foo/bar
-default_user = xrootd
+base_path = /foo/bar, /pelican/monitoring
 [Issuer WLCG]
 issuer = https://wlcg.cnaf.infn.it
From ec4fd03e6429848e0f134ac2bdcebb207ce9f797 Mon Sep 17 00:00:00 2001
From: Haoming Meng
Date: Tue, 14 May 2024 21:09:35 +0000
Subject: [PATCH 4/4] Use `and` to connect two issuer names
---
 xrootd/authorization.go | 6 +++---
 xrootd/resources/test-scitokens-monitoring.cfg | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/xrootd/authorization.go b/xrootd/authorization.go
index 1512c4860..2250bbf0c 100644
--- a/xrootd/authorization.go
+++ b/xrootd/authorization.go
@@ -561,7 +561,7 @@ func WriteOriginScitokensConfig(authedPaths []string) error {
 if issuer, err := GenerateOriginIssuer(authedPaths); err == nil && len(issuer.Name) > 0 {
 if val, ok := cfg.IssuerMap[issuer.Issuer]; ok {
 val.BasePaths = append(val.BasePaths, issuer.BasePaths...)
- val.Name += "; " + issuer.Name
+ val.Name += " and " + issuer.Name
 cfg.IssuerMap[issuer.Issuer] = val
 } else {
 cfg.IssuerMap[issuer.Issuer] = issuer
@@ -574,7 +574,7 @@ func WriteOriginScitokensConfig(authedPaths []string) error {
 if issuer, err := GenerateMonitoringIssuer(); err == nil && len(issuer.Name) > 0 {
 if val, ok := cfg.IssuerMap[issuer.Issuer]; ok {
 val.BasePaths = append(val.BasePaths, issuer.BasePaths...)
- val.Name += "; " + issuer.Name
+ val.Name += " and " + issuer.Name
 cfg.IssuerMap[issuer.Issuer] = val
 } else {
 cfg.IssuerMap[issuer.Issuer] = issuer
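Review bot: The switch from `"; "` to `" and "` in `val.Name += " and " + issuer.Name` is made in three places (here and in the hunks at 574 and 587) without recording why; the merged name becomes the `[Issuer ...]` section header of scitokens.cfg, so if the semicolon was being read as a comment or delimiter by the file's consumer, a one-line comment such as `// Joined with " and ": the merged name is an [Issuer ...] section header, so avoid ";" in it` keeps the next editor from reverting it. Lifting the separator into a single named constant would also keep the three copies in sync. WriteOriginScitokensConfig starts and ends outside the hunk.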
@@ -587,7 +587,7 @@ func WriteOriginScitokensConfig(authedPaths []string) error {
 if issuer, err := GenerateDirectorMonitoringIssuer(); err == nil && len(issuer.Name) > 0 {
 if val, ok := cfg.IssuerMap[issuer.Issuer]; ok {
 val.BasePaths = append(val.BasePaths, issuer.BasePaths...)
- val.Name += "; " + issuer.Name
+ val.Name += " and " + issuer.Name
 cfg.IssuerMap[issuer.Issuer] = val
 } else {
 cfg.IssuerMap[issuer.Issuer] = issuer
diff --git a/xrootd/resources/test-scitokens-monitoring.cfg b/xrootd/resources/test-scitokens-monitoring.cfg
index 283536413..efd36259a 100644
--- a/xrootd/resources/test-scitokens-monitoring.cfg
+++ b/xrootd/resources/test-scitokens-monitoring.cfg
@@ -27,7 +27,7 @@ issuer = https://demo.scitokens.org
 base_path = /foo, /bar
 default_user = osg
-[Issuer Origin; Built-in Monitoring]
+[Issuer Origin and Built-in Monitoring]
 issuer = https://origin.example.com:8444
 base_path = /foo/bar, /pelican/monitoring