## RUCIO/FTS TPC scenario (service identity, capability-based authz)In this sc

1. ## RUCIO/FTS TPC scenario (service identity, capability-based authz)
2.  
3. In this scenario, RUCIO and FTS managed transfers using their service identity.
4.  
5. The chain of services is
6.  
7. RUCIO -> FTS -> SE1, SE2
8.  
9. RUCIO wants to trigger transfer of file /cms/example from SE1 to SE2.
10.  
11. 1. RUCIO gets a token (T_fts) scoped to FTS to submit the transfer. T_fts is
12. requested with the client_credentials flow, with the following parameters:
13.  
14. ```
15. audience="fts"
16. scope="fts:submit-transfer"
17. ```
18.  
19. This assumes that FTS implements authorization on its API taking that will
20. take token scopes into consideration (this isn't the case now AFAIK).
21.  
22. 2. FTS queues the transfer. When the transfer is about to start, FTS requests a
23. token (T_xfer) (again with client_credentials) from IAM with the following parameters:
24.  
25. ```
26. audience="se1 se2"
27. scope="storage.read:/cms/example storage.create:/cms/example"`
28. ```
29.  
30. T_xfer is used for the third-party transfer, i.e. included in the Authorization and
31. TransferHeaderAuthorization headers.
32.  
33. Note that T_xfer could also be exchanged by FTS with SE-issued tokens, which
34. would be then used for the third-party transfer.
35.  
36. No refresh tokens are needed. If FTS for some reason needs a fresh token, it
37. simply goes back to IAM to fetch one.
38.  
39. This scenario can be supported today by IAM.
40.  
41. This scenario will require that all SEs can enforce audience checks and know
42. how to map the capabilities to local authorization.
43.  
44. ## RUCIO TPC scenario (user identity, capability-based authz)
45.  
46. User John wants to transfer file /cms/john/example from SE1 to SE2 through
47. RUCIO -> FTS etc.
48.  
49. 1. User gets an access token (T_rucio) from IAM to submit the transfer to RUCIO
50. through its API:
51.  
52. ```
53. audience="rucio"
54. scope="openid rucio:submit-transfer"
55. ```
56.  
57. This assumes that RUCIO implements authorization on its API that will
58. take token scopes into consideration (this isn't the case now).
59.  
60. 2. Now RUCIO needs to manage the transfer on behalf of John. To do so, it
61. exchanges T_rucio with a token (T_fts) suitable to submit the transfer to
62. FTS. This is done using the token exchange flow:
63.  
64. ```
65. subject_token="T_rucio"
66. audience="fts"
67. scope="openid fts:submit-transfer"
68. ```
69.  
70. Note that no refresh token is asked at this stage (probably not needed).
71.  
72. 3. FTS queues the transfer and exchanges T_fts with a new access token
73. (T_xfer) and refresh token (R_xfer) to manage the transfer. The new tokens
74. are obtained using the token exchange flow:
75.  
76. ```
77. subject_token="T_fts"
78. audience="se1 se2"
79. scope="openid offline_access storage.read:/cms/john/example storage.create:/cms/john/example"
80. ```
81.  
82. FTS stores R_xfer and uses it to refresh T_xfer if needed when the transfer is
83. starting.
84.  
85. T_xfer (or a fresher token with equivalent privileges) is used for the
86. third-party transfer, i.e. included in the Authorization and
87. TransferHeaderAuthorization headers.
88.  
89. Note that T_xfer could also be exchanged by FTS with SE-issued tokens, which
90. would be then used for the third-party transfer.
91.  
92. This scenario requires minor changes in the token-exchange flow support in IAM,
93. which has a stricter scope validation policy in place for token-exchange.
94.  
95. As above, this scenario will require that all SEs can enforce audience checks
96. and know how to map the capabilities to local authorization.
97.  
98. ## RUCIO TPC scenario (user identity, group-based authz)
99.  
100. User John wants to transfer file /cms/john/example from SE1 to SE2 through
101. RUCIO -> FTS etc.
102.  
103. 1. User gets an access token (T_rucio) from IAM to submit the transfer to RUCIO
104. through its API:
105.  
106. ```
107. audience="rucio"
108. scope="openid wlcg.groups"
109. ```
110.  
111. In this example flow John requests all his default groups in the default
112. ordering. A different ordering and optional groups can be included following
113. the rules in the WLCG JWT profile.
114.  
115. This assumes that RUCIO implements authorization on its API that will take user
116. groups information extracted from the T_rucio into consideration (this isn't the
117. case now, AFAIK).
118.  
119. 2. Now RUCIO needs to manage the transfer on behalf of John. To do so, it
120. exchanges T_rucio with one suitable to submit the transfer to FTS. This is
121. done using the token exchange flow:
122.  
123. ```
124. subject_token="T_rucio"
125. audience="fts"
126. scope="openid wlcg.groups"
127. ```
128.  
129. This assumes that FTS implements authorization on its API taking user groups
130. information into account (this isn't the case now, AFAIU).
131.  
132. 3. FTS queues the transfer and exchanges the token obtained from RUCIO with a
133. new access token (T_xfer) and refresh token (R_xfer) to manage the transfer.
134. The new tokens are obtained using the token exchange flow:
135. ```
136. subject_token="T_fts"
137. audience="se1 se2"
138. scope="openid offline_access wlcg.groups"
139. ```
140.  
141. FTS stores R_xfer and uses it to refresh the access token obtained if needed
142. when the transfer is starting.
143.  
144. T_xfer (or a fresher token with equivalent privileges) is used for the
145. third-party transfer, i.e. included in the Authorization and
146. TransferHeaderAuthorization headers.
147.  
148. Note that T_xfer could also be exchanged by FTS with SE-issued tokens, which
149. would be then used for the third-party transfer.
150.  
151. This scenario can be supported today by IAM, with a caveat: groups are exposed
152. in the "groups" claim (while the JWT profile wants "wlcg.groups"). As soon as I
153. am done implementing the WLCG JWT profile (ETA: mid October), the scenario will
154. be fully supported.
155.  
156. This scenario will require that all SEs can enforce audience checks
157. and know how to map group information extracted from the tokens to local authz.
158.  
159. Notice how token exchange is mainly used to change the audience of tokens. We
160. could reduce these exchanges if we are fine with having tokens e.g., scoped to
161. both RUCIO and FTS, so that exchanges are needed only when offline_access needs
162. to be requested.
163.  
164. # Wrap up
165.  
166. There are two main differences with Brian's proposal:
167.  
168. - when RUCIO and FTS act with their own service identity, the client
169. credentials flow is used. No refresh tokens needed.
170. - a single token, scoped at two SEs, is requested from IAM for each transfer. I
171. think this is a reasonable tradeoff security-wise (while cutting in half the
172. number of tokens in the IAM db) since the token is scoped and limited to
173. access only the files transferred, and also makes more sense if IAM tokens
174. are going to be exchanged with SE-issued tokens.