What’s new

Rucio's authentication and authorization mechanism was extended to support JWT tokens using the OpenID Connect protocol (following the OAuth 2.0 specifications). The implementation is based on the pyoidc (OIDC certified) library and follows the WLCG specifications documented here (subject to certain changes, as these specifications are currently still being developed).

To perform operations with Rucio, a user can now log in via the authorization code grant mechanism. This is available through the Rucio WebUI and the Rucio command line interface (CLI); three CLI login strategies were implemented to serve various use cases.

The Rucio REST API can also accept JWT tokens issued by Identity Providers outside of the Rucio authorization code grant flow. Such JWT tokens can serve as a means of authentication and authorization if they contain the required minimal scope and audience in their claims, are valid, and their identity is known to Rucio. In order to allow permission control downstream (Rucio → FTS3), Rucio also implements an internal mechanism using the token exchange and token refresh grants.

Rucio user pre-provisioning (via the new Rucio SCIM client) was implemented as a ‘Rucio probe’ script. To manage the token life-cycle, a new Rucio daemon was implemented that takes care of token deletion, token refresh and clean-up of expired OIDC authentication sessions. The Rucio DB schema was extended with the necessary new columns in the ‘tokens’ table and a new table ‘oauth_requests’ to handle OIDC authentication sessions.

First functional tests of a third party copy were performed (Rucio → FTS3 → dCache) and a new Rucio testbed instance is being set up.

List of RfCs

  • Features
    • #2612 - Authentication & Authorisation: Rucio user authentication via OIDC protocol (XDC IAM), getting user info and JWT tokens
    • #2412 - Deletion: Reaper 2.0
    • #3348 - Release management: Add oidc auth templates to setup.py
    • #533 - Release management: Better way to deal with configuration / permissions / policy
  • Enhancements
    • #1637 - Deletion: Protection of sources too strict in the reaper
  • Bug fixes
    • #3337 - Authentication & Authorisation: Fixes to OIDC AuthN/Z after first deployment on a testbed

Installation methods

  • for Rucio-server follow the Installing Rucio server guide
    • via pip
      # pip install rucio
    • via docker
    • for more options see the documentation above
  • for Rucio-daemons follow the Installing Rucio daemons guide
    • via pip
      # pip install rucio
    • via docker
      # docker run --name=rucio-server -p 80:80 -d indigodatacloud/rucio-server:XDC-2
    • for more options see the documentation above

Known Issues

  • N/A