Token-based WebDAV protocol is not working after upgrading 9.2.24 #7654

geonmo · 2024-09-06T14:32:58Z

(I sent an email to dcache support saying the same thing, but thought I'd share this as a reference for others).

The following message appears, indicating that the token-based webdav protocol cannot be used.

If you've seen the same error after upgrading, please let us know in the comments, or if you haven't upgraded yet, you might want to wait a bit.

Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]: 06 Sep 2024 22:49:06 (gPlazma) [door:CMST2_XRootD_1094@xrootdDomain:AAYhc6u62eg CMST2_XRootD_1094 Login MAP multimap] Bug in plugin:                                   
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]: java.lang.RuntimeException: Failed to create principal: java.lang.NoSuchMethodException: org.dcache.auth.OAuthProviderPrincipal.<init>(java.lang.String)               
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.gplazma.plugins.GplazmaMultiMapFile$MappablePrincipal.buildPrincipal(GplazmaMultiMapFile.java:148)                                               
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.gplazma.plugins.GplazmaMultiMapFile$MappablePrincipal.buildMatcher(GplazmaMultiMapFile.java:163)                                                 
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.gplazma.plugins.GplazmaMultiMapFile.asMatcher(GplazmaMultiMapFile.java:270)                                                                      
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.gplazma.plugins.GplazmaMultiMapFile.parseMapFile(GplazmaMultiMapFile.java:248)                                                                   
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.gplazma.plugins.GplazmaMultiMapFile.mapping(GplazmaMultiMapFile.java:216)                                                                        
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.gplazma.plugins.GplazmaMultiMapPlugin.map(GplazmaMultiMapPlugin.java:37)                                                                         
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.gplazma.strategies.DefaultMappingStrategy.lambda$map$0(DefaultMappingStrategy.java:57)                                                           
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.gplazma.strategies.PAMStyleStrategy.callPlugins(PAMStyleStrategy.java:91)                                                                        
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.gplazma.strategies.DefaultMappingStrategy.map(DefaultMappingStrategy.java:49)                                                                    
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.gplazma.GPlazma$Setup.doMapPhase(GPlazma.java:478)                                                                                               
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.gplazma.GPlazma.login(GPlazma.java:183)                                                                                                          
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.gplazma.GPlazma.login(GPlazma.java:138)                                                                                                          
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.auth.Gplazma2LoginStrategy.login(Gplazma2LoginStrategy.java:211)                                                                                 
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.services.login.MessageHandler.messageArrived(MessageHandler.java:58)                                                                             
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)                                                                              
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)                                                            
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)                                                    
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at java.base/java.lang.reflect.Method.invoke(Method.java:566)                                                                                                  
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.cells.CellMessageDispatcher$LongReceiver.deliver(CellMessageDispatcher.java:286)                                                                 
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.cells.CellMessageDispatcher.call(CellMessageDispatcher.java:188)                                                                                 
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.cells.AbstractCell.messageArrived(AbstractCell.java:302)                                                                                         
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at dmg.cells.nucleus.CellAdapter.messageArrived(CellAdapter.java:856)                                                                                          
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at dmg.cells.nucleus.CellNucleus$DeliverMessageTask.run(CellNucleus.java:1273)                                                                                 
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at org.dcache.util.BoundedExecutor$Worker.run(BoundedExecutor.java:247)                                                                                        
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)                                                                   
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)                                                                   
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at dmg.cells.nucleus.CellNucleus.lambda$wrapLoggingContext$2(CellNucleus.java:725)                                                                             
Sep 06 22:49:06 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:         at java.base/java.lang.Thread.run(Thread.java:829)                                                
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]: 06 Sep 2024 22:49:58 (gPlazma) [WebDAV_T2_KR_KISTI Login] Login attempt failed; detailed explanation follows:                                                          
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]: LOGIN FAIL                                                                                                                                                             
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |    in: Origin[2001:1458:301:cd::100:3b0]                                                                                                                            
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |        JWT bearer token:                                                                                                                                            
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |          |                                                                                                                                                          
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |          +- iss: "https://cms-auth.web.cern.ch/"                                                                                                                    
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |          +- jti: "96c7c867-65fe-4150-8c2d-ed18b7b4750e"                                                                                                             
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |          +- sub: "ab9316f0-e0a0-4a8c-bd72-dbb17087b1da"                                                                                                             
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |          +- scope: "offline_access storage.modify:/store/mc/RunIISummer20UL16NanoAODAPVv9/CGToBHpm_MH-400_TuneCP5_13TeV_G2HDM-madgraphMLM-pythia8/NANOAODSIM/106X_mc
Run2_asymptotic_preVFP_v11-v2/ storage.read:/"                                                                                                                                                                                              
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |          +- iat: 1725628567 --> 2024-09-06 22:16:07.000 (33 min ago)                                                                                                
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |          +- nbf: 1725628567 --> 2024-09-06 22:16:07.000 (33 min ago)                                                                                                
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |          +- exp: 1725639367 --> 2024-09-07 01:16:07.000 (2 hours in the future)                                                                                     
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |          +- aud: "cms-t2-se01.sdfarm.kr"                                                                                                                            
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |          +- client_id: "c5a75d6d-3664-4e24-a72a-fcd6abbbe69b"                                                                                                       
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |                                                                                                                                                                     
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   out: OidcSubjectPrincipal[ab9316f0-e0a0-4a8c-bd72-dbb17087b1da@cms]                                                                                               
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |        Origin[2001:1458:301:cd::100:3b0]                                                                                                                            
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |        OP[cms]                                                                                                                                                      
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |        JwtJtiPrincipal[96c7c867-65fe-4150-8c2d-ed18b7b4750e@cms]                                                                                                    
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |        ExemptFromNamespaceChecks                                                                                                                                    
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |        JwtSubPrincipal[ab9316f0-e0a0-4a8c-bd72-dbb17087b1da@cms]                                                                                                    
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |                                                                                                                                                                     
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  +--AUTH OK                                                                                                                                                            
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   |    added: OidcSubjectPrincipal[ab9316f0-e0a0-4a8c-bd72-dbb17087b1da@cms]                                                                                        
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   |           OP[cms]                                                                                                                                               
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   |           JwtJtiPrincipal[96c7c867-65fe-4150-8c2d-ed18b7b4750e@cms]                                                                                             
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   |           ExemptFromNamespaceChecks                                                                                                                             
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   |           JwtSubPrincipal[ab9316f0-e0a0-4a8c-bd72-dbb17087b1da@cms]        
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   |
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   +--x509 OPTIONAL:FAIL (no X.509 certificate chain) => OK
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   |
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   +--voms SUFFICIENT:FAIL (no X509 certificate chain) => OK
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   |
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   +--oidc SUFFICIENT:OK => OK (ends the phase) 
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |          added: OidcSubjectPrincipal[ab9316f0-e0a0-4a8c-bd72-dbb17087b1da@cms]
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |                 OP[cms]
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |                 JwtJtiPrincipal[96c7c867-65fe-4150-8c2d-ed18b7b4750e@cms]
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |                 ExemptFromNamespaceChecks
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |                 JwtSubPrincipal[ab9316f0-e0a0-4a8c-bd72-dbb17087b1da@cms]
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  +--MAP OK
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   |
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   +--vorolemap OPTIONAL:FAIL (no record) => OK 
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   |
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   +--gridmap OPTIONAL:FAIL (no mapping) => OK
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   |
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   +--multimap SUFFICIENT:FAIL (no mappable principals) => OK
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   |
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   +--authzdb SUFFICIENT:FAIL (no mappable principal) => OK
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  +--ACCOUNT OK
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  +--SESSION OK
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   |
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   +--authzdb SUFFICIENT:FAIL (no username principal) => OK
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   |
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |   +--omnisession SUFFICIENT:FAIL (bad config file) => OK
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  |
Sep 06 22:49:58 cms-t2-se01.sdfarm.kr dcache@gPlazmaDomain[1319655]:  +--VALIDATION FAIL (no username, no UID, no primary GID)

paulmillar · 2024-09-07T06:35:44Z

Hi @geonmo,

Thanks for sharing this issue.

Could you also share your multimap configuration file?

Cheers,
Paul.

geonmo · 2024-09-07T07:55:24Z

@paulmillar Here it is.

# /etc/dcache/multi-mapfile.wlcg_jwt
op:wlcg               uid:1999 gid:1999,true username:wlcg_oidc
op:cms                uid:50301 gid:1400,true username:cmsreadwrite
op:cmsv2              uid:50301 gid:1400,true username:cmsreadwrite

Now that I think about it, I probably should have checked that the # symbol is a comment here. However, it worked fine in previous versions.

paulmillar · 2024-09-08T09:18:06Z

Thanks @geonmo

I think I understand the problem and have a fix.

Motivation: Commit ef2dc1e introduced a regression in the multimap plugin. Where the 'op' principal type is used, logins will fail with dCache logging a stacktrace like: java.lang.RuntimeException: Failed to create principal: java.lang.NoSuchMethodException: org.dcache.auth.OAuthProviderPrincipal.<init>(java.lang.String) at org.dcache.gplazma.plugins.GplazmaMultiMapFile$MappablePrincipal.buildPrincipal(GplazmaMultiMapFile.java:148) at org.dcache.gplazma.plugins.GplazmaMultiMapFile$MappablePrincipal.buildMatcher(GplazmaMultiMapFile.java:163) at org.dcache.gplazma.plugins.GplazmaMultiMapFile.asMatcher(GplazmaMultiMapFile.java:270) at org.dcache.gplazma.plugins.GplazmaMultiMapFile.parseMapFile(GplazmaMultiMapFile.java:248) at org.dcache.gplazma.plugins.GplazmaMultiMapFile.mapping(GplazmaMultiMapFile.java:216) at org.dcache.gplazma.plugins.GplazmaMultiMapPlugin.map(GplazmaMultiMapPlugin.java:37) at org.dcache.gplazma.strategies.DefaultMappingStrategy.lambda$map$0(DefaultMappingStrategy.java:57) at org.dcache.gplazma.strategies.PAMStyleStrategy.callPlugins(PAMStyleStrategy.java:91) This problem is because the above commit replaced the single-string constructor that was being used by the multimap plugin via reflection. Modification: Define the following semantics: When `op` is used as a principal matcher, the matcher will be selected when the login has an OAuthProviderPrincipal with that value as its (dCache) name; for example, `op:FOO` will match if the login has an OAuthProviderPrincipal with name `FOO`. The URL of the issuer (the `iss` claim value) is not considered. This recreates the previous semantics. When used as a principal, the `op` takes two colon-sparated arguments: the (dCache) name for the OP and the issuer URL (the `iss` claim value). For example, `op:FOO:https://my-op.example.org/` creates an OP with name `FOO` and issuer URL `https://my-op.example.org/`. For backwards compatibility, if the second colon and the issuer URL is omitted then a placeholder URL is used and a warning is logged; for example, `op:FOO` will add a OAuthProviderPrincipal with name `FOO` and a placeholder issuer URL. Unit tests are added that verify correct behaviour. Result: A regression is fixed in the multimap plugin when `op:` principal type is used. Target: master Request: 10.1 Request: 10.0 Request: 9.2 Requires-notes: yes Requires-book: no Closes: dCache#7654

Motivation: Commit ef2dc1e introduced a regression in the multimap plugin. Where the 'op' principal type is used, logins will fail with dCache logging a stacktrace like: java.lang.RuntimeException: Failed to create principal: java.lang.NoSuchMethodException: org.dcache.auth.OAuthProviderPrincipal.<init>(java.lang.String) at org.dcache.gplazma.plugins.GplazmaMultiMapFile$MappablePrincipal.buildPrincipal(GplazmaMultiMapFile.java:148) at org.dcache.gplazma.plugins.GplazmaMultiMapFile$MappablePrincipal.buildMatcher(GplazmaMultiMapFile.java:163) at org.dcache.gplazma.plugins.GplazmaMultiMapFile.asMatcher(GplazmaMultiMapFile.java:270) at org.dcache.gplazma.plugins.GplazmaMultiMapFile.parseMapFile(GplazmaMultiMapFile.java:248) at org.dcache.gplazma.plugins.GplazmaMultiMapFile.mapping(GplazmaMultiMapFile.java:216) at org.dcache.gplazma.plugins.GplazmaMultiMapPlugin.map(GplazmaMultiMapPlugin.java:37) at org.dcache.gplazma.strategies.DefaultMappingStrategy.lambda$map$0(DefaultMappingStrategy.java:57) at org.dcache.gplazma.strategies.PAMStyleStrategy.callPlugins(PAMStyleStrategy.java:91) This problem is because the above commit replaced the single-string constructor that was being used by the multimap plugin via reflection. Modification: Define the following semantics: When `op` is used as a principal matcher, the matcher will be selected when the login has an OAuthProviderPrincipal with that value as its (dCache) name; for example, `op:FOO` will match if the login has an OAuthProviderPrincipal with name `FOO`. The URL of the issuer (the `iss` claim value) is not considered. This recreates the previous semantics. When used as a principal, the `op` takes two colon-sparated arguments: the (dCache) name for the OP and the issuer URL (the `iss` claim value). For example, `op:FOO:https://my-op.example.org/` creates an OP with name `FOO` and issuer URL `https://my-op.example.org/`. For backwards compatibility, if the second colon and the issuer URL is omitted then a placeholder URL is used and a warning is logged; for example, `op:FOO` will add a OAuthProviderPrincipal with name `FOO` and a placeholder issuer URL. Unit tests are added that verify correct behaviour. Result: A regression is fixed in the multimap plugin when `op:` principal type is used. Target: master Request: 10.1 Request: 10.0 Request: 9.2 Requires-notes: yes Requires-book: no Closes: dCache#7654 Patch: https://rb.dcache.org/r/14314/ Acked-by: Tigran Mkrtchyan

Motivation: Commit ef2dc1e introduced a regression in the multimap plugin. Where the 'op' principal type is used, logins will fail with dCache logging a stacktrace like: java.lang.RuntimeException: Failed to create principal: java.lang.NoSuchMethodException: org.dcache.auth.OAuthProviderPrincipal.<init>(java.lang.String) at org.dcache.gplazma.plugins.GplazmaMultiMapFile$MappablePrincipal.buildPrincipal(GplazmaMultiMapFile.java:148) at org.dcache.gplazma.plugins.GplazmaMultiMapFile$MappablePrincipal.buildMatcher(GplazmaMultiMapFile.java:163) at org.dcache.gplazma.plugins.GplazmaMultiMapFile.asMatcher(GplazmaMultiMapFile.java:270) at org.dcache.gplazma.plugins.GplazmaMultiMapFile.parseMapFile(GplazmaMultiMapFile.java:248) at org.dcache.gplazma.plugins.GplazmaMultiMapFile.mapping(GplazmaMultiMapFile.java:216) at org.dcache.gplazma.plugins.GplazmaMultiMapPlugin.map(GplazmaMultiMapPlugin.java:37) at org.dcache.gplazma.strategies.DefaultMappingStrategy.lambda$map$0(DefaultMappingStrategy.java:57) at org.dcache.gplazma.strategies.PAMStyleStrategy.callPlugins(PAMStyleStrategy.java:91) This problem is because the above commit replaced the single-string constructor that was being used by the multimap plugin via reflection. Modification: Define the following semantics: When `op` is used as a principal matcher, the matcher will be selected when the login has an OAuthProviderPrincipal with that value as its (dCache) name; for example, `op:FOO` will match if the login has an OAuthProviderPrincipal with name `FOO`. The URL of the issuer (the `iss` claim value) is not considered. This recreates the previous semantics. When used as a principal, the `op` takes two colon-sparated arguments: the (dCache) name for the OP and the issuer URL (the `iss` claim value). For example, `op:FOO:https://my-op.example.org/` creates an OP with name `FOO` and issuer URL `https://my-op.example.org/`. For backwards compatibility, if the second colon and the issuer URL is omitted then a placeholder URL is used and a warning is logged; for example, `op:FOO` will add a OAuthProviderPrincipal with name `FOO` and a placeholder issuer URL. Unit tests are added that verify correct behaviour. Result: A regression is fixed in the multimap plugin when `op:` principal type is used. Target: master Request: 10.1 Request: 10.0 Request: 9.2 Requires-notes: yes Requires-book: no Closes: #7654 Patch: https://rb.dcache.org/r/14314/ Acked-by: Tigran Mkrtchyan

paulmillar self-assigned this Sep 7, 2024

paulmillar closed this as completed in 83297e9 Sep 9, 2024

This was referenced Sep 9, 2024

gplazma: multimap fix op regression #7656

Merged

gplazma: multimap fix op regression #7657

Merged

paulmillar mentioned this issue Sep 9, 2024

gplazma: multimap fix op regression #7658

Merged

onnozweers mentioned this issue Sep 12, 2024

API: staging through /bulk-requests fails when authenticating with macaroons (master snapshot) #7665

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Token-based WebDAV protocol is not working after upgrading 9.2.24 #7654

Token-based WebDAV protocol is not working after upgrading 9.2.24 #7654

geonmo commented Sep 6, 2024

paulmillar commented Sep 7, 2024

geonmo commented Sep 7, 2024

paulmillar commented Sep 8, 2024

Token-based WebDAV protocol is not working after upgrading 9.2.24 #7654

Token-based WebDAV protocol is not working after upgrading 9.2.24 #7654

Comments

geonmo commented Sep 6, 2024

paulmillar commented Sep 7, 2024

geonmo commented Sep 7, 2024

paulmillar commented Sep 8, 2024