
gplazma: update `explain login` to allow admin to specify a token on the command-line

Open paulmillar opened this issue 1 year ago • 2 comments

The explain login command currently accepts a list of principals.

Based on an idea from @onnozweers, it would be much easier (and more closely reflects reality) if the explain login command accepted an OIDC access token as a command-line argument. It would then generate a login report, based on that input.

paulmillar, May 21 '24 11:05

Would it be an idea to implement the same for macaroons? Or is that already possible?

onnozweers, Jun 04 '24 09:06

Macaroons don't pass through gPlazma; the door handles them directly. Therefore adding support for them with explain login doesn't make sense (at least, not to me). Minting a macaroon is like "freezing" the result of some (successful) login. Using the macaroon is like unfreezing that login result.

You can find out more about this frozen login result by calling dCache's user introspection endpoint with a macaroon; e.g.,

```
curl -H "Authorization: Bearer $MACAROON" https://frontend-door.dcache.example.org/api/v1/user
```

paulmillar, Jun 07 '24 20:06