Skip to content

Use proper name from registry when requesting federation tokens#2343

Merged
jhiemstrawisc merged 4 commits into
PelicanPlatform:mainfrom
jhiemstrawisc:issue-2306
May 29, 2025
Merged

Use proper name from registry when requesting federation tokens#2343
jhiemstrawisc merged 4 commits into
PelicanPlatform:mainfrom
jhiemstrawisc:issue-2306

Conversation

@jhiemstrawisc

@jhiemstrawisc jhiemstrawisc commented May 22, 2025

Copy link
Copy Markdown
Member

The bug was that I'd designed this to always use the server's hostname when requesting federation tokens. However, when Xrootd.Sitename is set in caches, that's the name that gets registered. This misalignment prevented the Director from validating caches' advertise tokens, which blocked it from handing out the federation tokens.

Assigning @h2zh as the reviewer since I know he's currently working on some things related to server names in the Registry -- does this approach look okay to you? Ultimately the value I send to the director's fed token API in the host query parameter needs to match the cache/origin's registered name.

@jhiemstrawisc
Update docs for 'Xrootd.Sitename' to explain additional side effects
6b250b7
@jhiemstrawisc
Change server_structs.GetCacheNS to server_structs.GetCacheNs to matc…
ee35531 
…h origin invocation
@jhiemstrawisc
Use registration name and not hostname when requesting fed tokens
5cf6603 
Previously the code always used the hostname. After we saw errors popping
up in production related to failed advertise token verification, I realized
we need the registration name, which is always the hostname for Origins,
and _sometimes_ the hostname for Caches. When `Xrootd.Sitename` is set in
caches, that's the value we should use.
@jhiemstrawisc jhiemstrawisc added this to the v7.17 milestone May 22, 2025
@jhiemstrawisc jhiemstrawisc requested a review from h2zh May 22, 2025 18:30
@jhiemstrawisc jhiemstrawisc added bug Something isn't working critical High priority for next release cache Issue relating to the cache component origin Issue relating to the origin component security create-patch Patch this into multiple versions of Pelican labels May 22, 2025
@jhiemstrawisc jhiemstrawisc linked an issue May 22, 2025 that may be closed by this pull request
"Federation Token" generation does not work with caches that set site names #2306
Closed
h2zh
h2zh approved these changes May 29, 2025
View reviewed changes

@h2zh h2zh left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after patching that log message!

Comment thread docs/parameters.yaml Outdated
@jhiemstrawisc jhiemstrawisc merged commit 5de4269 into PelicanPlatform:main May 29, 2025
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@h2zh h2zh h2zh approved these changes

Assignees

@h2zh h2zh

Labels

bug Something isn't working cache Issue relating to the cache component create-patch Patch this into multiple versions of Pelican critical High priority for next release origin Issue relating to the origin component security

Projects

None yet

Milestone

v7.17

Development

Successfully merging this pull request may close these issues.

"Federation Token" generation does not work with caches that set site names

2 participants

@jhiemstrawisc @h2zh