Minimal changes for DPoP token support (!11) · Merge requests · atlas-tdaq-software / ProcessManager

Reiner Hauser requested to merge rhauser/ProcessManager:dpop into master Nov 25, 2024

The new token extension has been in nightly for weeks. I tested it both in complete stand-alone partitions and on the testbed where it interacts with older versions of the token server. It behaves well in all situations (but has no real effect until the token server is upgraded in the testbed).

This patch is the minimal change I propose for tdaq-12-00-00. Together with a change for the pmgserver systemd service which will enable TLS for them this should completely close any possibility to capture a token and use it to execute processes under the victims account.

The pmgserver on my VM (rhauser-c9s.cern.ch) has been running since a long time with TLS. You can see that it transparently works for the nightly release by running something like:

env ORBtraceLevel=20 pmg_list_on_host -H rhauser-c9s.cern.ch

and look for IORs of the form giop:ssl:... which show that the connection using TLS.

cc: @isolov

Minimal changes for DPoP token support

Merge request reports