CI tests failing with EOS 5.3.20 due to Token ACL implementation

Summary

Since EOS 5.3.20, by default, to issue a token on a directory you need to be the owner of that directory. This can be fixed by modifying the ACLs.

is_owner = (dh->getCUid() == vid.uid);

      if (fh) {
    is_owner = (fh->getCUid() == vid.uid);
      }

      // check if people who don't own a file or directory can issue token
      if (!is_owner && (mode & T_OK) && !acl.CanIssueToken()) {
    errno = EPERM;
    return Emsg(epname, error, EPERM, "access - you cannot issue tokens", path);
      }

dss/eos@48501c2a

Thanks to @ccaffy for helping to understand the problem.

Relevant logs and/or screenshots

• Pipeline running EOS 5.3.19-2 without problem: https://gitlab.cern.ch/cta/CTA/-/jobs/60868744
• Pipeline running EOS 5.3.20 failing: https://gitlab.cern.ch/cta/CTA/-/jobs/60868700

Needs discussion

Do we have any other use of EOS tokens in production that might be affected by this change? This would require updating ACLs.