FUSEX: allow to configure 'global' key/EosTokens for a mount which can connect with sss (preset a global XrdSecsssENDORSEMENT environemnt) - fixes EOS-6458

apeters1971 · apeters1971 · commit dbaa63c81524 · 2025-08-01T16:13:26.000+02:00
You can either set as an endorsement any invented key, which you can then for example reference in a global ACL like k:7fdbc131-6513-416a-8f47-abd5919c1760:rx or you can create an EOS token which brings the ACL and assign this token in the config file under "auth":"sssEndorsement"
diff --git a/fusex/README.md b/fusex/README.md
@@ -71,6 +71,7 @@ This
     "gsi-first" : 0,
     "sss" : 1,
     "ssskeytab" : "/etc/eos/fuse.sss.keytab",
+    "sssEndorsement" : "",
     "oauth2" : 1,
     "ztn" : 1,    	     
     "unix" : 0,
@@ -306,7 +307,7 @@ Use these authentication directives in the config file:
   }
 ```
 The mount daemon uses /etc/fuse/fuse.sss.keytab as default keytab when running as a shared mount. The user mount default is $HOME/.eos/fuse.sss.keytab. Unlike Kerberos it is not possible in XRootD to use different keytabs for individual users. If you want to create a 'trusted' mount mapping local users to their local username, you have to create an sss keytab entry for user **anybody** and group **anygroup**. Otherwise you can create an sss keytab for a given application user.
-The mount also supports to forward sss endorsements, which are forwarded to the server. These endorsement can be used server-side to define an ACL entry by key e.g. sys.acl="k:9c2bd333-5331-4095-8fcd-28726404742f:rwx". This would provide access to all sss clients having this key in their environment even if the mapped sss user/group wouldn't have access.
+The mount also supports to forward sss endorsements, which are forwarded to the server. These endorsement can be used server-side to define an ACL entry by key e.g. sys.acl="k:9c2bd333-5331-4095-8fcd-28726404742f:rwx". This would provide access to all sss clients having this key in their environment even if the mapped sss user/group wouldn't have access. Another type of endorsement can be EosToken, which are read from XrdSecsssENDORSEMENT environemnt variables. You can also configure a mount with a static endorsement using "auth":"sssEndorsement" : zteos:... which will be used by all users on this mount using sss authentication.
 
 
 Mounting for UNIX gateways
diff --git a/fusex/auth/BoundIdentityProvider.cc b/fusex/auth/BoundIdentityProvider.cc
@@ -221,6 +221,10 @@ BoundIdentityProvider::sssEnvToBoundIdentity(const JailInformation& jail,
   std::string endorsement = env.get("XrdSecsssENDORSEMENT");
   std::string key = env.get("EOS_FUSE_SECRET");
 
+  if (credConfig.sssEndorsement.length()) {
+    endorsement = credConfig.sssEndorsement;
+  }
+
   if (key.empty() && credConfig.encryptionKey.length()) {
     key = credConfig.encryptionKey;
   }
@@ -286,12 +290,11 @@ BoundIdentityProvider::environmentToBoundIdentity(const JailInformation& jail,
         return output;
       }
     }
-
     //----------------------------------------------------------------------------
     // Try to use SSS if available.
     //----------------------------------------------------------------------------
     if (credConfig.use_user_sss && ((!skip_sss) ||
-                                    (!env.get("XrdSecsssENDORSEMENT").empty()))) {
+                                    (!env.get("XrdSecsssENDORSEMENT").empty() || !credConfig.sssEndorsement.empty()))) {
       output = sssEnvToBoundIdentity(jail, env, uid, gid, reconnect, scope);
 
       if (output) {
@@ -342,7 +345,7 @@ BoundIdentityProvider::environmentToBoundIdentity(const JailInformation& jail,
   // Try to use SSS if available.
   //----------------------------------------------------------------------------
   if (credConfig.use_user_sss && (!skip_sss ||
-                                  !env.get("XrdSecsssENDORSEMENT").empty())) {
+                                  (!env.get("XrdSecsssENDORSEMENT").empty() || !credConfig.sssEndorsement.empty()))) {
     output = sssEnvToBoundIdentity(jail, env, uid, gid, reconnect, scope);
 
     if (output) {
@@ -532,8 +535,14 @@ BoundIdentityProvider::defaultPathsToBoundIdentity(const JailInformation& jail,
                                << uid)));
   // attach secret key and endorsement
   defaultEnv.push_back("EOS_FUSE_SECRET=" + pidEnv.get("EOS_FUSE_SECRET"));
-  defaultEnv.push_back("XrdSecsssENDORSEMENT=" +
-                       pidEnv.get("XrdSecsssENDORSEMENT"));
+
+  if (credConfig.sssEndorsement.length()) {
+    defaultEnv.push_back("XrdSecsssENDROSEMENT=" + credConfig.sssEndorsement);
+  } else {
+    defaultEnv.push_back("XrdSecsssENDORSEMENT=" +
+			 pidEnv.get("XrdSecsssENDORSEMENT"));
+  }
+
   return environmentToBoundIdentity(jail, defaultEnv, uid, gid, reconnect,
                                     subscope, false);
 }
@@ -558,8 +567,12 @@ BoundIdentityProvider::globalBindingToBoundIdentity(const JailInformation& jail,
                           SSTR("Attempting to produce BoundIdentity out of eosfusebind " <<
                                "global binding for uid=" << uid)));
   defaultEnv.push_back("EOS_FUSE_SECRET=" + pidEnv.get("EOS_FUSE_SECRET"));
-  defaultEnv.push_back("XrdSecsssENDORSEMENT=" +
-                       pidEnv.get("XrdSecsssENDORSEMENT"));
+  if (credConfig.sssEndorsement.length()) {
+    defaultEnv.push_back("XrdSecsssENDORSEMENT=" + credConfig.sssEndorsement);
+  } else {
+    defaultEnv.push_back("XrdSecsssENDORSEMENT=" +
+			 pidEnv.get("XrdSecsssENDORSEMENT"));
+  }
   return environmentToBoundIdentity(jail, defaultEnv, uid, gid, reconnect,
                                     subscope, true);
 }
diff --git a/fusex/auth/CredentialFinder.hh b/fusex/auth/CredentialFinder.hh
@@ -80,6 +80,8 @@ public:
   bool ignore_containerization;
   //! Encryption Key
   std::string encryptionKey;
+  //! Static token
+  std::string sssEndorsement;
 };
 
 //------------------------------------------------------------------------------
diff --git a/fusex/eosxd/eosfuse.cc b/fusex/eosxd/eosfuse.cc
@@ -1144,6 +1144,7 @@ EosFuse::run(int argc, char* argv[], void* userdata)
       root["auth"]["ignore-containerization"].asInt();
     config.auth.use_user_gsiproxy = root["auth"]["gsi"].asInt();
     config.auth.use_user_sss = root["auth"]["sss"].asInt();
+    config.auth.sssEndorsement = root["auth"]["sssEndorsement"].asString();
     config.auth.credentialStore = root["auth"]["credential-store"].asString();
     config.auth.encryptionKey = config.encryptionkey;
 
diff --git a/fusex/fuse.conf.example b/fusex/fuse.conf.example
@@ -52,6 +52,7 @@
     "gsi-first" : 0,
     "sss" : 1,
     "ssskeytab" : "/etc/eos/fuse.sss.keytab",
+    "sssEndorsement" : "",
     "oauth2" : 1,
     "unix" : 0,
     "environ-deadlock-timeout" : 100,
