Reword the pre-requisites and adapt tests

[esindril]

The list of pre-requisites includes some statements which are a bit contradictory to my understanding. For example:

AuthZ will be based on the storage.* scopes in the token,

and then

Read access (allowed to) ... all clients presenting a valid JWT token issued by the WLCG token issuer

From what I remember, it was agreed that access to SE with tokens targeting such systems should be done using an appropriate scope, like storage.read:/... or storage.write:/...`. Once this is addressed, also the tests need to be properly adjusted (at least in terms of the scope of the tokens used).

[paulmillar]

Hi @esindril ,

Please bear in mind that a JWT is a carrier both of explicit authorisation statements (storage.* elements in the scope claim) and of group- and VO membership information (e.g., the wlcg.groups). The latter is intended as a (more-or-less) direct replacement for the existing VOMS-based authorisation decisions that storage systems already make.

That isn't to say that the wording should be tightened up: the text could be improved and I've already made modest contributions in this direction.

However, I'm not aware of any final decision on how storage should handle JWT; specifically, on whether a user who presents a token with no explicit authorisation (i.e., no storage.* elements in the scope claim) but with group membership information can reasonably expect that token to authorise any operations.

[esindril]

Hi @paulmillar ,

Yes, indeed, both types of information can be present in the token but currently the scitokens implementation in XRootD (XrdSciTokens - which is also used as plugin in EOS) denies access for tokens without a (properly) specified scope. I also think this could benefit from a bit for discussion between the different SE providers and major projects involved. I actually suggested this on the wlgc-doma-tpc mailing list.