Skip to content

Add test coverage for cache scitoken overrides using Xrootd.ScitokensConfig#3028

Merged
bbockelm merged 4 commits intomainfrom
copilot/allow-scitoken-overrides-cache
Mar 1, 2026
Merged

Add test coverage for cache scitoken overrides using Xrootd.ScitokensConfig#3028
bbockelm merged 4 commits intomainfrom
copilot/allow-scitoken-overrides-cache

Conversation

Copy link
Contributor

Copilot AI commented Jan 23, 2026
edited
Loading

Changes

Reverted the addition of Cache.ScitokensUserOverride parameter because the functionality already exists via Xrootd.ScitokensConfig, which is marked as usable by both cache and origin components.

New comprehensive E2E test: TestCacheScitokensConfigOverride demonstrates:

  1. Sets up a full federation with private reads and pulls a file through cache
  2. Simulates origin downtime by removing namespace ads from cache
  3. Triggers cache authz refresh by overwriting Xrootd.ScitokensConfig with unrelated issuer
  4. Verifies data is no longer accessible through cache
  5. Triggers another authz refresh with proper authorization for the test prefix
  6. Verifies cached object is now accessible even without origin

This test validates that Xrootd.ScitokensConfig provides the override mechanism needed for caches to serve objects during origin downtime.

All review feedback addressed including linter fixes.

Original prompt

This section details on the original issue you should resolve

<issue_title>Allow scitoken overrides in the cache</issue_title>
<issue_description>ONLY is the cache is unregistered, we should allow the administrator to specify a scitoken overrides file that gets merged into the calculated scitoken file.

This is analogous to what is done for the origin.

When adding the new configuration parameter, mark it as runtime reloadable. Make sure the file to use (if a file is used) can indeed be changed at runtime.

The goal is to have this be a mechanism where specific caches can continue to serve objects even when the origin is in downtime. Add an integration test along those lines.</issue_description>

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI changed the title [WIP] Add support for scitoken overrides in the cache Add scitoken override support for site-local caches Jan 24, 2026
Copilot AI requested a review from bbockelm January 24, 2026 00:17
bbockelm
bbockelm previously requested changes Jan 26, 2026
View reviewed changes
Copy link
Collaborator

@bbockelm bbockelm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like Xrootd.ScitokensConfig works for both caches and origins, meaning this functionality already exists. Let's focus on providing test coverage for this fact in cache mode. I like having both a unit test and an e2e test as is done in this PR.

I'd additionally like a new E2E test that:

  • Sets up a full federation and pulls a file through the cache.
  • Places the origin in downtime and removes corresponding namespace ads.
  • Triggers a cache authz refresh. This can be done by overwriting the Xrootd.ScitokensConfig file with some new issuer covering an unrelated path. You can verify the refresh by seeing new data show up in the corresponding generated file.
  • Verify you can no longer access the data through the cache.
  • Trigger another cache authz refresh, this time adding the authorization information explicitly for the test prefix.
  • Verify you can now access the cached object, even with the origin offline.

This new test will demonstrate that the Xrootd.ScitokensConfig override is the only thing needed to access offline data in a cache.

e2e_fed_tests/cache_scitoken_override_test.go Outdated

/***************************************************************
*
* Copyright (C) 2025, Pelican Project, Morgridge Institute for Research
Copy link
Collaborator

@bbockelm bbockelm Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's 2026

Copy link
Contributor Author

Copilot AI Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in commit 0bdf17e

Copy link
Contributor Author

Copilot AI commented Jan 26, 2026

It looks like Xrootd.ScitokensConfig works for both caches and origins, meaning this functionality already exists. Let's focus on providing test coverage for this fact in cache mode. I like having...

Added comprehensive E2E test as requested in commit 0bdf17e. The test:

  • Sets up federation and pulls file through cache
  • Removes namespace ads to simulate origin downtime
  • Triggers cache authz refresh with unrelated issuer
  • Verifies data is no longer accessible
  • Triggers another refresh with proper authorization for test prefix
  • Verifies cached object is accessible despite "offline" origin

The test demonstrates that Xrootd.ScitokensConfig override is sufficient for accessing offline data in a cache.

Copilot AI changed the title Add scitoken override support for site-local caches Add test coverage for cache scitoken overrides using Xrootd.ScitokensConfig Jan 26, 2026
Copilot AI requested a review from bbockelm January 26, 2026 21:35
@bbockelm bbockelm force-pushed the copilot/allow-scitoken-overrides-cache branch from 8b9d74c to 996bf60 Compare January 27, 2026 02:04
@bbockelm bbockelm added client Issue affecting the OSDF client cache Issue relating to the cache component user-request labels Feb 21, 2026
@bbockelm bbockelm requested a review from turetske February 21, 2026 16:22
@bbockelm bbockelm force-pushed the copilot/allow-scitoken-overrides-cache branch from 996bf60 to a259732 Compare February 21, 2026 16:58
@bbockelm bbockelm marked this pull request as ready for review February 21, 2026 17:17
turetske
turetske requested changes Feb 25, 2026
View reviewed changes
Copy link
Collaborator

@turetske turetske left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The linked task specifies that "ONLY if the cache is unregistered, we should allow the administrator to specify a scitoken overrides file that gets merged into the calculated scitoken file" which makes sense as it could potentially override security in certain places. I don't see any check for if the cache is unregistered to allow this.

Edit: Nevermind, had a discussion with Brian about this. Ignore this comment

@turetske turetske self-requested a review February 25, 2026 17:54
turetske
turetske requested changes Feb 26, 2026
View reviewed changes
@turetske
Copy link
Collaborator

turetske commented Feb 26, 2026

@copilot Please address the review comments that are tagging you.

Copilot AI requested a review from turetske February 26, 2026 18:22
turetske
turetske reviewed Feb 26, 2026
View reviewed changes
Copilot AI requested a review from turetske February 26, 2026 19:20
@turetske
Copy link
Collaborator

turetske commented Feb 26, 2026

@copilot Please fix the linter errors

Copy link
Contributor Author

Copilot AI commented Feb 26, 2026

@copilot Please fix the linter errors

Fixed in commit 9122618 - removed unused assert import (all assertions were changed to require.* in earlier commits)

turetske
turetske approved these changes Feb 26, 2026
View reviewed changes
Copy link
Collaborator

@turetske turetske left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bbockelm Throwing this back to you.

bbockelm and others added 4 commits February 28, 2026 09:12
@bbockelm
Automatically refresh the namespaces when scitokens.cfg changes
7a717d2 
This helps refresh information quickly in unit tests.  Includes a "floor"
to prevent this from happening too quickly in production.
@bbockelm
Continue despite director failure
cb84892 
If the director failed - but the user specified a cache to use - continue
trying the request against that cache.

Use the default token; in this case, it will not select the right token
automatically.

This allows a cache to be leveraged and Pelican to work while everything
else in the federation is 100% offline.
@bbockelm
Provide an E2E cache test for offline origins
7f6de36 
Shows that data can be accessed at a cache even when the origin
is offline!
@turetske @bbockelm
Address review feedback on test and client code
1e02d4d 
- Change assert.Equal/Error to require.Equal/Error for critical assertions
- Increase test timeouts from 5s/10s to 20s to handle CI load
- Use URL construction instead of string concatenation for cache URL
- Create resource file for origin config (single-private-full.yml)
- Fix tj.token.DirResp not being set when director fails with explicit caches

Co-authored-by: turetske <498529+turetske@users.noreply.github.com>
@bbockelm bbockelm force-pushed the copilot/allow-scitoken-overrides-cache branch from 9122618 to 1e02d4d Compare February 28, 2026 15:13
@bbockelm bbockelm dismissed their stale review February 28, 2026 15:14

All items addressed!

@bbockelm bbockelm merged commit 894da13 into main Mar 1, 2026
31 of 32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@turetske turetske turetske approved these changes

@bbockelm bbockelm Awaiting requested review from bbockelm

Assignees

@turetske turetske

@bbockelm bbockelm

Copilot code review Copilot

Labels

cache Issue relating to the cache component client Issue affecting the OSDF client user-request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Allow scitoken overrides in the cache

3 participants

@turetske @bbockelm