
Macaroon Management

Macaroons are a type of authorization token that allows specific capabilities to be granted. An overview of their capabilities and use in dCache is provided in this presentation. Users who have a personal X.509 certificate registered in the LOFAR VOMS administration may generate macaroons themselves if they wish to do so. User-generated macaroons will, however, not allow data to be staged from tape, and will thus only work for data that is available for immediate access (i.e. data that has a copy on disk). Most users are expected to work with the macaroons generated by the LOFAR staging service. Note that a new macaroon can be derived from an existing macaroon to further restrict its access by adding 'caveats'; caveats can only be added, never removed, so a derived macaroon is never more powerful than the one it was derived from. Generating derived macaroons is beyond the scope of this documentation.

The macaroons distributed by the stageIT service have a limited lifetime and are only guaranteed to grant access to the data (paths) that are part of the staging request. If a request includes data from multiple sites or projects, multiple macaroons may be provided. The user is expected to follow the instructions to make sure the appropriate macaroon is used for each data path. Using an invalid macaroon (e.g. one that has expired, or one restricted to a different data path) will result in commands failing as unauthorized.
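The attenuation and rejection behaviour described above (caveats can only narrow access; an expired or wrong-path macaroon is refused) is shown here in a minimal macaroon implementation. This is an added illustration, not code from the LOFAR documentation or from dCache, and it is not a client for the staging service. The root key, service location, request identifier, data paths and the 'path:' and 'before:' caveat spellings are constructed assumptions for the example; the real caveat syntax should be taken from the dCache documentation.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Assumption: a hypothetical server-side root secret. It never leaves the service.
ROOT_KEY = b"hypothetical-dcache-root-key"


def _chain(key: bytes, message: str) -> bytes:
    """One link of the HMAC chain that forms a macaroon signature."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()


@dataclass
class Macaroon:
    location: str
    identifier: str
    caveats: List[str] = field(default_factory=list)
    signature: bytes = b""

    @classmethod
    def mint(cls, root_key: bytes, location: str, identifier: str) -> "Macaroon":
        """Only the holder of the root key (the service) can mint a macaroon."""
        return cls(location, identifier, [], _chain(root_key, identifier))

    def add_first_party_caveat(self, caveat: str) -> "Macaroon":
        """Anyone holding a macaroon can attenuate it by appending a caveat.
        The new signature is HMAC(old signature, caveat): a caveat can be added
        without the root key but never removed, which would mean inverting the HMAC."""
        return Macaroon(self.location, self.identifier,
                        self.caveats + [caveat], _chain(self.signature, caveat))


def verify(root_key: bytes, m: Macaroon, request_path: str,
           now: datetime) -> Tuple[bool, str]:
    """Server-side check: recompute the signature chain, then test every caveat."""
    sig = _chain(root_key, m.identifier)
    for caveat in m.caveats:
        sig = _chain(sig, caveat)
    if not hmac.compare_digest(sig, m.signature):
        return False, "bad signature (tampered or caveat stripped)"
    for caveat in m.caveats:
        kind, _, value = caveat.partition(":")
        if kind == "before":   # expiry; caveat spelling is an assumption
            if now >= datetime.fromisoformat(value):
                return False, "expired at " + value
        elif kind == "path":   # request must be this path or lie below it
            if request_path != value and not request_path.startswith(value.rstrip("/") + "/"):
                return False, request_path + " is outside " + value
        else:                  # unknown caveat: fail closed
            return False, "unknown caveat " + caveat
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Constructed scenario: a staging-service macaroon, a user-derived one, a forgery."""
    now = datetime(2024, 5, 1, tzinfo=timezone.utc)
    later = datetime(2024, 7, 1, tzinfo=timezone.utc)
    project = "/lofar/ops/projects/LC0_001"           # constructed data path
    staged = (Macaroon.mint(ROOT_KEY, "https://webdav.example.org", "staging-req-42")
              .add_first_party_caveat("path:" + project)
              .add_first_party_caveat("before:2024-06-01T00:00:00+00:00"))
    # The user narrows it to one observation directory; no key is needed for this.
    derived = staged.add_first_party_caveat("path:" + project + "/L123456")
    # An attacker keeps the signature but drops the expiry caveat; the signature
    # still belongs to the full chain, so verification fails.
    forged = Macaroon(staged.location, staged.identifier, staged.caveats[:1], staged.signature)
    return {
        "staged_in_request": verify(ROOT_KEY, staged, project + "/L123456/data.tar", now)[0],
        "staged_other_project": verify(ROOT_KEY, staged, "/lofar/ops/projects/LC0_002/x", now)[0],
        "staged_expired": verify(ROOT_KEY, staged, project + "/x", later)[0],
        "derived_inside": verify(ROOT_KEY, derived, project + "/L123456/data.tar", now)[0],
        "derived_sibling": verify(ROOT_KEY, derived, project + "/L999999/data.tar", now)[0],
        "caveat_stripped": verify(ROOT_KEY, forged, project + "/x", now)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:22s} {'allowed' if allowed else 'unauthorized'}")
```

The two properties a user of the staging service relies on are both visible in verify: the signature is checked before any caveat is read, so stripping a caveat is indistinguishable from tampering, and every path caveat in the chain must hold, so a derived macaroon can only reach a subset of what its parent could.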