> The redirector should work in a way that it can redirect
> clients as fast as possible, leaving the grunt work to the leafs.
I complete agree with that.
> For your approach, you would need to modify the xrootd protocol in a way
> the redirector informs the leaf that your access is allowed, because your
> client is not proxied through the redirector to the leafs, but really
> an own connection to the leaf node:
Actually, that's already in the protocol. We put it in so that you could
tell the leaf node in a "light weight" way that the client went through the
redirector. This was in response to a Castor requirement. Fortunately, that
bit of the protocol also allows you to do many other things, like
authentication/authorization on the redirector (possible, though not
particularly useful for large sites). I should also point out that while
this is in the protocol, none of the current code makes use of it.