On Sep 26, 2014, at 3:10 AM, Andrew Hanushevsky wrote:
> Hi Brian,
>
> The TPC is used extensively by EOS so Lukasz and Andreas have a lot of experience in setting up TPC. Specifically, using xrdcp to an arbitrary server does not bypass any authentication that was set up by the source or destination site. If we did that we would be opening up a huge security hole. So, if a site requires GSI auth then you better have a cert to get past the first hurdle. The same is true for any basic authorization that was set up by the site. In the federated context that usually is not an issue.
>
I guess I don't understand. What's the point of having the temporary tpc.key when the xrdcp also needs to authenticate? Why not have the tpc.key be a valid authentication token for the xrdcp process to use against the source server?
This is how Globus GridFTP works. Client auths with server A, Client auths with server B, client instructs server B to trust connections coming from server A. Server B trusts server A because it trusts the client. This transitive trust model allows the two servers to establish trust - even if they use completely different sets of CA certificates.
> If you really want to bypass authentication, then you can bind an alternate authentication protocol (e.g. host) to particular hosts. That generally isn't scalable but it can be done.
>
> The server will search for binaries in whatever is in $PATH. My guess is that for daemons /usr/bin isn't in $PATH for historic reasons. But it is easy to check.
>
> As for which file was targeted by the copy, that is solely determined by the client that initiated the copy. From your command line it specifically asked it to copy to the indicated destination file. So, it was doing exactly what you asked it to do.
>
Yes - but xrdcp cannot write into file://; it needs to use the OSS plugin (plus the N2N module) to translate the name to the correct local one and write into HDFS.
I'm guessing that this implies I need to write a custom client to get TPC working in CMS?
Brian