Hi, Artem and Andy

> I can't quite see how the setup with one master violates security. Your
> secure pool is still protected by a firewall from certain clients. The master
> only tells a client which pool to use.

This setup sounds fine to me (except that it leaves the server open to denial 
of service attacks from outside, if one is worried about such things. This 
could degrade the service for internal jobs quite a bit, if lots of requests 
for nonexistent files are made, or even worse, if staging on servers is 
triggered).

About the ALICE stuff:
The TokenAuthz module implements authorization, not authentication. It needs 
the GSI authentication (XrdSecgsi) to work sensibly. A client obtains an 
encrypted authorization token via a request to a file catalog (the natural 
place to store file permissions, and the client needs to get the site name of 
the file anyway). This token is submitted by the xrootd client to an xrootd 
server with the request for the file. The server decrypts the token, checks that 
the distinguished name in the token matches the one from authentication, gets the file 
permissions for the file from the token and makes a decision.

Current problem: GSI authentication is slow, and in the current implementation 
we would be forced to run it on both redirectors and leaf nodes (awful).

Cheers,
Derek


On Wednesday 01 February 2006 22.33, Artem Trunov wrote:
> Hi, Andy!
>
> I can't quite see how the setup with one master violates security. Your
> secure pool is still protected by a firewall from certain clients. The master
> only tells a client which pool to use.
>
> Absence of this setup, actually, forces people to make all their servers
> open to the world where they may need only a few.
>
> And, again, in dCache you have only one head node for all your needs, and
> sites happily deploy it.
>
> Artem.
>
> On Wed, 1 Feb 2006, Andrew Hanushevsky wrote:
> > Hi Artem,
> >
> > Convenient yes, but it also violates the prime security directive here. If
> > the security need is to keep servers separate then allowing even one to
> > be shared destroys the whole structure (the weakest link phenomenon). The
> > security team here doesn't like wallpaper security. So if you're going
> > to violate the security policy then overtly do so. This, of course, is
> > not to say there may not be non-security reasons for doing this. Anyway, no,
> > you will need to run two redirectors to keep the server pools truly
> > separate.
> >
> > Andy
> >
> > ----- Original Message -----
> > From: "Artem Trunov" <[log in to unmask]>
> > To: <[log in to unmask]>
> > Sent: Wednesday, February 01, 2006 6:44 AM
> > Subject: xrootd redirection based on client's subnet
> >
> > > Hi Andy et al.,
> > >
> > > Does xrootd support it? The use case is when you want to have one
> > > redirector, but keep two separate pools of servers - one for access
> > > from WNs (servers in IFZ), and another for out-of-site access (servers
> > > in DMZ). Then you'd specify selection rules in your olbd config. This is
> > > a feature of dCache, very convenient.
> > >
> > > Artem.
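The TokenAuthz decision Derek describes above (catalog issues a token carrying the DN and file permissions; the xrootd server checks the token's DN against the authenticated identity and its permissions against the request), as an added example that is not the ALICE or xrootd code: it substitutes an HMAC-authenticated token for the real encrypted one, and the shared key, DN and file paths are constructed placeholders.

```python
import hashlib
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Constructed shared secret standing in for the catalog/server key material (assumption).
CATALOG_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 32  # SHA-256 HMAC tag appended to the token body


def issue_token(key, dn, site_file, perms, ttl=600, now=None):
    """Catalog side: bind the requester's DN, the file and its permissions into one token."""
    now = time.time() if now is None else now
    claims = {"dn": dn, "file": site_file, "perms": perms, "exp": int(now + ttl)}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return urlsafe_b64encode(body + tag).decode()


def authorize(key, token, auth_dn, requested_file, op, now=None):
    """Server side: return (allowed, reason) for a request made over a GSI-authenticated session.

    auth_dn is the DN established by authentication; the token alone never identifies the caller.
    """
    now = time.time() if now is None else now
    try:
        raw = urlsafe_b64decode(token.encode())
    except Exception:
        return False, "malformed token"
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "token integrity check failed"
    claims = json.loads(body)
    if claims["exp"] < now:
        return False, "token expired"
    # The binding that makes a leaked token useless to anyone else.
    if claims["dn"] != auth_dn:
        return False, "token DN does not match authenticated DN"
    if claims["file"] != requested_file:
        return False, "token was issued for a different file"
    if op not in claims["perms"]:
        return False, "operation %r not granted by token" % op
    return True, "ok"
```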