> The redirector should work in a way that it can redirect > clients as fast as possible, leaving the grunt work to the leafs. I complete agree with that. > > For your approach, you would need to modify the xrootd protocol in a way > that > the redirector informs the leaf that your access is allowed, because your > client is not proxied through the redirector to the leafs, but really > makes > an own connection to the leaf node: Actually, that's already in the protocol. We put it in so that you could tell the leaf node in a "light weight" way that the client went through the redirector. This was in response to a Castor requirement. Fortunately, that bit of the protocol also allows you to do many other things, like authentication/authorization on the redirector (possible, though not particularly useful for large sites). I should also point out that while this is in the protocol, none of the current code makes use of it. Andy