Hello,

I have been looking at the xrootd documentation (yes, Andy, I really do read it) on security. Right now our cluster (and others who use our example) are using unix security (yes, I know that - "Warning: unix protocol does not provide any significant level of security and should only be used in instances where security violations do not matter.").

Can I have only one security protocol defined for each data server? Are the following lines valid in the server section of the config file:

    sec.protocol /usr/lib64 unix
    sec.protocol /usr/lib64 sss

We would like to use security for xrootdfs so that they follow the same security model as the using xrootd clients (like those in root or xrdcp). From the xrootdfs readme file in the git repository the security section has the lines:

> Security:
> ========
>
> Without enabling Xrootd security module, Xrootd data servers map all XrootdFS
> users from a given XrootdFS instance to the user that actually runs that XrootdFS
> instance. With Xrootd's security module "sss" enabled in both Xrootd data server
> and XrootdFS, XrootdFS will provide to the Xrootd data servers the actual user
> information for access control.

Does this mean that when the xrootdfs process makes a connection to the data server, the user name of the person using the xrootdfs command (not the daemon running the xrootdfs process) is passed to the data server? In this way the authorization file specified by

    acc.authdb /etc/xrootd/auth_file

is followed? I am assuming yes, but have not tested it yet.

My next question is about the ownership of the client's keytable. I understand that in the configuration of the data server I can make this declaration:

    sec.protocol /usr/lib64 sss -c /etc/xrootd/.xrd/sss.keytab.grp -s /etc/xrootd/.xrd/sss.keytab.grp

On the data server machines the file must be owned by the same process who is running the data servers. On the client machines the situation is a bit more complex.

If I want xrootdfs running as when as user client jobs, then can I have the keytab file owned by the process running xrootdfs and the group permission being a group common to all of the users?

Thanks in advance for your help.

Cheers,
Doug Benjamin