
As documented at http://xrootd.org/doc/dev4/tpc_protocol.htm, it seems no separate authentication between the servers is needed.

However, this seems to be actually required. Consider the following setup:

Then, I observe the following when looking at the debug logs of the xrdcp started by Server B to pull from Server A:

[Debug  ][TaskMgr           ] Registering task: "TickGeneratorTask for: ServerA.example.com:1094" to be run at: [2018-04-25 00:03:37 +0200]
[Dump   ][PostMaster        ] [ServerA.example.com:1094 #0] Sending message kXR_open (file: /some/source/file?tpc.key=XXXXXX&tpc.org=XXXXXX, mode: 00, flags: kXR_open_read kXR_async kXR_retstat ) (0xb1bfc0) through substream 0 expecting answer at 0
[Debug  ][PostMaster        ] [ServerA.example.com:1094] Found 1 address(es): [::ffff:SOMEIP]:1094
[Debug  ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Attempting connection to [::ffff:SOMEIP]:1094
[Debug  ][Poller            ] Adding socket 0xb20710 to the poller
[Debug  ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Async connection call returned
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Sending out the initial hand shake + kXR_protocol
[Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Wrote a message:  (0xe0000950), 44 bytes
[Dump   ][XRootDTransport   ] [msg: 0xe0000950] Expecting 8 bytes of message body
[Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received message header, size: 8
[Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received a message of 16 bytes
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Got the server hand shake response (type: server [], protocol version 310)
[Dump   ][XRootDTransport   ] [msg: 0xe0000950] Expecting 8 bytes of message body
[Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received message header, size: 8
[Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received a message of 16 bytes
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] kXR_protocol successful (type: server [], protocol version 310)
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Sending out kXR_login request, username: xrootd, cgi: ?xrd.cc=de&xrd.tz=1&xrd.appname=xrdcp.orig&xrd.info=&xrd.hostname=ServerB.example.com&xrd.rn=v4.8.2, dual-stack: false, private IPv4: true, private IPv6: false
[Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Wrote a message:  (0xe0000bd0), 133 bytes
[Dump   ][XRootDTransport   ] [msg: 0xe0000950] Expecting 61 bytes of message body
[Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received message header, size: 8
[Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received a message of 69 bytes
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Logged in, session: 02000000591900001800000082000000
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Authentication is required: &P=gsi,v:10300,c:ssl,ca:XXXXXX.0|XXXXXX.0
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Sending authentication data
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Trying to authenticate using gsi
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Cannot get credentials for protocol gsi: Secgsi: ErrParseBuffer: error getting user proxies: kXGS_init
[Error  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] No protocols left to try
[Error  ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Socket error while handshaking: [FATAL] Auth failed
[Debug  ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Closing the socket

Finally, I see "[FATAL] Auth failed" and TPC does not take place.

However, it works just fine if the Source-server has the unsafe "unix" authentication enabled on ServerA:

[Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Wrote a message:  (0xc000bd0), 133 bytes
[Dump   ][XRootDTransport   ] [msg: 0xc000950] Expecting 68 bytes of message body
[Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received message header, size: 8
[Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received a message of 76 bytes
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Logged in, session: 020000004d5b00001800000003000000
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Authentication is required: &P=gsi,v:10300,c:ssl,ca:XXXXXX.0|XXXXXX.0&P=unix
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Sending authentication data
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Trying to authenticate using gsi
[Dump   ][TaskMgr           ] Running task: "FileTimer task"
[Dump   ][TaskMgr           ] Will rerun task "FileTimer task" at [2018-04-25 00:35:04 +0200]
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Cannot get credentials for protocol gsi: Secgsi: ErrParseBuffer: error getting user proxies: kXGS_init
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Trying to authenticate using unix
[Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Wrote a message:  (0xc0faa50), 43 bytes
[Dump   ][XRootDTransport   ] [msg: 0xc0faa50] Expecting 0 bytes of message body
[Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received message header, size: 8
[Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received a message of 8 bytes
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Authenticated with unix.
[Debug  ][PostMaster        ] [ServerA.example.com:1094 #0] Stream 0 connected.

It seems login happens as user xrootd, even though this user is not listed in acc.authdb.

Now, there are two issues here:

Is there another configuration "trick" one could use to have TPC working in a safe configuration?
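
A triage helper for the two handshakes quoted above, added here as an example and not part of the original post or of XRootD: it reads xrdcp debug lines and reports, per endpoint, which security protocols the server offered, which the client tried, and whether the session was accepted through a protocol on a weak list (here `unix`, which the post calls unsafe). The sample lines are constructed from the excerpts above; `summarize` and its `weak` parameter are hypothetical names.

```python
import re

# Constructed samples modeled on the xrdcp debug lines quoted in the post.
PFX = "[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] "
NO_GSI = PFX + "Cannot get credentials for protocol gsi: Secgsi: ErrParseBuffer: error getting user proxies: kXGS_init"
GSI_ONLY = [
    PFX + "Authentication is required: &P=gsi,v:10300,c:ssl,ca:XXXXXX.0|XXXXXX.0",
    PFX + "Trying to authenticate using gsi",
    NO_GSI,
    "[Error  ][AsyncSock         ] [ServerA.example.com:1094 #0.0] "
    "Socket error while handshaking: [FATAL] Auth failed",
]
GSI_AND_UNIX = [
    PFX + "Authentication is required: &P=gsi,v:10300,c:ssl,ca:XXXXXX.0|XXXXXX.0&P=unix",
    PFX + "Trying to authenticate using gsi",
    NO_GSI,
    PFX + "Trying to authenticate using unix",
    PFX + "Authenticated with unix.",
]

# "[Level][Topic] [host:port #stream] message"
LINE = re.compile(r"^\[\w+\s*\]\[\w+\s*\] \[([^\]\s]+)[^\]]*\] (.*)$")
EVENTS = {
    "offered": re.compile(r"Authentication is required: (\S+)"),
    "tried": re.compile(r"Trying to authenticate using (\w+)"),
    "no_creds": re.compile(r"Cannot get credentials for protocol (\w+)"),
    "accepted": re.compile(r"Authenticated with (\w+)"),
}

def summarize(lines, weak=("unix",)):
    """Per-endpoint view of which protocols were offered, tried and accepted."""
    out = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # e.g. TaskMgr lines carry no endpoint tag
        host, msg = m.groups()
        s = out.setdefault(host, {"offered": [], "tried": [], "no_creds": [],
                                  "accepted": None, "failed": False})
        for key, rx in EVENTS.items():
            hit = rx.search(msg)
            if hit and key == "offered":  # "&P=gsi,v:...&P=unix" -> ["gsi", "unix"]
                s[key] = [p.split(",")[0] for p in hit.group(1).split("&P=") if p]
            elif hit and key == "accepted":
                s[key] = hit.group(1)
            elif hit:
                s[key].append(hit.group(1))
        s["failed"] = s["failed"] or "Auth failed" in msg
        s["weak"] = s["accepted"] in weak  # accepted via a weak fallback?
    return out
```

Run over collected xrdcp debug output from destination servers, a `weak` flag with a non-empty `no_creds` list marks transfers that only succeeded because the source also offers the fallback protocol.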

