The TPC protocol is independent of any particular authentication. That is 
why you can use any authentication you wish -- even different methods for 
the source and destination. Being independent of the authentication method 
being used does *not* mean it does not require authentication. All sites 
typically configure their servers to require some kind of authentication 
irrespective of what is being sent on the wire (e.g. TPC). If that is the 
case, then clearly, server to server communications need to authenticate as 
well. The TPC protocol spec merely specifies the exchanges *after* any 
required authentication occurs.

Andy

On Wed, 25 Apr 2018, Oliver Freyermuth wrote:

> As documented http://xrootd.org/doc/dev4/tpc_protocol.htm , it seems no separate authentication between the servers is needed.
>
> However, this seems to be actually required. Consider the following setup:
> - Source: Server A with sec.protocol gsi
> - Destination: Server B with sec.protocol gsi
> - Client able to authenticate to both
>
> Then, I observe the following when looking at the debug logs of the `xrdcp` started by Server B to pull from Server A:
> ```
> [Debug  ][TaskMgr           ] Registering task: "TickGeneratorTask for: ServerA.example.com:1094" to be run at: [2018-04-25 00:03:37 +0200]
> [Dump   ][PostMaster        ] [ServerA.example.com:1094 #0] Sending message kXR_open (file: /some/source/file?tpc.key=XXXXXX&tpc.org=XXXXXX, mode: 00, flags: kXR_open_read kXR_async kXR_retstat ) (0xb1bfc0) through substream 0 expecting answer at 0
> [Debug  ][PostMaster        ] [ServerA.example.com:1094] Found 1 address(es): [::ffff:SOMEIP]:1094
> [Debug  ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Attempting connection to [::ffff:SOMEIP]:1094
> [Debug  ][Poller            ] Adding socket 0xb20710 to the poller
> [Debug  ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Async connection call returned
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Sending out the initial hand shake + kXR_protocol
> [Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Wrote a message:  (0xe0000950), 44 bytes
> [Dump   ][XRootDTransport   ] [msg: 0xe0000950] Expecting 8 bytes of message body
> [Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received message header, size: 8
> [Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received a message of 16 bytes
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Got the server hand shake response (type: server [], protocol version 310)
> [Dump   ][XRootDTransport   ] [msg: 0xe0000950] Expecting 8 bytes of message body
> [Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received message header, size: 8
> [Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received a message of 16 bytes
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] kXR_protocol successful (type: server [], protocol version 310)
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Sending out kXR_login request, username: xrootd, cgi: ?xrd.cc=de&xrd.tz=1&xrd.appname=xrdcp.orig&xrd.info=&xrd.hostname=ServerB.example.com&xrd.rn=v4.8.2, dual-stack: false, private IPv4: true, private IPv6: false
> [Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Wrote a message:  (0xe0000bd0), 133 bytes
> [Dump   ][XRootDTransport   ] [msg: 0xe0000950] Expecting 61 bytes of message body
> [Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received message header, size: 8
> [Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received a message of 69 bytes
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Logged in, session: 02000000591900001800000082000000
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Authentication is required: &P=gsi,v:10300,c:ssl,ca:XXXXXX.0|XXXXXX.0
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Sending authentication data
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Trying to authenticate using gsi
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Cannot get credentials for protocol gsi: Secgsi: ErrParseBuffer: error getting user proxies: kXGS_init
> [Error  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] No protocols left to try
> [Error  ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Socket error while handshaking: [FATAL] Auth failed
> [Debug  ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Closing the socket
> ```
> Finally, I see `[FATAL] Auth failed.` and TPC does not take place.
>
> However, it works just fine if the Source-server has the unsafe "unix" authentication enabled on ServerA:
> ```
> [Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Wrote a message:  (0xc000bd0), 133 bytes
> [Dump   ][XRootDTransport   ] [msg: 0xc000950] Expecting 68 bytes of message body
> [Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received message header, size: 8
> [Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received a message of 76 bytes
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Logged in, session: 020000004d5b00001800000003000000
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Authentication is required: &P=gsi,v:10300,c:ssl,ca:XXXXXX.0|XXXXXX.0&P=unix
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Sending authentication data
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Trying to authenticate using gsi
> [Dump   ][TaskMgr           ] Running task: "FileTimer task"
> [Dump   ][TaskMgr           ] Will rerun task "FileTimer task" at [2018-04-25 00:35:04 +0200]
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Cannot get credentials for protocol gsi: Secgsi: ErrParseBuffer: error getting user proxies: kXGS_init
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Trying to authenticate using unix
> [Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Wrote a message:  (0xc0faa50), 43 bytes
> [Dump   ][XRootDTransport   ] [msg: 0xc0faa50] Expecting 0 bytes of message body
> [Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received message header, size: 8
> [Dump   ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Received a message of 8 bytes
> [Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Authenticated with unix.
> [Debug  ][PostMaster        ] [ServerA.example.com:1094 #0] Stream 0 connected.
> ```
> It seems login happens as user `xrootd`, even though this user is not listed in `acc.authdb`.
>
>
> Now, there are two issues here:
> - TPC does not seem to work unless the security protocol settings allow authentication of ServerB to ServerA.
> - I don't think this security is needed, since the `tpc.key` is already shared with both servers at this point. It's also not obvious from http://xrootd.org/doc/dev4/tpc_protocol.htm that this is to be expected.
> - In the common Grid DDM use case with GSI authentication, cross-server authentication is not really foreseen....
> - The only "easy" hack appears to be to enable user authentication. It seems some endpoints, e.g. eosatlas, are doing that...
>
>
> Is there another configuration "trick" one could use to have TPC working in a safe configuration?
>
> -- 
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly or view it on GitHub:
> https://github.com/xrootd/xrootd/issues/694
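An added example, not code from either message or from the XRootD project: it parses the `Authentication is required:` protocol offer and the outcome lines from xrdcp debug logs of the shape quoted above, so an operator reviewing TPC pulls can flag transfers that only succeeded because the source accepted `unix` after `gsi` failed. The sample log lines are constructed; the host and CA values are placeholders.

```python
import re

# Constructed sample lines modelled on the xrdcp debug output quoted in the thread
# (hostnames and CA hashes are placeholders, not real values).
GSI_ONLY_LOG = """\
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Authentication is required: &P=gsi,v:10300,c:ssl,ca:CAHASH1.0|CAHASH2.0
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Cannot get credentials for protocol gsi: Secgsi: ErrParseBuffer: error getting user proxies: kXGS_init
[Error  ][AsyncSock         ] [ServerA.example.com:1094 #0.0] Socket error while handshaking: [FATAL] Auth failed
"""

UNIX_FALLBACK_LOG = """\
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Authentication is required: &P=gsi,v:10300,c:ssl,ca:CAHASH1.0|CAHASH2.0&P=unix
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Cannot get credentials for protocol gsi: Secgsi: ErrParseBuffer: error getting user proxies: kXGS_init
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Trying to authenticate using unix
[Debug  ][XRootDTransport   ] [ServerA.example.com:1094 #0.0] Authenticated with unix.
"""

# Protocols the thread treats as unsafe for server-to-server pulls (extend as needed).
WEAK_PROTOCOLS = {"unix"}


def parse_sec_offer(offer):
    """Split a '&P=name,k:v,...&P=name' offer string into ordered protocol dicts."""
    protocols = []
    for chunk in offer.split("&P=")[1:]:
        fields = chunk.split(",")
        entry = {"name": fields[0]}
        for field in fields[1:]:
            key, _, value = field.partition(":")  # e.g. ca:HASH1.0|HASH2.0
            entry[key] = value
        protocols.append(entry)
    return protocols


def audit_tpc_handshake(log_text):
    """Summarise one xrdcp login: protocols offered, which failed, which succeeded."""
    result = {"offered": [], "failed": [], "authenticated": None, "weak_fallback": False}
    for line in log_text.splitlines():
        if m := re.search(r"Authentication is required: (\S+)", line):
            result["offered"] = [p["name"] for p in parse_sec_offer(m.group(1))]
        elif m := re.search(r"Cannot get credentials for protocol (\w+)", line):
            result["failed"].append(m.group(1))
        elif m := re.search(r"Authenticated with (\w+)\.", line):
            result["authenticated"] = m.group(1)
    # A weak protocol succeeding after a strong one failed is the case to alert on.
    result["weak_fallback"] = (result["authenticated"] in WEAK_PROTOCOLS
                               and bool(result["failed"]))
    return result
```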


https://github.com/xrootd/xrootd/issues/694#issuecomment-384419665
