The TPC protocol is independent of any particular authentication. That is
why you can use any authentication you wish -- even different methods for
the source and destination. Being independent of the authentication method
being used does *not* mean it does not require authentication. All sites
typically configure their servers to require some kind of authentication
irrespective of what is being sent on the wire (e.g. TPC). If that is the
case, then clearly, server to server communications need to authenticate as
well. The TPC protocol spec merely specifies the exchanges *after* any
required authentication occurs.

Andy

On Wed, 25 Apr 2018, Oliver Freyermuth wrote:

> As documented http://xrootd.org/doc/dev4/tpc_protocol.htm , it seems no separate authentication between the servers is needed.
>
> However, this seems to be actually required. Consider the following setup:
> - Source: Server A with sec.protocol gsi
> - Destination: Server B with sec.protocol gsi
> - Client able to authenticate to both
>
> Then, I observe the following when looking at the debug logs of the `xrdcp` started by Server B to pull from Server A:
> ```
> [Debug ][TaskMgr ] Registering task: "TickGeneratorTask for: ServerA.example.com:1094" to be run at: [2018-04-25 00:03:37 +0200]
> [Dump ][PostMaster ] [ServerA.example.com:1094 #0] Sending message kXR_open (file: /some/source/file?tpc.key=XXXXXX&tpc.org=XXXXXX, mode: 00, flags: kXR_open_read kXR_async kXR_retstat ) (0xb1bfc0) through substream 0 expecting answer at 0
> [Debug ][PostMaster ] [ServerA.example.com:1094] Found 1 address(es): [::ffff:SOMEIP]:1094
> [Debug ][AsyncSock ] [ServerA.example.com:1094 #0.0] Attempting connection to [::ffff:SOMEIP]:1094
> [Debug ][Poller ] Adding socket 0xb20710 to the poller
> [Debug ][AsyncSock ] [ServerA.example.com:1094 #0.0] Async connection call returned
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Sending out the initial hand shake + kXR_protocol
> [Dump ][AsyncSock ] [ServerA.example.com:1094 #0.0] Wrote a message: (0xe0000950), 44 bytes
> [Dump ][XRootDTransport ] [msg: 0xe0000950] Expecting 8 bytes of message body
> [Dump ][AsyncSock ] [ServerA.example.com:1094 #0.0] Received message header, size: 8
> [Dump ][AsyncSock ] [ServerA.example.com:1094 #0.0] Received a message of 16 bytes
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Got the server hand shake response (type: server [], protocol version 310)
> [Dump ][XRootDTransport ] [msg: 0xe0000950] Expecting 8 bytes of message body
> [Dump ][AsyncSock ] [ServerA.example.com:1094 #0.0] Received message header, size: 8
> [Dump ][AsyncSock ] [ServerA.example.com:1094 #0.0] Received a message of 16 bytes
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] kXR_protocol successful (type: server [], protocol version 310)
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Sending out kXR_login request, username: xrootd, cgi: ?xrd.cc=de&xrd.tz=1&xrd.appname=xrdcp.orig&xrd.info=&xrd.hostname=ServerB.example.com&xrd.rn=v4.8.2, dual-stack: false, private IPv4: true, private IPv6: false
> [Dump ][AsyncSock ] [ServerA.example.com:1094 #0.0] Wrote a message: (0xe0000bd0), 133 bytes
> [Dump ][XRootDTransport ] [msg: 0xe0000950] Expecting 61 bytes of message body
> [Dump ][AsyncSock ] [ServerA.example.com:1094 #0.0] Received message header, size: 8
> [Dump ][AsyncSock ] [ServerA.example.com:1094 #0.0] Received a message of 69 bytes
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Logged in, session: 02000000591900001800000082000000
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Authentication is required: &P=gsi,v:10300,c:ssl,ca:XXXXXX.0|XXXXXX.0
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Sending authentication data
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Trying to authenticate using gsi
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Cannot get credentials for protocol gsi: Secgsi: ErrParseBuffer: error getting user proxies: kXGS_init
> [Error ][XRootDTransport ] [ServerA.example.com:1094 #0.0] No protocols left to try
> [Error ][AsyncSock ] [ServerA.example.com:1094 #0.0] Socket error while handshaking: [FATAL] Auth failed
> [Debug ][AsyncSock ] [ServerA.example.com:1094 #0.0] Closing the socket
> ```
> Finally, I see `[FATAL] Auth failed.` and TPC does not take place.
>
> However, it works just fine if the Source-server has the unsafe "unix" authentication enabled on ServerA:
> ```
> [Dump ][AsyncSock ] [ServerA.example.com:1094 #0.0] Wrote a message: (0xc000bd0), 133 bytes
> [Dump ][XRootDTransport ] [msg: 0xc000950] Expecting 68 bytes of message body
> [Dump ][AsyncSock ] [ServerA.example.com:1094 #0.0] Received message header, size: 8
> [Dump ][AsyncSock ] [ServerA.example.com:1094 #0.0] Received a message of 76 bytes
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Logged in, session: 020000004d5b00001800000003000000
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Authentication is required: &P=gsi,v:10300,c:ssl,ca:XXXXXX.0|XXXXXX.0&P=unix
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Sending authentication data
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Trying to authenticate using gsi
> [Dump ][TaskMgr ] Running task: "FileTimer task"
> [Dump ][TaskMgr ] Will rerun task "FileTimer task" at [2018-04-25 00:35:04 +0200]
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Cannot get credentials for protocol gsi: Secgsi: ErrParseBuffer: error getting user proxies: kXGS_init
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Trying to authenticate using unix
> [Dump ][AsyncSock ] [ServerA.example.com:1094 #0.0] Wrote a message: (0xc0faa50), 43 bytes
> [Dump ][XRootDTransport ] [msg: 0xc0faa50] Expecting 0 bytes of message body
> [Dump ][AsyncSock ] [ServerA.example.com:1094 #0.0] Received message header, size: 8
> [Dump ][AsyncSock ] [ServerA.example.com:1094 #0.0] Received a message of 8 bytes
> [Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Authenticated with unix.
> [Debug ][PostMaster ] [ServerA.example.com:1094 #0] Stream 0 connected.
> ```
> It seems login happens as user `xrootd`, even though this user is not listed in `acc.authdb`.
>
>
> Now, there are two issues here:
> - TPC does not seem to work unless the security protocol settings allow authentication of ServerB to ServerA.
> - I don't think this security is needed, since the `tpc.key` is already shared with both servers at this point. It's also not obvious from http://xrootd.org/doc/dev4/tpc_protocol.htm that this is to be expected.
> - In the common Grid DDM use case with GSI authentication, cross-server authentication is not really foreseen....
> - The only "easy" hack appears to be to enable user authentication. It seems some endpoints, e.g. eosatlas, are doing that...
>
>
> Is there another configuration "trick" one could use to have TPC working in a safe configuration?
>
> --
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly or view it on GitHub:
> https://github.com/xrootd/xrootd/issues/694
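One way to audit the client-side debug output quoted above for the fallback Oliver describes, as an added example that is neither code from this thread nor from the XRootD project: it parses the `Authentication is required: &P=...` advertisement the source server sends, follows the subsequent attempt/failure/success lines, and flags any handshake that ended up authenticated with `unix` after `gsi` was offered but could not be used. The sample log is a trimmed copy of the lines quoted in the thread (same anonymised hosts and keys); the regexes, function names, the `Handshake` class and the `WEAK_PROTOCOLS` set are assumptions of this example, not part of any XRootD API.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the two handshakes quoted in the thread, trimmed to the
# XRootDTransport/AsyncSock lines that matter for the audit.
SAMPLE_LOG = """\
[Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Logged in, session: 02000000591900001800000082000000
[Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Authentication is required: &P=gsi,v:10300,c:ssl,ca:XXXXXX.0|XXXXXX.0
[Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Sending authentication data
[Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Trying to authenticate using gsi
[Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Cannot get credentials for protocol gsi: Secgsi: ErrParseBuffer: error getting user proxies: kXGS_init
[Error ][XRootDTransport ] [ServerA.example.com:1094 #0.0] No protocols left to try
[Error ][AsyncSock ] [ServerA.example.com:1094 #0.0] Socket error while handshaking: [FATAL] Auth failed
[Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Logged in, session: 020000004d5b00001800000003000000
[Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Authentication is required: &P=gsi,v:10300,c:ssl,ca:XXXXXX.0|XXXXXX.0&P=unix
[Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Trying to authenticate using gsi
[Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Cannot get credentials for protocol gsi: Secgsi: ErrParseBuffer: error getting user proxies: kXGS_init
[Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Trying to authenticate using unix
[Debug ][XRootDTransport ] [ServerA.example.com:1094 #0.0] Authenticated with unix.
"""

# Regexes (assumed for this example) matching the message shapes seen above.
HOST_RE = re.compile(r"\[(?P<host>[^\s\]]+:\d+) #\d+(?:\.\d+)?\] (?P<msg>.*)$")
REQUIRED_RE = re.compile(r"^Authentication is required: (?P<sec>.*)$")
TRYING_RE = re.compile(r"^Trying to authenticate using (?P<proto>\w+)$")
NOCRED_RE = re.compile(r"^Cannot get credentials for protocol (?P<proto>\w+): (?P<why>.*)$")
OK_RE = re.compile(r"^Authenticated with (?P<proto>\w+)\.?$")
FAIL_RE = re.compile(r"Auth failed")

# "unix" only asserts the client's local user name; nothing cryptographic backs it.
WEAK_PROTOCOLS = {"unix"}


@dataclass
class Handshake:
    host: str
    offered: dict = field(default_factory=dict)    # proto -> {param: value}
    tried: list = field(default_factory=list)
    failures: dict = field(default_factory=dict)   # proto -> reason it could not be used
    succeeded: Optional[str] = None
    fatal: bool = False

    @property
    def downgraded(self) -> bool:
        """A strong protocol was advertised, but a weak one is what actually got used."""
        return (self.succeeded in WEAK_PROTOCOLS
                and any(p not in WEAK_PROTOCOLS for p in self.offered))


def parse_sec_string(sec: str) -> dict:
    """Turn '&P=gsi,v:10300,c:ssl,ca:X|Y&P=unix' into {'gsi': {...}, 'unix': {}}."""
    offered = {}
    for entry in filter(None, sec.split("&P=")):
        name, *params = entry.split(",")
        offered[name] = dict(p.split(":", 1) for p in params if ":" in p)
    return offered


def parse_log(text: str) -> list:
    """One Handshake per 'Authentication is required' line, in log order."""
    handshakes, current = [], None
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        host, msg = m.group("host"), m.group("msg")
        if (r := REQUIRED_RE.match(msg)):
            current = Handshake(host=host, offered=parse_sec_string(r.group("sec")))
            handshakes.append(current)
            continue
        if current is None:
            continue
        if (t := TRYING_RE.match(msg)):
            current.tried.append(t.group("proto"))
        elif (n := NOCRED_RE.match(msg)):
            current.failures[n.group("proto")] = n.group("why")
        elif (o := OK_RE.match(msg)):
            current.succeeded = o.group("proto")
        elif FAIL_RE.search(msg):
            current.fatal = True
    return handshakes


def audit(text: str) -> list:
    """One finding string per handshake: FAILED, WEAK (downgrade) or OK."""
    findings = []
    for h in parse_log(text):
        if h.succeeded is None:
            findings.append(f"{h.host}: FAILED, offered {sorted(h.offered)}, tried {h.tried}")
        elif h.downgraded:
            findings.append(f"{h.host}: WEAK, authenticated with {h.succeeded} "
                            f"after {list(h.failures)} failed")
        else:
            findings.append(f"{h.host}: OK, authenticated with {h.succeeded}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run over the sample, the first handshake is reported as FAILED (only `gsi` offered, no proxy available to the server-side `xrdcp`) and the second as WEAK, which is exactly the "enable unix" workaround: the transfer completes, but the identity the source accepted is nothing more than the user name `xrootd` asserted by the pulling process. Pointing the script at the destination server's transfer logs gives a quick inventory of which TPC peers are relying on that downgrade.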



Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1