> I think some kind of authentication based on shared secret/tpc.key is still useful.

As far as I understand, currently, when one server starts xrdcp to start up a TPC transfer, authentication happens before the TPC key is transferred to the other end. Hence, this needs to happen between the two servers, either via shared secret, GSI or something else. Only after that, authorization via the TPC key can step in.

> Why ddmadmin used by FTS does not work is strange. Does the proxy have a VOMS attribute?

No, the ddmadmin robot does not transfer any VOMS attributes, and that's exactly the problem. I only see the GSI certificate, but no VO or role.

