> Simply establish a GSI connection but consider the client side unauthenticated?

I'm not sure I understand the suggestion - this ticket has been about xrdcp executed on a server after being told by a client to perform a third-party-copy.
If the server has a robot cert, everything already works fine. My initial question was if things can work without a robot cert (and then, naturally, GSI can not be used), since the tpc key is available. However, the tpc key only grants authorization after an initial authentication.
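The two solutions to get servers authenticated to other servers using GSI are:
- Get a robot cert, so the server can do GSI. That works fine.
- Implement proxy delegation. This is under way.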

What exactly is your proposal?
To allow unauthorized clients to proceed to the authorization stage?
My expectation is that is unsafe, since also unix auth is regarded as unsafe.

On a side note, xrootd's HTTP implementation is still not suitable for WLCG, e.g. due to #691, so it's not useful for WLCG replication anyways right now.

