Print

Print


I am not sure now what the issue is.


As the protocol spec says, the protocol version 4.0.0 should look like this:


0x00 00 04 00

Protocol version 4.0.0 (2018)



That is, hex 400.


The logging for the tpc client request:


22 Aug 2019 08:15:38 (dmsdca19-2) [] sendProtocolRequestForClient to fndcatemp2:1095, channel 6cf1918c, stream 1.
22 Aug 2019 08:15:38 (dmsdca19-2) [] sendProtocolRequestForClient to (stream 1)(version 400)  <<<<<<<<<<<<<<
22 Aug 2019 08:15:38 (dmsdca19-2) [] Decoder fndcatemp2:1095, channel 6cf1918c: adding protocol response.
22 Aug 2019 08:15:38 (dmsdca19-2) [] responseReceived, channel 6cf1918c, stream 1, requestId = kXR_protocol.
22 Aug 2019 08:15:38 (dmsdca19-2) [] Protocol response on fndcatemp2:1095, channel 6cf1918c, stream 1, received, signing policy (secLvl 0)(overrides {})(force false); status 0.

where version is printed out in hex.  The server is still returning no security level info.


There must be something else wrong?


----------

To verify:  the java-ese dCache constant is 

int  PROTOCOL_VERSION       = 0x00000400;    <<<<<<<<<<<
and the Request is constructed with it:
OutboundProtocolRequest request = new OutboundProtocolRequest(client.getStreamId(),
                                                              PROTOCOL_VERSION);

then serialized:


ByteBuf buffer = ctx.alloc().buffer(24);
try {
buffer.writeShort(streamId);
buffer.writeShort(kXR_protocol);
buffer.writeInt(version); <<<<<<<<<<<<<<<<<<<
buffer.writeBytes(RESERVED);
buffer.writeByte(kXR_secreqs);
buffer.writeInt(0);
} catch (Error | RuntimeException t) {
promise.setFailure(t);
buffer.release();
return;
}
----------

________________________________________________
Albert L. Rossi
Application Developer & Systems Analyst III
Scientific Computing Division, Data Movement Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023

From: [log in to unmask] <[log in to unmask]> on behalf of Albert Rossi <[log in to unmask]>
Sent: Wednesday, August 21, 2019 1:21:05 PM
To: xrootd-dev <[log in to unmask]>; [log in to unmask] <[log in to unmask]>
Subject: Xrootd server does not communicate security level using ProtocolResponse
 

Hi again,


With the server (4.10) set to 

sec.level all pedantic

it requires all post-authentication requests to be signed, as it should.

However, in order to do so, the third-party-copy client must know about this.

It was my understanding that this was conveyed by the Protocol Request.

Yet, when logging on to that server, the dCache TPC client finds:

sendProtocolRequestForClient to fndcatemp2:1095, channel 5c8a91fe, stream 1.
21 Aug 2019 12:54:55 (dmsdca19-2) [] Decoder fndcatemp2:1095, channel 5c8a91fe: adding protocol response.
21 Aug 2019 12:54:55 (dmsdca19-2) [] responseReceived, channel 5c8a91fe, stream 1, requestId = kXR_protocol.
21 Aug 2019 12:54:55 (dmsdca19-2) [] Protocol response on fndcatemp2:1095, channel 5c8a91fe, stream 1, received, signing policy (secLvl 0)(overrides {})(force false); status 0.
21 Aug 2019 12:54:55 (dmsdca19-2) [] Protocol request to fndcatemp2:1095, channel 5c8a91fe, stream 1, succeeded; sending login request.

That is, the ProtocolResponse header info does not convey this back.

Subsequently, when the open request is sent to the source server (xrootd), it complains that the request was not signed:

sendOpenRequest to fndcatemp2:1095, channel 5c8a91fe, stream 1, path [log in to unmask]&org.dcache.uuid=d4776fc5-cd78-41ac-99ba-983975fcf2a4.
21 Aug 2019 12:54:55 (dmsdca19-2) [] Decoder fndcatemp2:1095, channel 5c8a91fe: adding error response.
21 Aug 2019 12:54:55 (dmsdca19-2) [] Exception caught on channel 5c8a91fe: org.dcache.xrootd.core.XrootdException: Request not [log in to unmask]


Note that the dCache server does send back the correct secLvl and force values:


sendProtocolRequestForClient to fndcatemp1:1095, channel f387d5b6, stream 1.
21 Aug 2019 13:18:40 (dmsdca19-1.1) [] Decoder fndcatemp1:1095, channel f387d5b6: adding protocol response.
21 Aug 2019 13:18:40 (dmsdca19-1.1) [] responseReceived, channel f387d5b6, stream 1, requestId = kXR_protocol.
21 Aug 2019 13:18:40 (dmsdca19-1.1) [] Protocol response on fndcatemp1:1095, channel f387d5b6, stream 1, received, signing policy (secLvl 4)(overrides {})(force true); status 0.
21 Aug 2019 13:18:40 (dmsdca19-1.1) [] Protocol request to fndcatemp1:1095, channel f387d5b6, stream 1, succeeded; sending login request.


If the ProtocolResponse is not the place to look for this information, where should the client go to find out about the security level?


Al


________________________________________________
Albert L. Rossi
Application Developer & Systems Analyst III
Scientific Computing Division, Data Movement Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023


Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1



Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1