On Mon, 4 May 2020, Brian P Bockelman wrote:

> @djw8605 - don't forget that the GSI authentication protocol for Xrootd
> _only_ works with proxies. It does not work with 'normal' client
> certificates and does not have the concept of anonymous sessions.

Well, not yet anyway. Once we replace TPC with get/putfile you will be
able to use get/putfile for third party transfers without logging in (i.e.
essentially an anonymous login). But yes, login requires some kind of
authentication even if it is bogus (the default is bogus).

> @abh3 - is it possible to mix GSI auth'n and Unix auth'n when using the
> built-in authorization file mechanism? IIRC, there's no way to provide
> authorizations based upon the authentication protocol. That is, if I
> wanted to provide an authorization line like this:
>
> ```
> g /cms /store a
> ```
>
> is it possible that this only matches groups coming from GSI
> authentication but _not_ Unix authentication?

Yes. If you have a set of authorization plugins that are
authentication type sensitive, you can stack them. Then if the auth
protocol of the first in sequence is not handled, it simply calls the
next one in the chain and returns its result. In this way you can have
authentication sensitive authorization. That exists in R5.

I thought that was what you will be doing anyway. So, you would stack
token authorization on top of the generic authorization. If the incoming
thing was token based you would handle it and if not you would pass it to
the next stacked plugin.

Andy
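
The stacking described in the reply above, as an added C++ sketch that is not part of the original email and is not XRootD code: a protocol-sensitive layer decides only for its own authentication protocol and otherwise hands the request to the next authorizer, whose result is returned. All type and function names are hypothetical, the `/ops` and `/data` rule is constructed, and treating `a` as "all privileges" is a simplifying assumption.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical types for illustration; this is not the XRootD plugin API.
struct Entity { std::string prot, group; };           // set by the authentication layer
struct Rule   { std::string group, prefix, privs; };  // modeled on "g <group> <path> <privs>"

struct Authorizer {
    virtual ~Authorizer() = default;
    virtual bool Access(const Entity& e, const std::string& path, char op) const = 0;
};

// True if path is the prefix itself or lies below it ("/store" must not match "/storefoo").
static bool Under(const std::string& path, const std::string& prefix) {
    return path.compare(0, prefix.size(), prefix) == 0 &&
           (path.size() == prefix.size() || path[prefix.size()] == '/');
}

// Protocol-agnostic rule list; also the end of the chain, so no match means deny.
class GenericAuthz : public Authorizer {
    std::vector<Rule> rules_;
public:
    explicit GenericAuthz(std::vector<Rule> r) : rules_(std::move(r)) {}
    bool Access(const Entity& e, const std::string& path, char op) const override {
        for (const auto& r : rules_)
            if (r.group == e.group && Under(path, r.prefix) &&
                (r.privs.find('a') != std::string::npos ||   // assumption: 'a' means all
                 r.privs.find(op) != std::string::npos))
                return true;
        return false;
    }
};

// Protocol-sensitive layer: decides only for its own protocol, otherwise defers.
class ProtoAuthz : public Authorizer {
    std::string prot_;
    GenericAuthz own_;
    std::unique_ptr<Authorizer> next_;
public:
    ProtoAuthz(std::string p, std::vector<Rule> r, std::unique_ptr<Authorizer> n)
        : prot_(std::move(p)), own_(std::move(r)), next_(std::move(n)) {}
    bool Access(const Entity& e, const std::string& path, char op) const override {
        if (e.prot == prot_) return own_.Access(e, path, op);  // ours: result is final
        return next_ ? next_->Access(e, path, op) : false;     // not ours: next in chain
    }
};

// Constructed chain: the GSI-only rule from the thread stacked on a generic rule set.
bool Check(const std::string& prot, const std::string& group, const std::string& path) {
    ProtoAuthz chain("gsi", {Rule{"/cms", "/store", "a"}},
        std::make_unique<GenericAuthz>(std::vector<Rule>{Rule{"/ops", "/data", "r"}}));
    return chain.Access(Entity{prot, group}, path, 'r');
}
```

With this chain a Unix-authenticated client asserting group `/cms` never reaches the GSI-only rule, and the last authorizer denies anything no rule matches.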

