If you don't have a SciToken and you expected one with, say, unix, then you shouldn't forward the request. If you don't have it but it is GSI (or some other strong authentication mechanism you trust), then you can forward it.

Actually, I think Derek was considering the settings for the origin -- right, @djw8605?

That said, it looks like, during the transition period, we have the following sequence:

  1. All caches will need registered host certificates, enabling GSI authentication between cache and origin.
  2. Start introducing the use of SciTokens chained to the default Authfile; because the SciToken plugin is listed first, authorization will be done preferentially with that.
  3. As each VO converts to SciToken authorization, you can remove their corresponding rules from the Authfile.
  4. Once all VOs have converted over to SciTokens, you can add the Unix authentication method to origins.
  5. Once all origins have updated, you can remove the requirement of host certificates for caches and start removing the GSI authentication method.

