
Hello again,

I'm reviewing the state of our code with respect to the rendezvous key.

We support it on open because it was what was needed before TPC Lite, although it is currently not protected by TLS, since this was with x509 originally.

The issue here is that before, the third-party client was being told to authenticate to the door (the source server).  I am unsure whether dCache as it is right now would be able to allow an override of authentication in the case of a rendezvous key being present.

Would this be done, for example, by giving to the open by the third-party client the same permissions given to the initiating client when it authorizes via JWT to the source (on open)?  Is that the idea?

Thanks, Al

________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023

________________________________
From: Andrew Hanushevsky ***@***.***>
Sent: Wednesday, March 9, 2022 4:15 PM
To: xrootd/xrootd ***@***.***>
Cc: Albert Rossi ***@***.***>; Mention ***@***.***>
Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)


Hi Albert,

Here is where to start:

https://xrootd.slac.stanford.edu/doc/dev49/tpc_protocol.htm

Andy

On Wed, 9 Mar 2022, Albert Rossi wrote:

> Well yes, then, we need to discuss this. I will need to know how to pass the secret key through from the destination server to the client on the destination side initiating the TPC with the source server.
>
> This is new to me.
>
> Al
>
> ________________________________________________
> Albert L. Rossi
> Senior Software Developer
> Scientific Computing Division, Scientific Data Services, Distributed Data Development
> FCC 229A
> Mail Station 369 (FCC 2W)
> Fermi National Accelerator Laboratory
> Batavia, IL 60510
> (630) 840-3023
>
> ________________________________
> From: Wei Yang ***@***.***>
> Sent: Wednesday, March 9, 2022 1:59 PM
> To: xrootd/xrootd ***@***.***>
> Cc: Albert Rossi ***@***.***>; Mention ***@***.***>
> Subject: Re: [xrootd/xrootd] ZTN and Scitokens auth (Issue #1584)
>
>
> robocert is not a rendezvous key. It is something prior to x509 delegation, so we no longer need robocert. A rendezvous key is a time-limited shared secret sent by the client to both endpoints to facilitate TPC. It needs TLS.
> Whether dCache wants to support the rendezvous key is something to be discussed. The primary TPC in HEP is HTTP, though not exclusively. The rendezvous key in xrootd is used where x509 infrastructure is not available (and likely the token infrastructure is also not available, somewhere outside of HEP).
> When x509 goes away, in principle, we can use a token for authentication and then use the rendezvous key for TPC (to avoid a more complex token chain reaction), though someone will say that a token is only for authorization :-)
>
> Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1584#issuecomment-1063312302
>
>
> --
> Reply to this email directly or view it on GitHub:
> https://github.com/xrootd/xrootd/issues/1584#issuecomment-1063346075

—
Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1584#issuecomment-1063426347


-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1584#issuecomment-1076500704
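The mechanism Wei describes in the quoted reply (a time-limited shared secret that the client hands to both endpoints, over TLS) and the question Al raises about it (whether the source can let the third-party open stand on the key instead of its own authentication, inheriting the initiating client's permissions), worked through as an added model. This is an example added here; it is not part of the thread and not xrootd or dCache code. Everything in it is an assumption of the model: the Session and Rendezvous records, the error strings, the single "read" permission, the constructed principal and host names, and two checks the thread does not state (the key is bound to the destination host named at registration, and it is redeemable once). The real CGI parameters are in the tpc_protocol document Andy linked, not here.

```python
# Illustrative model of rendezvous-key authorization for a third-party copy.
# Added example, not xrootd or dCache code. The Session/Rendezvous fields and
# the error strings are assumptions of this model, not xrootd's CGI parameters.
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple


def new_rendezvous_key() -> str:
    """Client side: a fresh, unguessable shared secret for one transfer."""
    return secrets.token_hex(32)


@dataclass
class Session:
    tls: bool                  # connection protected by TLS?
    principal: Optional[str]   # identity proven on this connection, if any
    peer_host: str             # host the connection came from


@dataclass
class Rendezvous:
    principal: str             # the initiating client that registered the key
    perms: FrozenSet[str]      # what that principal was authorized to do
    dst_host: str              # only this host may redeem the key (assumption)
    key: str
    expires_at: float
    redeemed: bool = False     # one redemption per registration (assumption)


class SourceServer:
    """Source endpoint of a TPC; keeps one pending rendezvous per path."""
    def __init__(self, authz: Dict[str, FrozenSet[str]],
                 clock: Callable[[], float]) -> None:
        self._authz = authz        # principal -> permissions (e.g. from a JWT)
        self._clock = clock
        self._pending: Dict[str, Rendezvous] = {}

    def open_initiating(self, sess: Session, path: str, dst_host: str,
                        key: str, ttl: float) -> FrozenSet[str]:
        """Initiating client: authenticates as usual and registers the key."""
        if not sess.tls:
            raise PermissionError("rendezvous key must travel over TLS")
        if sess.principal is None:
            raise PermissionError("initiating client must authenticate")
        perms = self._authz.get(sess.principal, frozenset())
        if "read" not in perms:
            raise PermissionError("initiating client may not read path")
        self._pending[path] = Rendezvous(sess.principal, perms, dst_host, key,
                                         self._clock() + ttl)
        return perms

    def open_third_party(self, sess: Session, path: str,
                         key: str) -> Tuple[str, FrozenSet[str]]:
        """Destination server: no credential of its own is checked; a matching,
        unexpired key from the expected host grants the initiator's permissions."""
        if not sess.tls:
            raise PermissionError("rendezvous key must travel over TLS")
        rv = self._pending.get(path)
        if rv is None:
            raise PermissionError("no rendezvous registered for path")
        if self._clock() > rv.expires_at:
            del self._pending[path]
            raise PermissionError("rendezvous key expired")
        if not hmac.compare_digest(rv.key, key):   # constant-time compare
            raise PermissionError("rendezvous key mismatch")
        if sess.peer_host != rv.dst_host:
            raise PermissionError("key presented from an unexpected host")
        if rv.redeemed:
            raise PermissionError("rendezvous key already redeemed")
        rv.redeemed = True
        return rv.principal, rv.perms


def run_demo() -> Dict[str, object]:
    """Happy path plus each rejection, on constructed sessions and a fake clock."""
    now = [0.0]
    src = SourceServer({"alice": frozenset({"read"})}, lambda: now[0])
    client = Session(tls=True, principal="alice", peer_host="client.example")
    dst = Session(tls=True, principal=None, peer_host="dst.example")
    path, out = "/data/f1", {}

    def rejected(sess: Session, k: str) -> str:
        try:
            src.open_third_party(sess, path, k)
        except PermissionError as e:
            return str(e)
        return "accepted"

    key = new_rendezvous_key()
    src.open_initiating(client, path, "dst.example", key, ttl=60)
    out["granted"] = src.open_third_party(dst, path, key)   # alice's perms
    out["replay"] = rejected(dst, key)
    src.open_initiating(client, path, "dst.example", key, ttl=60)
    out["wrong_key"] = rejected(dst, new_rendezvous_key())
    out["wrong_host"] = rejected(Session(True, None, "evil.example"), key)
    out["plaintext"] = rejected(Session(False, None, "dst.example"), key)
    now[0] += 61
    out["expired"] = rejected(dst, key)
    return out
```

run_demo() returns the permissions handed to the destination's open (exactly those the initiating client obtained, nothing more) and the reason each bad open was refused; the list-backed clock stands in for wall time so the TTL can be exercised without sleeping. The point of the model is the order of checks in open_third_party: the key is never compared on a plaintext connection, and a matching key is still useless from a host other than the one the initiating client named.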
########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1