Hi Al,

I know very little about the XRootD TPC protocol.  But, I'm back from vacation so I can at least speculate!

The problem is we need an authentication mechanism for the XRootD session before we can provide the rendezvous token to the remote server, right?  Further, using the host certificate as a client certificate is a pretty lousy option given some CAs (think: Let's Encrypt) issue host certificates that are only reasonably usable for TLS servers and not clients.

One nice thing about bearer tokens is they are supposed to be opaque -- there's no need to assume they are a JWT.  What if we used the rendezvous token for the ZTN authentication?

Brian
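Brian's suggestion of presenting the opaque rendezvous token as the ZTN bearer credential, sketched as an added example that is not XRootD's or dCache's code: the server first tries the bearer value as a pending, one-time rendezvous token bound to the transfer's path, and only then as a signed JWT. The registry, the HS256 helpers and the path binding are assumptions of this sketch.

```python
import base64, hashlib, hmac, json, secrets, time

def b64url(data):  # base64url without padding, as JWT segments are written
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(seg):  # restore the padding JWT segments drop, then decode
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def make_hs256(claims, key):
    """Mint an HS256 JWT; constructed here only so the example can exercise the JWT path."""
    head, body = b64url(json.dumps({"alg": "HS256"}).encode()), b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_hs256(token, key, now):
    """Minimal HS256 check: pinned alg, signature over header.payload, unexpired exp."""
    try:
        head, body, sig = token.split(".")
        if json.loads(unb64url(head)).get("alg") != "HS256":
            return False  # refuse alg confusion such as 'none'
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):
            return False
        claims = json.loads(unb64url(body))
    except ValueError:  # opaque or malformed token: not a JWT at all
        return False
    return claims.get("exp", 0) > now

class RendezvousRegistry:
    """Pending TPC transfers keyed by an opaque rendezvous token (hypothetical, not XRootD's)."""
    def __init__(self, ttl=300):
        self.ttl, self._pending = ttl, {}  # token -> (path, expires_at)
    def issue(self, path, now):
        token = secrets.token_urlsafe(32)  # opaque and high-entropy: nothing inside to parse
        self._pending[token] = (path, now + self.ttl)
        return token
    def redeem(self, token, path, now):
        """One-time redemption, bound to the path the transfer was set up for."""
        for known, (known_path, expires_at) in list(self._pending.items()):
            if hmac.compare_digest(known.encode(), token.encode()):
                del self._pending[known]  # burn on first presentation, pass or fail
                return now < expires_at and known_path == path
        return False

def authenticate_bearer(token, path, registry, jwt_key, now=None):
    """'tpc' for a live rendezvous token, 'jwt' for a valid JWT, None otherwise."""
    now = time.time() if now is None else now
    if registry.redeem(token, path, now):
        return "tpc"
    return "jwt" if verify_hs256(token, jwt_key, now) else None
```

Because the rendezvous token never parses as a JWT, the server needs no prior knowledge of which client is the third party: the token itself says which path to take.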

On Mar 25, 2022, at 1:30 PM, Albert Rossi wrote:

Hello all,

starting a fresh thread here in reference to TPC with tokens.

I believe I have fixed the dCache door to allow for TPC with JWT tokens by allowing the third-party client to pass through authentication if it has the correct rendezvous key/token and TLS is on.   It certainly works for dCache to dCache, and I am trying to confirm dCache to xrootd and vice versa, but I am struggling to get the xrootd server set up properly to authorize using the token issued here at Fermilab.

However, that is not the question I have.  What I am writing about here has to do with ZTN in this equation.   If your ZTN module is loaded, how does it know to allow the third-party client to get a "pass", since that client does not have any JWT token?

Or does it still get the ZTN token even though it does not provide a token for authorization to the source server?

Or do you have to turn ZTN off with TPC?

I am asking these questions because I have not figured out, for dCache, how to (a) specify ZTN as an authentication protocol, but (b) allow a specifically third-party connection not to have to present a ZTN token.   At authentication time, it does not seem to me the server knows enough about the client to be able to distinguish what it is.

Or does it?

Some guidance here would be very helpful,

Thanks, Al

________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023


________________________________
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1