Hi Andy,

I understand the points you are making below. So it is my fault for not making my concerns clearer.

dCache can indeed accept scitokens for authorization without authentication.  That is what I fixed.  But that is not the problem.

I was just trying to look at this from the standpoint of the client, and what Brian was originally worried about -- unless I've misunderstood that.

So, let me re-ask the question in another way.

I am an xrootd client.  I want to do TPC.

But my user does not want to expose a token on the path query as a CGI element.  After the changes you have made/are making, authorization can fall back to the ZTN token, provided that token has expressed subject and claims as well as issuer and audience.

But the server I am talking to does not have ZTN turned on; it only has enabled scitoken authorization.

There is a token at XDG_RUNTIME_DIR in the env in which I initiate the transfer.

Am I going to succeed in getting authorized?

Al
________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023

From: Andrew Hanushevsky <[log in to unmask]>
Sent: Tuesday, March 29, 2022 1:17 AM
To: Albert Rossi <[log in to unmask]>
Cc: xrootd-dev <[log in to unmask]>
Subject: Re: ZTN and TPC
 
Hi Albert,

Lots of questions here. OK, so let me frst say what is going on here.

a) When enabled, ztn simply asks the connecting client (irrespective of
what it is going to do) to provide a valid token. This token may or may
not be used for future authorization purposes. That decision is totally
independent. Why? Because at the point we ask for a ztn token all we want
to know is that the client has or can obtain a valid token. That is all we
care about. So, the following points must keep this in mind.

On Fri, 25 Mar 2022, Albert Rossi wrote:

> However, that is not the question I have.  What I am writing about here
>has to do with ZTN in this equation.   If your ZTN module is loaded, how
>does it know to allow the third-party client to get a "pass", since that
>client does not have any JWT token?
Totally independent decision points. Consider this:
a) Client logs in and at that point we have no idea what the purpose is
but we ask for a ztn token.
b) Client supplies one and we check if it is valid, if so, client is
allowed to proceed.
c) Client wants to do a TPC. Perfectly acceptable. Does the ztn token have
anything to do with that? Not necessarily. In fact, we really don't know
and wish Brian would weigh on this but alas no word.

> Or does it still get the ZTN token even though it does not provide a
>token for authorization to the source server?
Again, please reread the beginning statement. When we ask for a zrtn token
we only wish to ascertain the client's ability to get one. It has nothing
to do with any future autrhorization. To the extend that the authorization
module may use the zn token is up to that module. We really don't care.

> Or do you have to turn ZTN off with TPC? >
Absolutely not! That is not what the primary purpose of ztn is. I think
you are really confusing the purpose of ztn and what redezvous TPC is
trying to accomplish. The problem here is that unlike xrootd where we can
easily suppress authorization when we know this is a rendezvous TPC dCache
appears not to be able to do this. So, it needs some kind of token in
addition to the rendezvous token to move forward. The question is which
token are we talking about. My asnwer is without Brian's weigh in I don't
know and there is silence at his end. So we are both out of luck.

> I am asking these questions because I have not figured out, for dCache,
>how to (a) specify ZTN as an authentication protocol, but (b) allow a
>specifically third-party connection not to have to present a ZTN token.
>At authentication time, it does not seem to me the server knows enough
>about the client to be able to distinguish what it is.
> Or does it?
No it does not matter. The problem here is that any server may ask for a
ztn token and you better be prepared to supply one or have another
authentication protocol you can fall back to. I would suggest the simplest
approach here. In the presence of a TPC should the target server ask for a
token then you supply the ztn token should you have it. If you do not then
you will need to fallback on some other authentication protocol that the
target server supports. If there is no other protcol then whole thing
simply fails and you live with that.

Andy

  > Some guidance here
would be very helpful, > > Thanks, Al
>
> ________________________________________________
> Albert L. Rossi
> Senior Software Developer
> Scientific Computing Division, Scientific Data Services, Distributed Data Development
> FCC 229A
> Mail Station 369 (FCC 2W)
> Fermi National Accelerator Laboratory
> Batavia, IL 60510
> (630) 840-3023
>
>
> ########################################################################
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-DEV list, click the following link:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__listserv.slac.stanford.edu_cgi-2Dbin_wa-3FSUBED1-3DXROOTD-2DDEV-26A-3D1&d=DwIBAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=9aahSq-wsU59ZSWZ00xk_zy5ZFU6hyg63E0HPoGzJQ8F6TWVj47l3nCukhbHNHEw&s=_VQWTuyj544srHCnttohyT1-ZjVHIbgM2r3_V-1H_Oo&e=
>

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1