This is not an urgent issue, but does generate a little unexpected noise from the xrdcp client.
In dCache, we have continued to support STRICT vs OPTIONAL TLS on an xroot door or pool. If the endpoint is STRICT, the client will get a goToTLS from the protocol request; otherwise, it is up to the client to request TLS using xroots.
Now, here is a Two-Party read authenticating to a dCache door which is OPTIONAL. If I use xroots, all is fine:
[arossi@fndcatemp1 ~]$ xrdcp5x -f xroots://fndcatemp2.fnal.gov:1095//pnfs/fs/usr/fermilab/users/arossi/volatile/data_1b /dev/null
[1B/1B][100%][==================================================][1B/s]
However, when I use that door (on 1095) as the source of a native xroot TPC, I see:
[arossi@fndcatemp1 ~]$ xrdcp5x --tpc only xroots://fndcatemp2.fnal.gov:1095//pnfs/fs/usr/fermilab/users/arossi/volatile/data_1b xroots://fndcatemp2.fnal.gov:1094//pnfs/fs/usr/fermilab/users/arossi/volatile/data-`suffix`
security protocol 'ztn' disallowed for non-TLS connections.
[1B/1B][100%][==================================================][0B/s]
The TPC succeeds. The warning, in fact, is not generated by the transfer logins, but by the kXR_query against the source:
[2023-02-09 10:11:54.324893 -0600][Dump ][PostMaster ] [fndcatemp2.fnal.gov:1095] Sending message kXR_query (code: kXR_Qconfig, arg length: 4) (0x1740020) through substream 0 expecting answer at 0
[2023-02-09 10:11:54.325701 -0600][Debug ][PostMaster ] [fndcatemp2.fnal.gov:1095] Found 1 address(es): [::ffff:131.225.240.93]:1095
[2023-02-09 10:11:54.325791 -0600][Debug ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Attempting connection to [::ffff:131.225.240.93]:1095
[2023-02-09 10:11:54.325866 -0600][Debug ][Poller ] Adding socket 0x173e610 to the poller
[2023-02-09 10:11:54.326058 -0600][Debug ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Async connection call returned
[2023-02-09 10:11:54.326117 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Sending out the initial hand shake + kXR_protocol
[2023-02-09 10:11:54.326168 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Wrote a message: (0x740010d0), 44 bytes
[2023-02-09 10:11:54.332918 -0600][Dump ][XRootDTransport ] [msg: 0x74079a40] Expecting 8 bytes of message body
[2023-02-09 10:11:54.332964 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received message header, size: 8
[2023-02-09 10:11:54.332986 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received a message of 16 bytes
[2023-02-09 10:11:54.333006 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Got the server hand shake response (type: manager [], protocol version 500)
[2023-02-09 10:11:54.334823 -0600][Dump ][XRootDTransport ] [msg: 0x7408b9c0] Expecting 8 bytes of message body
[2023-02-09 10:11:54.334869 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received message header, size: 8
[2023-02-09 10:11:54.334891 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received a message of 16 bytes
[2023-02-09 10:11:54.334915 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] kXR_protocol successful (type: manager [], protocol version 500)
[2023-02-09 10:11:54.335121 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Sending out kXR_login request, username: arossi, cgi: xrd.cc=us&xrd.tz=-6&xrd.appname=xrdcp&xrd.info=&xrd.hostname=fndcatemp1.fnal.gov&xrd.rn=v20220328-b5f279d, dual-stack: false, private IPv4: false, private IPv6: false
[2023-02-09 10:11:54.335180 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Wrote a message: (0x74079a40), 129 bytes
[2023-02-09 10:11:54.336716 -0600][Dump ][XRootDTransport ] [msg: 0x740010d0] Expecting 70 bytes of message body
[2023-02-09 10:11:54.336761 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received message header, size: 8
[2023-02-09 10:11:54.336784 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received a message of 78 bytes
[2023-02-09 10:11:54.336806 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Logged in, session: 60c82f6d4de883a7f1824946bde8e7ce
[2023-02-09 10:11:54.336821 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Authentication is required: &P=gsi,v:10400,c:ssl,ca:f5f0dfc2&P=ztn,0:4096:&P=unix
[2023-02-09 10:11:54.336836 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Sending authentication data
[2023-02-09 10:11:54.336880 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Trying to authenticate using gsi
[2023-02-09 10:11:54.337234 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Cannot get credentials for protocol gsi: Secgsi: ErrParseBuffer: error getting user proxies: kXGS_init
security protocol 'ztn' disallowed for non-TLS connections.
[2023-02-09 10:11:54.337608 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Trying to authenticate using unix
[2023-02-09 10:11:54.337858 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Wrote a message: (0x74077ce0), 40 bytes
[2023-02-09 10:11:54.340539 -0600][Dump ][XRootDTransport ] [msg: 0x740010d0] Expecting 0 bytes of message body
[2023-02-09 10:11:54.340585 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received message header, size: 8
[2023-02-09 10:11:54.340601 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received a message of 8 bytes
[2023-02-09 10:11:54.340627 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Authenticated with unix.
If we weren't allowing anonymous reads (using the unix protocol), this query would fail.
I was wondering what your rationale was for not applying the client-requested protocol (in this case, xroots) to all requests to that endpoint?
Thanks, Al
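
A small log check for the situation described in this post, added here as an example (not code from XRootD, dCache or the poster): it groups xrdcp client debug lines by stream and reports any stream where a security protocol was refused for lack of TLS but authentication still completed. The sample log is constructed from the line formats quoted above, `door.example` is a placeholder host, and attributing the unprefixed warning line to the most recently seen stream is an assumption.

```python
import re

# Constructed sample in the client debug format quoted above; door.example is a placeholder.
SAMPLE_LOG = """\
[2023-02-09 10:11:54.336821 -0600][Debug ][XRootDTransport ] [door.example:1095.0] Authentication is required: &P=gsi,v:10400,c:ssl,ca:f5f0dfc2&P=ztn,0:4096:&P=unix
[2023-02-09 10:11:54.336880 -0600][Debug ][XRootDTransport ] [door.example:1095.0] Trying to authenticate using gsi
security protocol 'ztn' disallowed for non-TLS connections.
[2023-02-09 10:11:54.337608 -0600][Debug ][XRootDTransport ] [door.example:1095.0] Trying to authenticate using unix
[2023-02-09 10:11:54.340627 -0600][Debug ][XRootDTransport ] [door.example:1095.0] Authenticated with unix.
"""

STREAM = re.compile(r"\[([^\[\]\s]+:\d+\.\d+)\]")   # e.g. [host:1095.0]
OFFER = re.compile(r"Authentication is required: (\S+)")
TRY = re.compile(r"Trying to authenticate using (\w+)")
DONE = re.compile(r"Authenticated with (\w+)\.")
NO_TLS = re.compile(r"security protocol '(\w+)' disallowed for non-TLS connections")

def audit(log_text):
    """Collect, per stream, the offered, tried, TLS-refused and final auth protocols."""
    streams, current = {}, None
    for line in log_text.splitlines():
        if m := STREAM.search(line):
            current = m.group(1)
        if current is None:
            continue
        # Assumption: the unprefixed warning belongs to the last stream seen.
        s = streams.setdefault(current, {"offered": [], "tried": [],
                                         "tls_refused": [], "authenticated": None})
        if m := OFFER.search(line):
            # "&P=gsi,v:...&P=ztn,0:4096:&P=unix" -> ["gsi", "ztn", "unix"]
            s["offered"] = [p.split(",")[0] for p in m.group(1).split("&P=") if p]
        elif m := TRY.search(line):
            s["tried"].append(m.group(1))
        elif m := NO_TLS.search(line):
            s["tls_refused"].append(m.group(1))
        elif m := DONE.search(line):
            s["authenticated"] = m.group(1)
    return streams

def plaintext_fallbacks(streams):
    """Streams that were not using TLS yet still authenticated, with the protocol used."""
    return {name: s["authenticated"] for name, s in streams.items()
            if s["tls_refused"] and s["authenticated"]}

if __name__ == "__main__":
    for stream, proto in plaintext_fallbacks(audit(SAMPLE_LOG)).items():
        print(f"{stream}: non-TLS connection authenticated with {proto}")
```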