Well, not really. A rendezvous token is a special token used strictly for
TPC transfers, so a macaroon would not be considered a rendezvous token.
That doesn't mean you can't use a macaroon, but you would have to supply it
in one of the headers for HTTP or on the URL for xroot. It's actually
immaterial whether or not gsi is used here.

On Tue, 21 Feb 2023, Marcus Lee wrote:

>
> Is it possible for the rendezvous token to be a macaroons token while using gsi for authentication between the client and the server?
>
>
> ________________________________
> From: Yang, Wei <[log in to unmask]>
> Sent: Wednesday, February 15, 2023 4:32:51 PM
> To: Marcus Lee; [log in to unmask]
> Subject: Re: Bearer tokens for the root protocol
>
> Hi Marcus,
>
> The short answer is yes. In Xrootd TPC (TPC via root protocol), there are two scenarios. They should be transparent to users:
>
> 1. If x509 authentication is used, we delegate the x509 proxy to the destination, which then pulls the data from the source.
> 2. If other authentication methods are used, the client helps to establish a rendezvous token (a shared secret) exchange with both ends, to facilitate the transfer.
>
> In 1), the x509 security itself helps secure the delegation of the x509 proxy. In 2), the rendezvous token exchange depends on the transport layer. So only when both ends use TLS (roots, available in 5.3.x+ I believe) can this process be secured.
>
> So with bearer token (ZTN), it should work but you need to make sure both ends use TLS.
>
> --
> Wei
>
> ________________________________________
> From: [log in to unmask] <[log in to unmask]> on behalf of Marcus Lee <[log in to unmask]>
> Sent: Wednesday, February 15, 2023 1:00 PM
> To: [log in to unmask]
> Subject: Bearer tokens for the root protocol
>
> Hello,
>
>
> I am wondering if XRootD TPC supports authentication methods other than delegated x509 for the root protocol such as bearer tokens for example?
>
>
> I know for https you can load more libraries with http.exthandler such as the macaroons or scitokens library, but is there anything similar for root?
>
>
> Thanks
>
> ________________________________
>
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>