Hi Marcus,

The issue here is that xroot tpc was configured to only use delegated 
proxy. That is not necessary. If it is configured to use rendezvous tokens 
no delegation is required. Presumably you still want to use gsi for client 
authentication. If so, configure the gsi security protocol without 
delegation. Then configure the tpc protocol without using gsi.

It should be the case that gfal-copy will simply fall back to using a 
rendezvous token. Note that rendezvous tokens are not generated by 
gfal-copy itself but are part of libXrdCl.so that gfal-copy uses.

Andy
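
A configuration example, added here and not part of Andy's reply or of Marcus's posted setup, that applies the advice above to the config quoted below: the "before" lines are copied from the thread, the "after" lines drop the delegation request from gsi and the gsi binding from ofs.tpc; the TLS directives and certificate paths are assumptions, not taken from the thread.

```text
# Before (as posted in the thread): the server asks the client to delegate
# its proxy, and TPC is tied to the delegated gsi credentials.
sec.protocol gsi -dlgpxy:request -exppxy:=creds -ca:2 -crl:try -gmapopt:nomap -vomsat:require -vomsfun:default
ofs.tpc fcreds ?gsi =X509_USER_PROXY
ofs.tpc require client gsi

# After: gsi still authenticates the client, but no delegation is requested
# and ofs.tpc carries no gsi credentials, so libXrdCl (used by gfal-copy)
# falls back to a rendezvous token for the transfer.
sec.protocol gsi -exppxy:=creds -ca:2 -crl:try -gmapopt:nomap -vomsat:require -vomsfun:default
ofs.tpc scan stderr
ofs.tpc echo
ofs.tpc ttl 300 600
ofs.tpc xfr 100
ofs.tpc autorm
ofs.tpc pgm /etc/xrootd/xrootd-tpc.sh

# The rendezvous token is only as secret as the transport it crosses, so both
# endpoints should serve the root protocol over TLS (roots://).
# ASSUMED directives and paths: confirm xrd.tls / xrootd.tls against the
# reference manual for your XRootD release before relying on them.
xrd.tls /etc/grid-security/xrd/xrdcert.pem /etc/grid-security/xrd/xrdkey.pem
xrootd.tls all
```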


On Fri, 24 Feb 2023, Marcus Ebert wrote:

> Hi Wei,
>
> What we are trying to configure is that a simple TPC, e.g. :
>   gfal-copy siteA/file  siteB/file
> works without the need to delegate the X.509 proxy to be used by siteA or
> siteB for the TPC.
>
> When using "https://" for siteA and siteB, then the X.509 proxy does not
> need to be delegated to be used by a site to contact the other one.
> Instead the copy between the sites is based on a token issued by one site
> and used by the other. That works as expected.
> However, when using "root://" for siteA and siteB, then it does not work
> without a delegated proxy. If it should, then probably some config options
> are missing or wrong in the xrootd setup (on siteA and/or siteB). Maybe also
> something in the TPC scripts needs to be changed? I assume gfal-copy is able
> to generate and use rendezvous tokens, but maybe not?
>
> The current TPC part in the xrootd config looks like:
> xrootd.seclib libXrdSec.so
> sec.protocol gsi -dlgpxy:request -exppxy:=creds -ca:2 -crl:try -gmapopt:nomap -vomsat:require -vomsfun:default
> http.secxtractor libXrdHttpVOMS.so
> ofs.authorize
> acc.audit deny grant
> acc.authdb /etc/xrootd/Authfile
>
> ofs.tpc fcreds ?gsi =X509_USER_PROXY
> ofs.tpc require client gsi
> ofs.tpc scan stderr
> ofs.tpc echo
> ofs.tpc ttl 300 600
> ofs.tpc xfr 100
> ofs.tpc autorm
> ofs.tpc pgm /etc/xrootd/xrootd-tpc.sh
>
> http.exthandler xrdtpc libXrdHttpTPC.so
> http.header2cgi Authorization authz
> http.exthandler xrdmacaroons libXrdMacaroons.so
> macaroons.secretkey /etc/xrootd/macaroon-secret
> ofs.authlib libXrdMacaroons.so
>
> Cheers,
> Marcus E.
>
> On Wed, Feb 22, 2023 at 11:06 PM Yang, Wei <
> [log in to unmask]> wrote:
>
>> At some point, I was also interested in this. But at this moment I don't
>> think we can use Macaroon token in xroot protocol.
>>
>> On the other hand, Xrootd TPC's rendezvous token is a similar concept to
>> the Macaroon token though it is generated by a different mechanism. Is
>> there a specific use case you are looking for that is not available in the
>> rendezvous token but may be available in Macaroon token?
>>
>> --
>> Wei
>>
>> ________________________________________
>> From: Marcus Lee <[log in to unmask]>
>> Sent: Wednesday, February 22, 2023 9:51 AM
>> To: Hanushevsky, Andrew Bohdan
>> Cc: Yang, Wei; [log in to unmask]
>> Subject: Re: Bearer tokens for the root protocol
>>
>> What I am trying to do is configure xrootd such that when you do tpc over
>> the root protocol it uses a macaroon token for authentication between the
>> two endpoints similar to what happens over the http protocol when you use
>> the libXrdMacaroons library. Does this functionality exist, and if so how
>> can I configure xrootd to do this?
>>
>>
>> Thanks,
>>
>> ________________________________
>> From: Andrew Hanushevsky <[log in to unmask]>
>> Sent: Tuesday, February 21, 2023 6:28:40 PM
>> To: Marcus Lee
>> Cc: Yang, Wei; [log in to unmask]
>> Subject: Re: Bearer tokens for the root protocol
>>
>> Well, not really. A rendezvous token is a special token used strictly for
>> TPC transfers so a macaroon would not be considered a rendezvous token.
>> That doesn't mean you can't use a Macaroon but you would have to supply it
>> in one of the headers for http or on the url for xroot. It's actually
>> immaterial whether or not gsi is used here.
>>
>> On Tue, 21 Feb 2023, Marcus Lee wrote:
>>
>>>
>>> Is it possible for the rendezvous token to be a macaroons token while
>>> using gsi for authentication between the client and the server?
>>>
>>>
>>> ________________________________
>>> From: Yang, Wei <[log in to unmask]>
>>> Sent: Wednesday, February 15, 2023 4:32:51 PM
>>> To: Marcus Lee; [log in to unmask]
>>> Subject: Re: Bearer tokens for the root protocol
>>>
>>> Hi Marcus,
>>>
>>> The short answer is yes. In Xrootd TPC (TPC via root protocol), there
>>> are two scenarios. They should be transparent to users:
>>>
>>> 1. if x509 authentication is used, we delegate the x509 proxy to the
>>> destination, which then pulls the data from source
>>> 2. if other authentication methods are used, the client helps to
>>> establish a rendezvous token (a shared secret) exchange with both ends, to
>>> facilitate the transfer.
>>>
>>> in 1) the x509 security itself helps secure the delegation of x509
>>> proxy. in 2), the rendezvous token exchange depends on the transport layer.
>>> So only when both ends use TLS (roots, available in 5.3.x+ I believe) can
>>> this process be secured.
>>>
>>> So with bearer token (ZTN), it should work but you need to make sure
>>> both ends use TLS.
>>>
>>> --
>>> Wei
>>>
>>> ________________________________________
>>> From: [log in to unmask] <[log in to unmask]> on behalf
>>> of Marcus Lee <[log in to unmask]>
>>> Sent: Wednesday, February 15, 2023 1:00 PM
>>> To: [log in to unmask]
>>> Subject: Bearer tokens for the root protocol
>>>
>>> Hello,
>>>
>>>
>>> I am wondering if XRootD TPC supports authentication methods other than
>>> delegated x509 for the root protocol such as bearer tokens for example?
>>>
>>>
>>> I know for https you can load more libraries with http.exthandler such
>>> as macaroons or scitokens library, but is there anything similar for root?
>>>
>>>
>>> Thanks
>>>

########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1