
Hi Marcus,

I think Xrootd TPC is currently hardwired to use x509 token delegation when X509 authentication is used, and to use a rendezvous token when other authentication methods are in use. This dates back to the pre-TLS days of the xroot protocol (and X509 authentication can securely delegate an x509 proxy without TLS). We still do this because there are still old clients and servers out there that do not support TLS.

This can be changed, and also (in my view) the Macaroon token has quite a few use cases in the xroot protocol as well (for example, something similar to a "signed URL"). But someone needs to put in the effort, though I think it is only a moderate amount of work.

--
Wei
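Editorial example, not configuration from this thread or from the XRootD project: the point made further down (the rendezvous-token exchange used for non-X.509 authentication is only protected when both endpoints speak TLS) translates into a server-side fragment like the one below, which would sit next to the sec.protocol gsi line in a config such as the one Marcus posted. The certificate, key and CA paths are placeholders; the directives are standard XRootD 5.x ones as I understand them, so check them against the documentation of the deployed release.

```text
# Added example, not from the thread. Paths are placeholders.
# Server certificate/key and the CA directory used to verify peers.
xrd.tls /etc/grid-security/xrd/xrdcert.pem /etc/grid-security/xrd/xrdkey.pem
xrd.tlsca certdir /etc/grid-security/certificates

# Require TLS for every phase, including the TPC rendezvous exchange.
# "xrootd.tls capable" would only advertise TLS without requiring it,
# leaving a root:// client free to send the shared secret in the clear.
xrootd.tls all

# Offer bearer-token (ZTN) authentication alongside GSI. ZTN is refused
# without TLS, so token-bearing clients connect with roots:// not root://.
xrootd.seclib libXrdSec.so
sec.protocol ztn
sec.protocol gsi -dlgpxy:request -exppxy:=creds -ca:2 -crl:try -gmapopt:nomap -vomsat:require -vomsfun:default
```

With this in place on both siteA and siteB, a transfer invoked with roots:// URLs has a protected channel for the rendezvous token even when no X.509 proxy is delegated; a root:// (plain) endpoint on either side is the case the thread warns about.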

________________________________________
From: [log in to unmask] <[log in to unmask]> on behalf of Marcus Ebert <[log in to unmask]>
Sent: Friday, February 24, 2023 9:40 AM
To: Yang, Wei
Cc: [log in to unmask]
Subject: Re: Bearer tokens for the root protocol

Hi Wei,

What we are trying to configure is that a simple TPC, e.g.:
   gfal-copy siteA/file  siteB/file
works without the need to delegate the X.509 proxy to be used by siteA or siteB for the TPC.

When using "https://" for siteA and siteB, then the X.509 proxy does not need to be delegated to be used by a site to contact the other one. Instead the copy between the sites is based on a token issued by one site and used by the other. That works as expected.
However, when using "root://" for siteA and siteB, then it does not work without a delegated proxy. If it should, then probably some config options are missing or wrong in the xrootd setup (on siteA and/or siteB). Maybe also something in the TPC scripts needs to be changed? I assume gfal-copy is able to generate and use a rendezvous token, but maybe not?

The current TPC part in the xrootd config looks like:
xrootd.seclib libXrdSec.so
sec.protocol gsi -dlgpxy:request -exppxy:=creds -ca:2 -crl:try -gmapopt:nomap -vomsat:require -vomsfun:default
http.secxtractor libXrdHttpVOMS.so
ofs.authorize
acc.audit deny grant
acc.authdb /etc/xrootd/Authfile

ofs.tpc fcreds ?gsi =X509_USER_PROXY
ofs.tpc require client gsi
ofs.tpc scan stderr
ofs.tpc echo
ofs.tpc ttl 300 600
ofs.tpc xfr 100
ofs.tpc autorm
ofs.tpc pgm /etc/xrootd/xrootd-tpc.sh

http.exthandler xrdtpc libXrdHttpTPC.so
http.header2cgi Authorization authz
http.exthandler xrdmacaroons libXrdMacaroons.so
macaroons.secretkey /etc/xrootd/macaroon-secret
ofs.authlib libXrdMacaroons.so

Cheers,
 Marcus E.

On Wed, Feb 22, 2023 at 11:06 PM Yang, Wei <[log in to unmask]<mailto:[log in to unmask]>> wrote:
At some point, I was also interested in this. But at this moment I don't think we can use a Macaroon token in the xroot protocol.

On the other hand, Xrootd TPC's rendezvous token is a similar concept to the Macaroon token, though it is generated by a different mechanism. Is there a specific use case you are looking for that is not available in the rendezvous token but may be available in the Macaroon token?

--
Wei

________________________________________
From: Marcus Lee <[log in to unmask]<mailto:[log in to unmask]>>
Sent: Wednesday, February 22, 2023 9:51 AM
To: Hanushevsky, Andrew Bohdan
Cc: Yang, Wei; [log in to unmask]<mailto:[log in to unmask]>
Subject: Re: Bearer tokens for the root protocol

What I am trying to do is configure xrootd such that when you do tpc over the root protocol it uses a macaroon token for authentication between the two endpoints similar to what happens over the http protocol when you use the libXrdMacaroons library. Does this functionality exist, and if so how can I configure xrootd to do this?


Thanks,

________________________________
From: Andrew Hanushevsky <[log in to unmask]<mailto:[log in to unmask]>>
Sent: Tuesday, February 21, 2023 6:28:40 PM
To: Marcus Lee
Cc: Yang, Wei; [log in to unmask]<mailto:[log in to unmask]>
Subject: Re: Bearer tokens for the root protocol

Well, not really. A rendezvous token is a special token used strictly for
TPC transfers so a macaroon would not be considered a rendezvous token.
That doesn't mean you can't use a Macaroon but you would have to supply it
in one of the headers for http or on the url for xroot. It's actually
immaterial whether or not gsi is used here.

On Tue, 21 Feb 2023, Marcus Lee wrote:

>
> Is it possible for the rendezvous token to be a macaroons token while using gsi for authentication between the client and the server?
>
>
> ________________________________
> From: Yang, Wei <[log in to unmask]<mailto:[log in to unmask]>>
> Sent: Wednesday, February 15, 2023 4:32:51 PM
> To: Marcus Lee; [log in to unmask]<mailto:[log in to unmask]>
> Subject: Re: Bearer tokens for the root protocol
>
> Hi Marcus,
>
> The short answer is yes. In Xrootd TPC (TPC via root protocol), there are two scenarios. They should be transparent to users:
>
> 1. if x509 authentication is used, we delegate the x509 proxy to the destination, which then pulls the data from the source
> 2. if other authentication methods are used, the client helps to establish a rendezvous token (a shared secret) exchange with both ends, to facilitate the transfer.
>
> In 1) the x509 security itself helps secure the delegation of the x509 proxy. In 2), the rendezvous token exchange depends on the transport layer. So only when both ends use TLS (roots, available in 5.3.x+ I believe) can this process be secured.
>
> So with a bearer token (ZTN), it should work, but you need to make sure both ends use TLS.
>
> --
> Wei
>
> ________________________________________
> From: [log in to unmask]<mailto:[log in to unmask]> <[log in to unmask]<mailto:[log in to unmask]>> on behalf of Marcus Lee <[log in to unmask]<mailto:[log in to unmask]>>
> Sent: Wednesday, February 15, 2023 1:00 PM
> To: [log in to unmask]<mailto:[log in to unmask]>
> Subject: Bearer tokens for the root protocol
>
> Hello,
>
>
> I am wondering if XRootD TPC supports authentication methods other than delegated x509 for the root protocol such as bearer tokens for example?
>
>
> I know for https you can load more libraries with http.exthandler such as the macaroons or scitokens library, but is there anything similar for root?
>
>
> Thanks
>
> ________________________________
>
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1