Is it possible for the rendezvous token to be a macaroons token while using gsi for authentication between the client and the server?



From: Yang, Wei <[log in to unmask]>
Sent: Wednesday, February 15, 2023 4:32:51 PM
To: Marcus Lee; [log in to unmask]
Subject: Re: Bearer tokens for the root protocol
 
Hi Marcus,

The short answer is yes. In Xrootd TPC (TPC via root protocol), there are two scenarios. They should be transparent to users:

1. if x509 authentication is used, we delegate the x509 proxy to the destination, which then pulls the data from the source
2. if other authentication methods are used, the client helps to establish a rendezvous token (a shared secret) exchange with both ends, to facilitate the transfer.

In 1) the x509 security itself helps secure the delegation of the x509 proxy. In 2), the rendezvous token exchange depends on the transport layer. So only when both ends use TLS (roots, available in 5.3.x+ I believe) can this process be secured.

So with bearer token (ZTN), it should work but you need to make sure both ends use TLS.

--
Wei

________________________________________
From: [log in to unmask] <[log in to unmask]> on behalf of Marcus Lee <[log in to unmask]>
Sent: Wednesday, February 15, 2023 1:00 PM
To: [log in to unmask]
Subject: Bearer tokens for the root protocol

Hello,


I am wondering if XRootD TPC supports authentication methods other than delegated x509 for the root protocol such as bearer tokens for example?


I know for https you can load more libraries with http.exthandler such as macaroons or scitokens library, but is there anything similar for root?


Thanks

________________________________

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1

