Hi Wei,

What we are trying to configure is that a simple TPC, e.g.:

    gfal-copy siteA/file siteB/file

works without the need to delegate the X.509 proxy to be used by siteA or siteB for the TPC.

When using "https://" for siteA and siteB, then the X.509 proxy does not need to be delegated to be used by a site to contact the other one. Instead the copy between the sites is based on a token issued by one site and used by the other. That works as expected.

However, when using "root://" for siteA and siteB, then it does not work without a delegated proxy. If it should, then probably some config options are missing or wrong in the xrootd setup (on siteA and/or siteB). Maybe also something in the TPC scripts needs to be changed? I assume gfal-copy is able to generate and use a rendezvous token, but maybe not?

The current TPC part in the xrootd config looks like:

    xrootd.seclib libXrdSec.so
    sec.protocol gsi -dlgpxy:request -exppxy:=creds -ca:2 -crl:try -gmapopt:nomap -vomsat:require -vomsfun:default
    http.secxtractor libXrdHttpVOMS.so
    ofs.authorize
    acc.audit deny grant
    acc.authdb /etc/xrootd/Authfile
    ofs.tpc fcreds ?gsi =X509_USER_PROXY
    ofs.tpc require client gsi
    ofs.tpc scan stderr
    ofs.tpc echo
    ofs.tpc ttl 300 600
    ofs.tpc xfr 100
    ofs.tpc autorm
    ofs.tpc pgm /etc/xrootd/xrootd-tpc.sh
    http.exthandler xrdtpc libXrdHttpTPC.so
    http.header2cgi Authorization authz
    http.exthandler xrdmacaroons libXrdMacaroons.so
    macaroons.secretkey /etc/xrootd/macaroon-secret
    ofs.authlib libXrdMacaroons.so

Cheers,
Marcus E.

On Wed, Feb 22, 2023 at 11:06 PM Yang, Wei <[log in to unmask]> wrote:

> At some point, I was also interested in this. But at this moment I don't
> think we can use Macaroon token in xroot protocol.
>
> On the other hand, Xrootd TPC's rendezvous token is a similar concept to
> the Macaroon token though it is generated by a different mechanism. Is
> there a specific use case you are looking for that is not available in the
> rendezvous token but may be available in Macaroon token?
>
> --
> Wei
>
> ________________________________________
> From: Marcus Lee <[log in to unmask]>
> Sent: Wednesday, February 22, 2023 9:51 AM
> To: Hanushevsky, Andrew Bohdan
> Cc: Yang, Wei; [log in to unmask]
> Subject: Re: Bearer tokens for the root protocol
>
> What I am trying to do is configure xrootd such that when you do tpc over
> the root protocol it uses a macaroon token for authentication between the
> two endpoints similar to what happens over the http protocol when you use
> the libXrdMacaroons library. Does this functionality exist, and if so how
> can I configure xrootd to do this?
>
> Thanks,
>
> ________________________________
> From: Andrew Hanushevsky <[log in to unmask]>
> Sent: Tuesday, February 21, 2023 6:28:40 PM
> To: Marcus Lee
> Cc: Yang, Wei; [log in to unmask]
> Subject: Re: Bearer tokens for the root protocol
>
> Well, not really. A rendezvous token is a special token used strictly for
> TPC transfers so a macaroon would not be considered a rendezvous token.
> That doesn't mean you can't use a Macaroon but you would have to supply it
> in one of the headers for http or on the url for xroot. It's actually
> immaterial whether or not gsi is used here.
>
> On Tue, 21 Feb 2023, Marcus Lee wrote:
>
> > Is it possible for the rendezvous token to be a macaroons token while
> > using gsi for authentication between the client and the server?
> >
> > ________________________________
> > From: Yang, Wei <[log in to unmask]>
> > Sent: Wednesday, February 15, 2023 4:32:51 PM
> > To: Marcus Lee; [log in to unmask]
> > Subject: Re: Bearer tokens for the root protocol
> >
> > Hi Marcus,
> >
> > The short answer is yes. In Xrootd TPC (TPC via root protocol), there
> > are two scenarios. They should be transparent to users:
> >
> > 1. if x509 authentication is used, we delegate the x509 proxy to the
> >    destination, which then pulls the data from source
> > 2. if other authentication methods are used, the client helps to
> >    establish a rendezvous token (a shared secret) exchange with both ends, to
> >    facilitate the transfer.
> >
> > in 1) the x509 security itself helps secure the delegation of the x509
> > proxy. in 2), the rendezvous token exchange depends on the transport layer.
> > So only when both ends use TLS (roots, available in 5.3.x+ I believe) can
> > this process be secured.
> >
> > So with bearer token (ZTN), it should work but you need to make sure
> > both ends use TLS.
> >
> > --
> > Wei
> >
> > ________________________________________
> > From: [log in to unmask] <[log in to unmask]> on behalf
> > of Marcus Lee <[log in to unmask]>
> > Sent: Wednesday, February 15, 2023 1:00 PM
> > To: [log in to unmask]
> > Subject: Bearer tokens for the root protocol
> >
> > Hello,
> >
> > I am wondering if XRootD TPC supports authentication methods other than
> > delegated x509 for the root protocol such as bearer tokens for example?
> >
> > I know for https you can load more libraries with http.exthandler such
> > as macaroons or scitokens library, but is there anything similar for root?
> >
> > Thanks
> >
> > ________________________________
> >
> > Use REPLY-ALL to reply to list
> >
> > To unsubscribe from the XROOTD-L list, click the following link:
> > https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
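An added illustration, not taken from any message in this thread, of the direction Wei's answer points: an xrootd server-side fragment that enables TLS (so a roots:// TPC can protect the rendezvous token exchange of scenario 2) and loads the ztn protocol so clients can present a bearer token instead of a delegated proxy. Directive names follow the XRootD 5.x reference as remembered here; the certificate paths and the authorization library are placeholders that each site has to replace with its own.

```conf
# Added example configuration (not from any message in this thread).
# Goal: let TPC over roots:// run on a bearer token rather than a delegated
# X.509 proxy. Paths below are placeholders; check the directives against
# the XRootD version actually deployed.

# Host certificate/key and CA directory used for TLS, i.e. for roots://
xrd.tls   /etc/grid-security/xrd/xrdcert.pem /etc/grid-security/xrd/xrdkey.pem
xrd.tlsca certdir /etc/grid-security/certificates

# Require TLS for all client interactions. The rendezvous token is a shared
# secret carried over the transport, so without TLS on BOTH ends it is
# exposed; this is the "both ends use TLS" condition from the thread.
xrootd.tls all

# Keep gsi for X.509 clients (same options as in the posted config) and add
# ztn so a client can authenticate with a bearer token over the xroot protocol.
sec.protocol gsi -dlgpxy:request -exppxy:=creds -ca:2 -crl:try -gmapopt:nomap -vomsat:require -vomsfun:default
sec.protocol ztn

# ztn only transports the token; a token-aware authorization library still
# has to validate it and map it to permissions. Placeholder library name.
ofs.authlib /path/to/token-authz-plugin.so
```

Clients then address both endpoints as roots:// rather than root://, otherwise the server rejects the TLS-only session and the transfer falls back to needing a delegated proxy.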