Hi Wei,

What we are trying to configure is that a simple TPC, e.g.:
   gfal-copy siteA/file  siteB/file
works without the need to delegate the X.509 proxy to be used by siteA or siteB for the TPC.

When using "https://" for siteA and siteB, then the X.509 proxy does not need to be delegated to be used by a site to contact the other one. Instead the copy between the sites is based on a token issued by one site and used by the other. That works as expected.
However, when using "root://" for siteA and siteB, then it does not work without a delegated proxy. If it should, then probably some config options are missing or wrong in the xrootd setup (on siteA and/or siteB). Maybe also something in the TPC scripts needs to be changed? I assume gfal-copy is able to generate and use a rendezvous token, but maybe not?

The current TPC part in the xrootd config looks like:
xrootd.seclib libXrdSec.so
sec.protocol gsi -dlgpxy:request -exppxy:=creds -ca:2 -crl:try -gmapopt:nomap -vomsat:require -vomsfun:default
http.secxtractor libXrdHttpVOMS.so
ofs.authorize
acc.audit deny grant
acc.authdb /etc/xrootd/Authfile

ofs.tpc fcreds ?gsi =X509_USER_PROXY
ofs.tpc require client gsi
ofs.tpc scan stderr
ofs.tpc echo
ofs.tpc ttl 300 600
ofs.tpc xfr 100
ofs.tpc autorm
ofs.tpc pgm /etc/xrootd/xrootd-tpc.sh

http.exthandler xrdtpc libXrdHttpTPC.so
http.header2cgi Authorization authz
http.exthandler xrdmacaroons libXrdMacaroons.so
macaroons.secretkey /etc/xrootd/macaroon-secret
ofs.authlib libXrdMacaroons.so

Cheers,
 Marcus E.
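Added illustration, not part of this thread or of the XRootD project's own documentation: the TLS-related directives that would make the root-protocol endpoints eligible for a protected rendezvous-token exchange, following Wei's point below that both ends must use TLS (roots). The certificate and key paths are assumptions; the directive names are those of XRootD 5.x as I know them and should be checked against the version in use.

```text
# Added example, not from the thread. File paths are assumptions.
# Host certificate and key used for TLS on the xroot port (enables roots://).
xrd.tls /etc/grid-security/xrd/xrdcert.pem /etc/grid-security/xrd/xrdkey.pem
xrd.tlsca certdir /etc/grid-security/certificates

# Require TLS for the TPC rendezvous-token exchange, so the shared secret
# between the two endpoints is never sent in clear.
xrootd.tls tpc

# Accept bearer tokens (ztn) on the xroot protocol alongside gsi; with ztn the
# client carries the token itself, so no proxy delegation is involved.
sec.protocol ztn
sec.protocol gsi -dlgpxy:request -exppxy:=creds -ca:2 -crl:try -gmapopt:nomap -vomsat:require -vomsfun:default
```

With ztn in place the remaining ofs.tpc lines from the config above still apply, and the fcreds/require gsi entries only matter for clients that authenticate with gsi.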

On Wed, Feb 22, 2023 at 11:06 PM Yang, Wei <[log in to unmask]> wrote:
At some point, I was also interested in this. But at this moment I don't think we can use Macaroon token in xroot protocol.

On the other hand, Xrootd TPC's rendezvous token is a similar concept to the Macaroon token, though it is generated by a different mechanism. Is there a specific use case you are looking for that is not available in the rendezvous token but may be available in the Macaroon token?

--
Wei

________________________________________
From: Marcus Lee <[log in to unmask]>
Sent: Wednesday, February 22, 2023 9:51 AM
To: Hanushevsky, Andrew Bohdan
Cc: Yang, Wei; [log in to unmask]
Subject: Re: Bearer tokens for the root protocol

What I am trying to do is configure xrootd such that when you do tpc over the root protocol it uses a macaroon token for authentication between the two endpoints similar to what happens over the http protocol when you use the libXrdMacaroons library. Does this functionality exist, and if so how can I configure xrootd to do this?


Thanks,

________________________________
From: Andrew Hanushevsky <[log in to unmask]>
Sent: Tuesday, February 21, 2023 6:28:40 PM
To: Marcus Lee
Cc: Yang, Wei; [log in to unmask]
Subject: Re: Bearer tokens for the root protocol

Well, not really. A rendezvous token is a special token used strictly for
TPC transfers so a macaroon would not be considered a rendezvous token.
That doesn't mean you can't use a Macaroon but you would have to supply it
in one of the headers for http or on the url for xroot. It's actually
immaterial whether or not gsi is used here.

On Tue, 21 Feb 2023, Marcus Lee wrote:

>
> Is it possible for the rendezvous token to be a macaroons token while using gsi for authentication between the client and the server?
>
>
> ________________________________
> From: Yang, Wei <[log in to unmask]>
> Sent: Wednesday, February 15, 2023 4:32:51 PM
> To: Marcus Lee; [log in to unmask]
> Subject: Re: Bearer tokens for the root protocol
>
> Hi Marcus,
>
> The short answer is yes. In Xrootd TPC (TPC via root protocol), there are two scenarios. They should be transparent to users:
>
> 1. If x509 authentication is used, we delegate the x509 proxy to the destination, which then pulls the data from the source.
> 2. If other authentication methods are used, the client helps to establish a rendezvous token (a shared secret) exchange with both ends, to facilitate the transfer.
>
> In 1) the x509 security itself helps secure the delegation of the x509 proxy. In 2), the rendezvous token exchange depends on the transport layer. So only when both ends use TLS (roots, available in 5.3.x+ I believe) can this process be secured.
>
> So with a bearer token (ZTN), it should work, but you need to make sure both ends use TLS.
>
> --
> Wei
>
> ________________________________________
> From: [log in to unmask] <[log in to unmask]> on behalf of Marcus Lee <[log in to unmask]>
> Sent: Wednesday, February 15, 2023 1:00 PM
> To: [log in to unmask]
> Subject: Bearer tokens for the root protocol
>
> Hello,
>
>
> I am wondering if XRootD TPC supports authentication methods other than delegated x509 for the root protocol, such as bearer tokens, for example?
>
>
> I know for https you can load more libraries with http.exthandler, such as the macaroons or scitokens library, but is there anything similar for root?
>
>
> Thanks
>
> ________________________________
>
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>
