xrootd: authentication #250
Updates go-hep#170. Updates go-hep#250.
According to gsi-msg-specs, p.3:
However, the problem is that the payload of Also, the server response, which should be Any thoughts?
I guess at this point it's best to ask the
feel free to push your WIP branch so I can have a look as well.
done. :)
There is not much of the code in WIP branch yet. I tried to use I suppose, that I'll start working on FUSE interface while waiting for the answer then. Is it ok?
SGTM.
gentle bump asking about I've heard there's a token-based auth: https://wlcg-authz-wg.github.io/wlcg-authz-docs/token-based-authorization/configuration/xrootd/ is this easier to support? Edit: yes, it is trivial to support, it's just HTTP GET with auth in header of every request
yeah, the token-based auth might be easier (as there's already a Go package to handle SciTokens), but it's still work :) the good news is that a hackathon is coming up, so there might be some activity on this front.
Thanks, I will keep an eye out for gsi, meanwhile, the token (which is HTTP) is literally trivial and I have implemented HTTP GET based stuff in UnROOT.jl directly. Looks like they're moving to HTTP (should have never reinvented HTTP GET in the first place), it's so much easier for me haha
got a PR to that Julia implementation?
yeah, the auth payload is not in yet, but it's just HTTP the main thing to be worked on on Julia side is chunking logic, and to handle in case server doesn't support Multipart GET
ah, ok.
AFAICT it's just a string in header,
protocol version 4
The xrootd specs have a number of things to say about authentication:
xrdsec supports 6 authentication protocols:
- host: authenticates a user by originating host name only,
- gsi: authenticates a user using GSI protocol,
- krb5: authenticates a user using Kerberos V protocol, and
- pwd: authenticates a user using a password-based protocol
- sss: authenticates a user using a simple shared secret protocol
- unix: authenticates using the Unix login name and group name
For kerberos, we might use:
For GSI, something on top of crypto/x509+crypto/tls might be used/developed.
Current specs:
blocked by specification of the GSI auth xrootd/xrootd#757
3rd-party authentication:
- scitokens:
protocol version 5
The v5 specs also support a ztn protocol (based on tokens):
- ztn: https://xrootd.slac.stanford.edu/doc/dev50/sec_config.htm#_Toc64492252
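The token-over-HTTP approach raised in the comments (a token sent in a header on every GET, plus handling for a server that does not honor range requests), sketched as an added example that is not go-hep or UnROOT.jl code. The `Authorization: Bearer` header form, the `fetchRange` helper, the single-range narrowing and the in-process server with its token are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetchRange GETs bytes [off, off+n) of url, sending the token as a bearer
// credential on the request (assumed header scheme). A server that ignores
// Range replies 200 with the whole body; the window is then cut out locally.
func fetchRange(c *http.Client, url, token string, off, n int64) ([]byte, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Range", fmt.Sprintf("bytes=%d-%d", off, off+n-1))
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusOK { // Range ignored: skip to off locally
		_, err = io.CopyN(io.Discard, resp.Body, off)
	} else if resp.StatusCode != http.StatusPartialContent {
		// 401/403 land here: a rejected token is an error, never empty data.
		err = fmt.Errorf("GET %s: %s", url, resp.Status)
	}
	if err != nil {
		return nil, err
	}
	return io.ReadAll(io.LimitReader(resp.Body, n))
}

func main() {
	// Constructed in-process server: checks the token and ignores Range.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer constructed-token" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		io.WriteString(w, "0123456789")
	}))
	defer srv.Close()
	b, err := fetchRange(srv.Client(), srv.URL, "constructed-token", 2, 4)
	fmt.Printf("%q %v\n", b, err)
}
```

Because the token travels in a request header, the URL passed to `fetchRange` should be `https://` outside of a local test like this one.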