kXR_query not issued with original protocol during TPC #1903
Comments
We have an identical situation in xrootd. TLS can be required (i.e., STRICT) or optional (in xrootd it's required or optional by request category so a bit more complicated). The same issue arose when TLS was not required. We solved it by making TLS required the moment you enable any security protocol that requires the use of TLS; in this case ztn. Then, as you have noted, making it required avoids the whole issue.
Thanks for the reply, Andy. I have another question which is not on the same topic. I don't want to open another issue, because it's not something I think xrootd needs to do; it's just about whether xrootd does handle a particular situation and how it does so. Perhaps I could email you instead? Cheers, Al
Hi Albert,
Sure, not a problem!
Andy
…On Thu, 9 Feb 2023, Albert Rossi wrote:
Thanks for the reply, Andy.
I have another question which is not on the same topic. I don't want to open another issue, because it's not something I think xrootd needs to do; it's just about whether xrootd does handle a particular situation and how it does so. Perhaps I could email you instead?
Cheers, Al
I think we have gone as far as we can with this, so I am closing this discussion.
This is not an urgent issue, but does generate a little unexpected noise from the xrdcp client.
In dCache, we have continued to support STRICT vs OPTIONAL TLS on an xroot door or pool. If the endpoint is STRICT, the client will get a goToTLS from the protocol request; otherwise, it is up to the client to request TLS using xroots.
Now, here is a Two-Party read authenticating to a dCache door which is OPTIONAL. If I use xroots, all is fine (I am using a ZTN token):
However, when I use that door (on 1095) as the source of a native xroot TPC, I see:
The TPC succeeds. The warning, in fact, is not generated by the transfer logins, but by the kXR_query against the source:
If we weren't allowing anonymous reads (using the unix protocol), this query would fail.
I was wondering what your rationale was for not applying the client-requested protocol (in this case, xroots) to all requests to that endpoint?
Thanks, Al