XrdCl: Forward xrd.* parameters from the original to the redirection URL #364
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi Andy,
I put this as a pull request so that we can discuss if I misunderstood something related to the desired behaviour of the client.
The problem: the parameters included in the opaque part of a URL that deal with authentication (i.e. xrd.wantprot, xrd.krb5ccname etc) are not properly forwarded when redirections are followed.
The assumption I made is that if a client requests a certain type of authentication then this should be enforced with respect to all parties that it contacts during the transfer.
First of all, there is a clear inconsistency between the behaviour when the XrdSecPROTOCOL is used and when the
xrd.wantproto
is added to the URL. This comes from the fact that in https://github.com/xrootd/xrootd/blob/master/src/XrdSec/XrdSecPManager.cc#L153 the process env variable is always visible if set, while thexrd.wantprot
might not if it was not properly forwarded.The source of the problem is that when we get redirected a new channel needs to be opened to the new destination. At this point also the authentication takes place but the URL used by this step does not contain any opaque info at all. In the code below this is the
pUrl
variable.This patch saves any xrd.* parameters present in the initial url request and appends them to the new redirection url. In this way the behaviour is consistent with the XrdSecPROTOCOL approach.
I have tested this using a default instance of EOS where the load-balancer requires krb5 authentication and the data server accepts unix.
A. Without the patch
1. Use the
XrdSecPROTOCOL
and krb5 authenticationAs expected this fails since the data server only accepts unix. Data server is on the same machine but on a different port 2001 instead of the default 1094.
2. Enforce the authentication using the opaque info
This unexpectedly works because the opaque info is not forwarded to the data-server.
B. With the patch
1. The same behaviour as in A1.
2.
Now this matches the behaviour from A1 - which is what we expected.
And to have this transfer work properly we should also put
unix
in the list of protocols accepted by the client so that we can connect to the data server. And this indeed works:Is there any particular scenario in which one would not want to forward this info?
Thanks,
Elvin