dCache / dcache

dCache - a system for storing and retrieving huge amounts of data, distributed among a large number of heterogeneous server nodes, under a single virtual filesystem tree with a variety of standard access methods
https://dcache.org

xrootd door in proxy mode optional encryption door to pool #7574

Closed cfgamboa closed 4 months ago

cfgamboa commented 4 months ago

Dear all,

Currently, WebDAV doors are implemented with a configuration flag property to enforce encryption between the door and the pool for read and write transfers. The encryption is done between the client and the door, but it is optional for the door and the pool when the WebDAV door is enabled in proxy mode.

I do not think this property or flag is implemented for the XRootD door.

Could you please advise?

All the best, Carlos

DmitryLitvintsev commented 4 months ago

From doc (https://www.dcache.org/manuals/Book-9.2/config-xrootd.shtml#proxying-transfers-through-the-door):

If the door uses proxying, then when an open request arrives, a proxy instance will be launched on a new port and the client redirected to it as if it were the pool endpoint. The proxy serves as both façade and client to the pool by intercepting requests from the initiating client and passing them on to the pool transfer service, and similarly relaying responses from the pool back to the client. The connections between client and proxy on the one hand and proxy and pool on the other are independently established (this is necessary to support TLS, should that be requested or required), but after login is complete, all subsequent requests and replies are passed through the proxy without further interpretation.

My understanding of this is the following - if TLS is enabled it is TLS all the way through. And there is no way to turn it off for door / pool communication.

What is your concern? Why do you want this disabled?
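To see what the layering means in practice for an operator, here is an added example (not dCache code, and not from anyone in this thread) that audits the xrootd doors defined in a dCache layout file. It resolves each door's settings the way dCache layers them (service section over domain section over the properties at the top of the file) and classifies the door according to the behaviour described above: with proxying on, TLS is either on for both hops or off for both, since there is no separate door-to-pool switch. The property names `xrootd.net.proxy-transfers` and `xrootd.security.tls.mode` (values OFF/OPTIONAL/STRICT) and their defaults are assumptions from memory of xrootd.properties; verify them against the defaults shipped with your release. The sample layout is constructed.

```python
"""Audit xrootd doors in a dCache layout file for proxy-mode TLS settings.

Added example, not part of dCache. The property names below are taken
from memory of dCache's xrootd.properties and are ASSUMPTIONS; check them
against the defaults shipped with your release
(e.g. /usr/share/dcache/defaults/xrootd.properties).
"""
import re

# ASSUMED property names and defaults (verify against xrootd.properties).
PROXY_KEY = "xrootd.net.proxy-transfers"   # true|false, assumed default false
TLS_KEY = "xrootd.security.tls.mode"       # OFF|OPTIONAL|STRICT, assumed default OFF
NAME_KEY = "xrootd.cell.name"

# Constructed sample layout; not taken from any real site.
SAMPLE_LAYOUT = """\
# properties before the first section apply to every domain
dcache.layout = sample
xrootd.security.tls.mode = OFF

[doorDomain]
[doorDomain/xrootd]
xrootd.cell.name = xrootd-plain
xrootd.net.proxy-transfers = true

[tlsDomain]
xrootd.security.tls.mode = STRICT
[tlsDomain/xrootd]
xrootd.cell.name = xrootd-tls
xrootd.net.proxy-transfers = true

[redirDomain/xrootd]
xrootd.cell.name = xrootd-redirect
xrootd.security.tls.mode = OPTIONAL
"""

SECTION_RE = re.compile(r"^\[(?P<domain>[^/\]]+)(?:/(?P<service>[^\]]+))?\]$")


def parse_layout(text):
    """Split a layout file into (globals, domain_props, services).

    services is a list of (domain, service, props) in file order, so a
    domain running several doors is handled once per door.
    """
    globals_, domains, services = {}, {}, []
    current = globals_
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            domain, service = m.group("domain"), m.group("service")
            domains.setdefault(domain, {})
            if service is None:
                current = domains[domain]
            else:
                current = {}
                services.append((domain, service, current))
            continue
        if "=" not in line:
            continue  # not a property assignment; ignore
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return globals_, domains, services


def effective(key, default, *scopes):
    """Resolve a property the way dCache layers it: the most specific scope
    (service section) wins over the domain section, which wins over the
    properties at the top of the file; otherwise the shipped default applies."""
    for scope in scopes:
        if key in scope:
            return scope[key]
    return default


def audit_xrootd_doors(text):
    """Return one (domain, cell, proxying, tls_mode, verdict) tuple per xrootd door.

    With proxying on, TLS covers both hops (client->door and door->pool) or
    neither; there is no separate door->pool switch to check.
    """
    globals_, domains, services = parse_layout(text)
    findings = []
    for domain, service, props in services:
        if service != "xrootd":
            continue
        scopes = (props, domains.get(domain, {}), globals_)
        cell = effective(NAME_KEY, "xrootd", *scopes)
        proxying = effective(PROXY_KEY, "false", *scopes).lower() == "true"
        tls_mode = effective(TLS_KEY, "OFF", *scopes).upper()
        if not proxying:
            verdict = "redirect-no-proxy"        # client is redirected to the pool itself
        elif tls_mode == "STRICT":
            verdict = "tls-both-hops"
        elif tls_mode == "OPTIONAL":
            verdict = "tls-if-client-requests"   # both hops follow the client's choice
        else:
            verdict = "plaintext-both-hops"
        findings.append((domain, cell, proxying, tls_mode, verdict))
    return findings


if __name__ == "__main__":
    for domain, cell, proxying, tls_mode, verdict in audit_xrootd_doors(SAMPLE_LAYOUT):
        print(f"{domain}/{cell}: proxy={proxying} tls={tls_mode} -> {verdict}")
```

Run it against your own layout file by replacing `SAMPLE_LAYOUT` with the file contents; a door reported as `plaintext-both-hops` is the one case worth fixing, since in proxy mode the same setting governs the door-to-pool leg.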

cfgamboa commented 4 months ago

An optional configuration set might reduce resources (i.e. CPU) if the pool and door are located in the same LAN. I am just trying to understand if this can be done; we have it enabled for WebDAV.


DmitryLitvintsev commented 4 months ago

Might, or are you actually impacted?

cfgamboa commented 4 months ago

xroots was not enabled due to the issue reported in [www.dcache.org #10562]


DmitryLitvintsev commented 4 months ago

So, since RT issue #10562 is closed, this here is not an issue either?

cfgamboa commented 4 months ago

The question here is different. And you have answered it before: currently the only encryption workflow supported is enforcing encryption all the way client -> xrootd door -> pool.

This ticket can be closed.

Carlos

— Reply to this email directly, view it on GitHub https://github.com/dCache/dcache/issues/7574#issuecomment-2113643943, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHIHMO7ANLCDGGXIJAHJ77DZCPVBRAVCNFSM6AAAAABHYWF55GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMJTGY2DGOJUGM. You are receiving this because you authored the thread.