The compatible (=1) level for xrootd security requires
signed hash verification on open only if it is for write.
Currently, the server is requiring it for all open
calls, including read only (the TPC client, on the
other hand, only does read only opens and thus
will behave correctly against the source).
Modification:
Modify the SecurityLevel processing to account
for the difference between open read-write and
open read.
The security level settings in general are reviewed
and updated/corrected where needed.
Result:
dCache will not erroneously force the xroot client
(esp. TPC client) to send signed hashes on open
for read only when it advertises its security level
as "compatible".
Motivation:
The compatible (=1) level for xrootd security requires signed hash verification on open only if it is for write. Currently, the server is requiring it for all open calls, including read only (the TPC client, on the other hand, only does read only opens and thus will behave correctly against the source).
Modification:
Modify the SecurityLevel processing to account for the difference between open read-write and open read.
The security level settings in general are reviewed and updated/corrected where needed.
Result:
dCache will not erroneously force the xroot client (esp. TPC client) to send signed hashes on open for read only when it advertises its security level as "compatible".
Target: master Request: 4.0 Request: 3.5 Request: 3.4 ? Patch: https://rb.dcache.org/r/12321/ Requires-notes: yes Requires-book: no Acked-by: Tigran