WLCG DOMA BDT Meeting

Europe/Zurich
Brian Paul Bockelman (University of Wisconsin Madison (US)), Maria Arsuaga Rios (CERN), Petr Vokac (Czech Technical University in Prague (CZ))
Description

Topic: WLCG DOMA BDT Meeting (twiki)

Videoconference
WLCG DOMA BDT Meeting
Zoom Meeting ID
69074333781
Host
Petr Vokac
Useful links
Join via phone
Zoom URL
    • 1
      News

      Third meeting in November, because there'll be DOMA General first week in December.

       

      Added email alias wlcg-doma-bdt at cern.ch for original TPC mailing list to make more consistent / expected email address.

    • 2
      Transfers with tokens
      Speaker: Francesco Giacomini (INFN CNAF)

      WLCG JWT profile storage.* scope improvements (issue#21)

      •  

      Audience and global XRootD redirector (CMS AAA)

      StoRM config documentation for WLCG compliance tests

      TLS configuration for xroots protocol

      • Support for xroots:// protocol should be included in our configuration examples
        • Become ready not only for DC24 HTTP-TPC with tokens but also SE should be ready for tests with jobs
      • XRootD
        • XRootD client receives from storage - Authentication is required: &P=gsi,v:10600,c:ssl,ca:8d33f237.0|dec71a0b.0&P=ztn,0:4096:
        • XRootD client asks for X.509 proxy even with BEARER_TOKEN set in the environment
          • no proxy & token => access denied
        • Even more weird behavior with gfal2 => more operations => more X.509 cert+key password questions
        • Fixed by changing order of sec.protocol configuration (ztn, gsi)
          • XRootD client receives from storage: Authentication is required: &P=ztn,0:4096:&P=gsi,v:10600,c:ssl,ca:8d33f237.0|dec71a0b.0
      • dCache (host certificate required for all xroot doors)
        • 7.x - can be configured on dedicated port
          • xrootd.plugins=gplazma:ztn,authz:scitokens
        • 8.x - available with default configuration
          • xrootd.plugins=gplazma:gsi,gplazma:ztn,gplazma:none,authz:scitokens
            • XRootD client receives from storage - Authentication is required: &P=ztn,0:4096:&P=unix&P=gsi,v:10400,c:ssl,ca:dec71a0b
            • XRootD client asks for X.509 proxy even with BEARER_TOKEN set in the environment
            • operation than succeeds even without X.509 proxy and token (or bad token)
          • better configuration xrootd.plugins=gplazma:ztn,gplazma:gsi,authz:scitokens for X.509 to tokens transition
            • Authentication is required: &P=ztn,0:4096:&P=gsi,v:10400,c:ssl,ca:dec71a0b
            • Try WLCG JWT token first with fallback to X.509 proxy
              • fallback works when there is no token and also for bad token
            • gplazma:none is necessary for third-party-copy
            • There is environment variable for XRootD client not to ask for password for missing X.509 proxy
              • export XrdSecGSICREATEPROXY=0
          • dCache team is going to discuss if token should be first in the default dCache configuration
            • WLCG prefers token first with fallback to X.509
      • gfal2 currently reject roots:// scheme
        • we can't rely on root:// protocol and just hope TLS was negotiated before sending token
          • enforcing TLS for token is not yet enforced in XRootD client, details in xrootd#1842
        • fixed in develop branch & testing repo
      • EOS is not currently implementing ZTN protocol (EOS-5460)
    • 3
      Tape REST access
      Speaker: Mihai PATRASCOIU (CERN)
    • 4
      Packet marking
      Speakers: Marian Babik (CERN), Shawn Mc Kee (University of Michigan (US))
      • Successfully run all demos and achieved all the objectives that we had in the SC22 NRE. 
        • Demonstrated packet marking at 200Gbps using flowd (both with xrootd and iperf3)
        • SCInet and ESnet have setup packet collectors via sflow and have shown they can show it in real-time (transfers per experiment/activity; more details at https://blog.sflow.com/2022/11/scientific-network-tags-scitags.html )
        • We also run demo with SC22 booth, KIT, UVic and CERN running xroot transfers and showing the real time throughput using P4 switch at CERN
      • Submitted abstracts for CHEP23 and TNC
      • Plan to have the next WG meeting in Dec (main topic will be SC22 follow up)






         
    • 5
      WebDAV Error Message Improvement Project

      Discuss with experts improvements in the error messages produced by failed transfers.

      Speaker: Stephan Lammel (Fermi National Accelerator Lab. (US))
    • 6
      AOB

      HTTP-TPC Update#4 - LocalConnection perf marker

      • It's very useful for debugging to have final IP addresses of TPC transfer source and destination
      • Currently we have only RemoteConnections and because dCache doesn't redirect TPC client to the pool with files we don't know transfer address of active party
      • Proposed LocalConnection is not sufficiently generic
      • We decided it would be useful to have both (source + destination) addresses Perf Marker as a pair
        • Use new name not to break existing software (e.g. FTS/gfal/davix)
        • Same address format as in case of RemoteConnections
          • e.g. following pair "tcp:129.93.3.4:1234,tcp:[2600:900:6:1301:268a:7ff:fef6:a590]:2345"