WLCG DOMA BDT Meeting

Wednesday 30 Nov 2022, 16:30 → 17:30 Europe/Zurich

Brian Paul Bockelman (University of Wisconsin Madison (US)), Maria Arsuaga Rios (CERN), Petr Vokac (Czech Technical University in Prague (CZ))

Topic: WLCG DOMA BDT Meeting (twiki)

16:30 → 16:40 News

Third meeting in November, because there'll be DOMA General first week in December.

 

Added email alias wlcg-doma-bdt at cern.ch for original TPC mailing list to make more consistent / expected email address.

16:40 → 16:55 Transfers with tokens

Speaker: Francesco Giacomini (INFN CNAF)

WLCG JWT profile storage.* scope improvements (issue#21)

•  

Audience and global XRootD redirector (CMS AAA)

• Did CMS decided not to use audience at all / use just one "CMS" in aud claim for services hosted by different providers?
  • No "CMS" specific audience - plan to use generic https://wlcg.cern.ch/jwt/v1/any
    • useful for reading together with storage.read:/ scope in token
    • write tokens should always use precise audience scheme://fqdn:port
  • Policy for audiences on IAM side in future - issue with not very high priority
  • Use generic https://wlcg.cern.ch/jwt/v1/any - not optional for service (WLCG JWT profile)
    • missing audience is implicitly https://wlcg.cern.ch/jwt/v1/any

StoRM config documentation for WLCG compliance tests

• Recently updated

TLS configuration for xroots protocol

• Support for xroots:// protocol should be included in our configuration examples
  • Become ready not only for DC24 HTTP-TPC with tokens but also SE should be ready for tests with jobs
• XRootD
  • XRootD client receives from storage - Authentication is required: &P=gsi,v:10600,c:ssl,ca:8d33f237.0|dec71a0b.0&P=ztn,0:4096:
  • XRootD client asks for X.509 proxy even with BEARER_TOKEN set in the environment
    • no proxy & token => access denied
  • Even more weird behavior with gfal2 => more operations => more X.509 cert+key password questions
  • Fixed by changing order of sec.protocol configuration (ztn, gsi)
    • XRootD client receives from storage: Authentication is required: &P=ztn,0:4096:&P=gsi,v:10600,c:ssl,ca:8d33f237.0|dec71a0b.0
• dCache (host certificate required for all xroot doors)
  • 7.x - can be configured on dedicated port
    • xrootd.plugins=gplazma:ztn,authz:scitokens
  • 8.x - available with default configuration
    • xrootd.plugins=gplazma:gsi,gplazma:ztn,gplazma:none,authz:scitokens
      • XRootD client receives from storage - Authentication is required: &P=ztn,0:4096:&P=unix&P=gsi,v:10400,c:ssl,ca:dec71a0b
      • XRootD client asks for X.509 proxy even with BEARER_TOKEN set in the environment
      • operation than succeeds even without X.509 proxy and token (or bad token)
    • better configuration xrootd.plugins=gplazma:ztn,gplazma:gsi,authz:scitokens for X.509 to tokens transition
      • Authentication is required: &P=ztn,0:4096:&P=gsi,v:10400,c:ssl,ca:dec71a0b
      • Try WLCG JWT token first with fallback to X.509 proxy
        • fallback works when there is no token and also for bad token
      • gplazma:none is necessary for third-party-copy
      • There is environment variable for XRootD client not to ask for password for missing X.509 proxy
        • export XrdSecGSICREATEPROXY=0
    • dCache team is going to discuss if token should be first in the default dCache configuration
      • WLCG prefers token first with fallback to X.509
• gfal2 currently reject roots:// scheme
  • we can't rely on root:// protocol and just hope TLS was negotiated before sending token
    • enforcing TLS for token is not yet enforced in XRootD client, details in xrootd#1842
  • fixed in develop branch & testing repo
• EOS is not currently implementing ZTN protocol (EOS-5460)

16:55 → 17:05 Tape REST access

Speaker: Mihai PATRASCOIU (CERN)

17:05 → 17:15 Packet marking

Speakers: Marian Babik (CERN), Shawn Mc Kee (University of Michigan (US))

• Successfully run all demos and achieved all the objectives that we had in the SC22 NRE. 
  • Demonstrated packet marking at 200Gbps using flowd (both with xrootd and iperf3)
  • SCInet and ESnet have setup packet collectors via sflow and have shown they can show it in real-time (transfers per experiment/activity; more details at https://blog.sflow.com/2022/11/scientific-network-tags-scitags.html )
  • We also run demo with SC22 booth, KIT, UVic and CERN running xroot transfers and showing the real time throughput using P4 switch at CERN
• Submitted abstracts for CHEP23 and TNC
• Plan to have the next WG meeting in Dec (main topic will be SC22 follow up)
  
  
  
  
  
  
   

17:15 → 17:25 WebDAV Error Message Improvement Project

Discuss with experts improvements in the error messages produced by failed transfers.

Speaker: Stephan Lammel (Fermi National Accelerator Lab. (US))

WLCG DOMA, WebDAV Error Message Improvement Project

17:25 → 17:30 AOB

HTTP-TPC Update#4 - LocalConnection perf marker

• It's very useful for debugging to have final IP addresses of TPC transfer source and destination
• Currently we have only RemoteConnections and because dCache doesn't redirect TPC client to the pool with files we don't know transfer address of active party
• Proposed LocalConnection is not sufficiently generic
• We decided it would be useful to have both (source + destination) addresses Perf Marker as a pair
  • Use new name not to break existing software (e.g. FTS/gfal/davix)
  • Same address format as in case of RemoteConnections
    • e.g. following pair "tcp:129.93.3.4:1234,tcp:[2600:900:6:1301:268a:7ff:fef6:a590]:2345"