DOMA / TPC Meeting
XRootD TPC
• Andrea and Oliver were running tests of TPC
• Tested TPC DPM to DPM and DPM to EOS.
• DPM to DPM: transfers longer than 30 seconds fail with the message "Delegation Expired" from the XRootD server. To be debugged; hopefully resolved by the next meeting.
• Hope to do more tests via Rucio
• X.509 delegation (and the GSI protocol in general) as implemented in XRootD is not understood or documented outside the XRootD team. Viewed as critical.
• Action item (BrianB): start a conversation with Gerri on creating that documentation.
• Storm and CEPH do not offer an XRootD implementation, so there was confusion about the compatibility table on the first slide.
• Possibly the table just names the underlying storage type, with XRootD providing the TPC.
• Possibly naming it “XRootD + Storm”. BrianB: From experience with HDFS, there may be config issues one has to tackle when going from read-only XRootD to read-write.
• Brian: HDFS + XRootD probably doesn’t work with HDFS as write destination
• Action item (Wei or Andy): label the "To" and "From" axes on the table; there was confusion over which axis is which.
• Difficult to have the authentication discussion without the XRootD devs; some questions deferred to the next meeting.
• Paul: dCache TPC
• The credential used for TPC was mistakenly hardcoded to the host certificate.
• Fixed: it can now be a VOMS proxy derived from a robot certificate; the default is still the host certificate.
• The preferred solution is to drop GSI authentication for the TPC leg and use the rendezvous token directly.
• Note: after the GSI handshake, subsequent XRootD traffic is not encrypted. The recently added request-signing extension adds integrity protection (signatures on requests) but not confidentiality.
• Consequently the rendezvous token is sent in the clear over the network, because it is transmitted after the GSI handshake completes.
• Discussion of what the GSI handshake actually is: a TLS handshake, with delegation on top? Unclear. As discussed earlier, a documented protocol would be useful.
• Brian: I believe it is a binary custom protocol with inspiration from TLS, but not TLS
• DPM XRootD checksum support will be released in the autumn; it is going through the release process.
HTTP Protocol Update
• (see slides)
• Andrea: Storm update
• A Storm endpoint has been added: it doesn't support TPC (it cannot issue COPY), but it can act as the destination.
• Question about the connectivity matrix: since Storm doesn't understand the COPY command, does "connectivity" refer to the server that "starts" the transfer (the one that understands COPY)?
• Brian: FTS transfers from one endpoint to another. FTS is smart about pull vs. push COPY (when one fails, it tries the other) and about the authentication setup.
• EOS to EOS can't work because EOS doesn't understand TPC; the current Storm version will have similar issues.
• COPY support is being worked on and will be available soon (weeks, not months).
• Storm does not support GSI delegation, but it will understand token-based auth. GSI delegation support is not planned.
• When Storm is the source of a copy, VOMS + HTTPS already works; token support will be added.
• Storm will have an OAuth2 token generator for access to storage.
• OpenID Connect support will also be added, but it will come later than COPY support.
• Brian: A token acquisition discussion is needed. DPM / Xrootd / dCache use a common mechanism, but something standards-based would be an improvement.
• Macaroon acquisition: FTS holds a GSI proxy and uses it to obtain a Macaroon at transfer startup. This must happen at start time, not at queue time: a transfer request may sit in the queue for a long time, while the token's lifetime is short.
• Further discussion of Macaroon delegation / attenuation is needed.
• The connectivity matrix will cover all pull / push combinations once it is easier to automate the tests with Rucio. It probably won't get much more detailed while updates are being entered by hand.
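The two Macaroon points above (mint the token at transfer start rather than queue time, and attenuate it before handing it on) are illustrated by the following added example. It is not FTS, dCache or DPM code: it implements a minimal first-party-caveat macaroon (the standard HMAC-SHA256 chain over identifier and caveats) with a caveat vocabulary modelled on dCache's `before:`, `activity:` and `path:` caveats but simplified; the endpoint URL, identifier, root key and one-hour lifetime are assumptions chosen for the illustration.

```python
"""Minimal first-party-caveat macaroon, added as an illustration.

Not FTS/dCache/DPM code. Shows (1) why a short-lived token minted when a
transfer is queued can be dead by the time it starts, and (2) how a holder
can attenuate (but never widen) a token before passing it to the other party.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed values for the example only.
ROOT_KEY = b"storage-endpoint-root-key"          # known only to the storage endpoint
LOCATION = "https://dcache.example"              # hypothetical endpoint
LIFETIME = timedelta(hours=1)                    # assumed short token lifetime


def _chain(key: bytes, data: str) -> bytes:
    """One link of the macaroon HMAC chain."""
    return hmac.new(key, data.encode(), hashlib.sha256).digest()


class Macaroon:
    def __init__(self, location, identifier, signature, caveats=None):
        self.location = location
        self.identifier = identifier
        self.signature = signature
        self.caveats = list(caveats or [])

    @classmethod
    def mint(cls, root_key, location, identifier):
        # Only the endpoint can do this: the chain starts from root_key.
        return cls(location, identifier, _chain(root_key, identifier))

    def attenuate(self, caveat):
        """Anyone holding the token may append a caveat; removing one breaks the chain."""
        return Macaroon(self.location, self.identifier,
                        _chain(self.signature, caveat), self.caveats + [caveat])


def verify(m, root_key, *, now, activity, path):
    """Recompute the chain, then evaluate every caveat. Returns (ok, reason)."""
    sig = _chain(root_key, m.identifier)
    for c in m.caveats:
        sig = _chain(sig, c)
    if not hmac.compare_digest(sig, m.signature):
        return False, "bad signature"
    for c in m.caveats:
        kind, _, value = c.partition(":")
        if kind == "before":
            if now >= datetime.fromisoformat(value):
                return False, "expired (%s)" % c
        elif kind == "activity":
            if activity not in value.split(","):
                return False, "activity not permitted (%s)" % c
        elif kind == "path":
            if not (path == value or path.startswith(value.rstrip("/") + "/")):
                return False, "path not permitted (%s)" % c
        else:
            return False, "unknown caveat (%s)" % c   # fail closed
    return True, "ok"


def mint_transfer_token(t):
    """Endpoint issues a token at time t with an expiry caveat of t + LIFETIME."""
    m = Macaroon.mint(ROOT_KEY, LOCATION, "transfer-42")
    return m.attenuate("before:" + (t + LIFETIME).isoformat())


def queue_time_vs_start_time():
    """Request queued at 00:00, actually started at 03:00 (constructed timeline)."""
    t_queued = datetime(2019, 1, 1, 0, 0, tzinfo=timezone.utc)
    t_started = t_queued + timedelta(hours=3)
    at_queue = mint_transfer_token(t_queued)      # what FTS must NOT do
    at_start = mint_transfer_token(t_started)     # what FTS does
    return {
        "queued": verify(at_queue, ROOT_KEY, now=t_started,
                         activity="DOWNLOAD", path="/store/data/file1")[0],
        "start": verify(at_start, ROOT_KEY, now=t_started,
                        activity="DOWNLOAD", path="/store/data/file1")[0],
    }


def attenuation_demo():
    """FTS narrows the token to one activity and one path before handing it on."""
    now = datetime(2019, 1, 1, 0, 0, tzinfo=timezone.utc)
    full = mint_transfer_token(now)
    narrow = full.attenuate("activity:DOWNLOAD").attenuate("path:/store/data/file1")
    # A receiver that strips a caveat keeps the old signature, so the chain no longer matches.
    tampered = Macaroon(narrow.location, narrow.identifier, narrow.signature, narrow.caveats[:-1])
    check = lambda m, act, p: verify(m, ROOT_KEY, now=now, activity=act, path=p)[0]
    return {
        "download_file1": check(narrow, "DOWNLOAD", "/store/data/file1"),
        "upload_file1": check(narrow, "UPLOAD", "/store/data/file1"),
        "other_path": check(narrow, "DOWNLOAD", "/store/data/file2"),
        "tampered": check(tampered, "DOWNLOAD", "/store/data/file2"),
    }


if __name__ == "__main__":
    print(queue_time_vs_start_time())
    print(attenuation_demo())
```

Unknown caveats fail closed on purpose: a verifier that ignores caveats it does not recognise would silently widen any token that a holder tried to restrict.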
Rucio Progress Update (Thomas)
• Rucio instance is up and running (also mentioned in email to mailing list)
• The test cluster only understands username/password authentication; GSI is coming.
• Thomas can create users for those who want them
• Thomas will write wiki page about the Rucio setup. Will also investigate the best way to monitor.
• Brian is looking for volunteers to help maintain / use this Rucio instance.
Requirements discussion deferred to the next meeting (out of time).