xrootd: authentication

[sbinet]

protocol version 4

The xrootd specs have a number of things to say about authentication:

• kXR_auth
• kXR_authmore
• Authentication & Access Control Configuration Reference

xrdsec supports 6 authentication protocols:

• host: authenticates a user by originating host name only,
• gsi: authenticates a user using GSI protocol,
• krb5: authenticates a user using Kerberos V protocol, and
• pwd: authenticates a user using a password-based protocol
• sss: authenticates a user using a simple shared secret protocol
• unix: authenticates using the Unix login name and group name

For kerberos, we might use:

• https://github.com/jcmturner/gokrb5

For GSI, something on top of crypto/x509+crypto/tls might be used/developed.
Current specs:

• https://en.wikipedia.org/wiki/Grid_Security_Infrastructure
• http://toolkit.globus.org/ftppub/globus/papers/security.pdf
• gsi-msg-specs.pdf (retrieved from http://toolkit.globus.org/toolkit/docs/6.0/gsic/developer/index.html#gsic-protocol)
• GSI: blocked by specification of the GSI auth xrootd/xrootd#757
  • https://xrootd.slac.stanford.edu/doc/gsidocs/XRootD-GSI-Protocol-Specifications.pdf
  • XRootD-GSI-Protocol-Specifications.pdf

3rd-party authentication:

• scitokens:
  • https://github.com/xrootd/xrootd-scitokens
  • https://github.com/scitokens/scitokens-go

protocol version 5

The v5 specs also support a ztn protocol (based on tokens):

• ztn: https://xrootd.slac.stanford.edu/doc/dev50/sec_config.htm#_Toc64492252