Subject: Re: HTTP configuration with VOMS authentication
From: Fabrizio Furano <[log in to unmask]>
Reply-To: Support use of xrootd by HEP experiments <[log in to unmask]>
Date: Tue, 8 Dec 2020 12:13:47 +0100
Content-Type: text/plain

Hi,

 you should try with "https" for the certificates to be processed. Could
you please try that?

Cheers
Fabrizio

On 08/12/20 09:25, [log in to unmask] wrote:
> Hi,
> 
> I am a bit puzzled concerning the configuration of my XRootD server running v4.11.2-1 when I try to enable http with voms authentication. The following packages are installed:
> 
> xrootd-4.11.2-1.el7.x86_64
> xrootd-client-4.11.2-1.el7.x86_64
> xrootd-client-libs-4.11.2-1.el7.x86_64
> xrootd-libs-4.11.2-1.el7.x86_64
> xrootd-selinux-4.11.2-1.el7.noarch
> xrootd-server-4.11.2-1.el7.x86_64
> xrootd-server-libs-4.11.2-1.el7.x86_64
> voms-2.0.15-1.el7.x86_64
> voms-clients-cpp-2.0.15-1.el7.x86_64
> vomsxrd-0.3.0-1.el7.cern.x86_64
> xrdhttpvoms-0.2.5-2.el7.x86_64
> 
> and I have the following configuration files: 
> 
> =================================================
> $ cat xrootd_server_grid.cfg
> xrd.port 1094
> xrd.protocol xrootd *
> [...]
> 
> all.export /xrootd/in2p3.fr/disk/juno nolock r/w
> 
> if exec xrootd
>   xrd.protocol http:1094 /usr/lib64/libXrdHttp.so
>   http.exthandler xrdtpc /usr/lib64/libXrdHttpTPC.so
>   http.secxtractor /usr/lib64/libXrdHttpVOMS.so
>   http.header2cgi Authorization authz
>   http.cadir /etc/grid-security/certificates
>   http.cert /etc/grid-security/xrd/xrdcert.pem
>   http.key /etc/grid-security/xrd/xrdkey.pem
>   http.listingdeny yes
>   http.trace all
> fi
> 
> ofs.tpc fcreds gsi =X509_USER_PROXY ttl 60 70 xfr 20 autorm pgm /usr/share/xrootd/utils/xrdcp-tpc.sh
> xrootd.chksum adler32 /usr/share/xrootd/utils/xrdadler32-tpc.sh
> 
> xrootd.seclib /usr/lib64/libXrdSec.so
> sec.protparm gsi -vomsfun:/usr/lib64/libXrdSecgsiVOMS-4.so -vomsfunparms:certfmt=pem|vos=juno|grps=/juno|grpopt=10|dbg
> sec.protocol /usr/lib64 gsi -dlgpxy:1 -exppxy:=creds -ca:1 -crl:3 -gridmap:/dev/null
> acc.audit deny
> acc.authdb /etc/xrootd/auth_file
> acc.authrefresh 60
> ofs.authorize
> [...]
> 
> $ cat auth_file
> g /juno /xrootd/in2p3.fr/disk/juno rwild /xrootd/in2p3.fr/tape/juno rwild
> =================================================
> 
> With my Juno proxy, I am able to read a file using xrdcp. However, using gfal-copy with the http protocol, it fails with: 
> 
> $ gfal-copy http://ccxrdli284.in2p3.fr:1094//xrootd/in2p3.fr/disk/juno/user/y/ycalas/testfile_dir/testfile_IN2P3-XROOTD.txt ti)
> 
> gfal-copy error: 1 (Operation not permitted) - Could not stat the source: HTTP 403 : Permission refused
> 
> 
> It seems that the mapping is not done correctly (login as "nobody" user) as shown below. I wonder what is the tricky part to modify in my XRootD configuration file... 
> 
> =================================================
> 201207 21:42:49 190911 ?:27@[xxx.xxx.xxx.xxx] sysXrdHttp: received dlen: 16
> 201207 21:42:49 190911 ?:27@[xxx.xxx.xxx.xxx] sysXrdHttp: received dump: 72 69 65 68 32 47 47 120 114 111 111 116 100 47 105 00
> 201207 21:42:49 190911 ?:27@[xxx.xxx.xxx.xxx] sysXrdHttp: Protocol matched. https: 0
> 201207 21:42:49 190911 ?:27@[xxx.xxx.xxx.xxx] sysXrdHttp:  Process. lp:0x7fdfe80010d8 reqstate: 0
> 201207 21:42:49 190911 ?:27@[xxx.xxx.xxx.xxx] sysXrdHttp:  Setting host: [xxx.xxx.xxx.xxx]
> 201207 21:42:49 190911 sysXrdHttp: getDataOneShot BuffAvailable: 1048576 maxread: 1048576
> 201207 21:42:49 190911 sysXrdHttp: read 237 of 1048576 bytes
> 201207 21:42:49 190911 sysXrdHttp:  rc:96 got hdr line: HEAD //xrootd/in2p3.fr/disk/juno/user/y/ycalas/testfile_dir/testfile_IN2P3-XROOTD.txt HTTP/1.1
> 201207 21:42:49 190911 sysXrdHttp:  Parsing first line: HEAD //xrootd/in2p3.fr/disk/juno/user/y/ycalas/testfile_dir/testfile_IN2P3-XROOTD.txt HTTP/1.1
> 201207 21:42:49 190911 sysXrdHttp:  rc:55 got hdr line: User-Agent: gfal2-util/1.5.3 gfal2/2.18.1 neon/0.0.29
> 201207 21:42:49 190911 sysXrdHttp:  rc:14 got hdr line: Keep-Alive:
> 201207 21:42:49 190911 sysXrdHttp:  rc:24 got hdr line: Connection: Keep-Alive
> 201207 21:42:49 190911 sysXrdHttp:  rc:14 got hdr line: TE: trailers
> 201207 21:42:49 190911 sysXrdHttp:  rc:32 got hdr line: Host: yyyyyy.zzzz.fr:1094
> 201207 21:42:49 190911 sysXrdHttp:  rc:2 got hdr line:
> 01207 21:42:49 190911 sysXrdHttp:  rc:2 detected header end.
> 201207 21:42:49 190911 XrootdBridge: unknown.7:27@[xxx.xxx.xxx.xxx] login as nobody
> 201207 21:42:49 190911 unknown.7:27@[xxx.xxx.xxx.xxx] sysXrdHttp:  Process. lp:0x7fdfe80010d8 reqstate: 0
> 201207 21:42:49 190911 unknown.7:27@[xxx.xxx.xxx.xxx] sysXrdHttp: Process is exiting rc:0
> 201207 21:42:49 190911 acc_Audit: http deny  *@[xxx.xxx.xxx.xxx] stat /xrootd/in2p3.fr/disk/juno/user/y/ycalas/testfile_dir/testfile_IN2P3-XROOTD.txt
> 201207 21:42:49 190911 ofs_stat: unknown.7:27@[xxx.xxx.xxx.xxx] Unable to locate /xrootd/in2p3.fr/disk/juno/user/y/ycalas/testfile_dir/testfile_IN2P3-XROOTD.txt; permission denied
> =================================================
> 
> Any idea? 
> 
> Thanks,
> 
> Yvan
> ########################################################################
> Use REPLY-ALL to reply to list
> 
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
> 
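
A check that follows from the reply above, as an added example that is not part of the original messages or of XRootD: it scans XrdHttp trace output for requests denied on a connection logged as `https: 0`, where no TLS handshake took place and so no client certificate reached the VOMS extractor. The sample lines are constructed in the format quoted above; using the third field as the per-connection key, and the shape of the `https: 1` session, are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the trace quoted in the thread (addresses are
# documentation-range placeholders; the second session is an assumed success case).
SAMPLE_LOG = """\
201207 21:42:49 190911 ?:27@[192.0.2.10] sysXrdHttp: Protocol matched. https: 0
201207 21:42:49 190911 sysXrdHttp:  Parsing first line: HEAD //data/juno/file.txt HTTP/1.1
201207 21:42:49 190911 XrootdBridge: unknown.7:27@[192.0.2.10] login as nobody
201207 21:42:49 190911 acc_Audit: http deny  *@[192.0.2.10] stat /data/juno/file.txt
201207 21:43:02 190912 ?:28@[192.0.2.11] sysXrdHttp: Protocol matched. https: 1
201207 21:43:02 190912 XrootdBridge: jdoe.8:28@[192.0.2.11] login as jdoe
"""

LINE = re.compile(r"^(\d{6}) (\d{2}:\d{2}:\d{2}) (\d+) (.*)$")   # date, time, key, message
HTTPS = re.compile(r"sysXrdHttp: Protocol matched\. https: ([01])")
LOGIN = re.compile(r"XrootdBridge: \S+ login as (\S+)")
DENY = re.compile(r"acc_Audit: http deny\s+\S+ (\w+) (\S+)")      # operation, path


def find_unauthenticated_denials(log_text):
    """Return one finding per request denied on a connection that did not use TLS."""
    # Assumption: the third log field identifies the connection being handled.
    state = defaultdict(lambda: {"https": None, "user": None})
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.lstrip("> ").rstrip())   # tolerate mail-quoted lines
        if not m:
            continue
        key, msg = m.group(3), m.group(4)
        conn = state[key]
        if (proto := HTTPS.search(msg)):
            # A new protocol match starts a new connection on this key.
            conn["https"], conn["user"] = proto.group(1) == "1", None
        elif (login := LOGIN.search(msg)):
            conn["user"] = login.group(1)
        elif (deny := DENY.search(msg)) and conn["https"] is False:
            findings.append({"tid": key, "user": conn["user"],
                             "op": deny.group(1), "path": deny.group(2)})
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_denials(SAMPLE_LOG):
        print(f"plain-HTTP request denied: {f['op']} {f['path']} "
              f"(mapped to {f['user']!r}); retry the same URL with https://")
```
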
