Hi Matevz,

Your naive expectation was correct (though not particularly secure). You
should be able to run the proxy w/o authentication for its clients and use
authentication for the origin (assuming the origin has authentication
enabled). The origin is typically a redirector and we recommend against
enabling authentication for that unless you are forwarding requests.

Based on the log, it seems that the security shared libraries that the
proxy needed to use were not in the ld path for the proxy (common
problem).

Andy

On Wed, 25 Jan 2012, Matevz Tadel wrote:
> Hi,
>
> How is security / authentication handled for simple proxy servers? I was, somewhat naively it seems now, expecting that I can have a proxy without authentication and let this be handled at the redirector where my proxy is pointing (which uses GSI).
>
> Here's my config for proxy:
> ofs.osslib /usr/local/lib64/libXrdPss.so
> all.export /store
> pss.origin xrootd.t2.ucsd.edu:1094
> pss.memcache debug 3 logstats pagesize 64k sfiles .root size 2g
>
> And output from a login attempt (with valid cert-proxy):
> a) proxy
> 120125 19:41:19 3567 XrootdXeq: matevz.3965:21@desire login
> Cache: Attached 1/1 8000 root:[log in to unmask]:1094//store/data/Run2011B/DoubleMu/AOD/30Nov2011-v1/0000/A01348BE-9F1D-E111-88BB-003048FFCB84.root?oss.lcl=1
> XrdSec: No authentication protocols are available.
> Cache: 0 att; rel 0 slots; 0 Faults; 8000 -ì
> Cache: Stats: 0 Read; 0 Get; 0 Pass; 0 Write; 0 Put; 0 Hits; 0 Miss; 0 pead; 0 HitsPR; 0 MissPR; Path P
> 120125 19:41:19 3567 ofs_open: matevz.3965:21@desire Unable to open /store/data/Run2011B/DoubleMu/AOD/30Nov2011-v1/0000/A01348BE-9F1D-E111-88BB-003048FFCB84.root; Permission denied
> 120125 19:41:19 3567 XrootdXeq: matevz.3965:21@desire disc 0:00:00
>
> b) redirector
> 120125 19:41:20 4028 XrootdXeq: 21.3567:[log in to unmask] disc 0:00:01
>
> So, all I see on the manager/redirector is a disconnect :)
>
> In any case, even if I configure authentication on the proxy, how will this get propagated to the redirector? And anyway ... why would the redirector trust my proxy?
>
> Best,
> Matevz
>
> ########################################################################
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-DEV list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>
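
Added example, not part of the original thread and not XRootD project code: a small triage pass over a proxy log that separates "Permission denied" opens preceded by the `XrdSec: No authentication protocols are available.` line (the case in the quoted log, where the reply points at the proxy's security libraries) from other denials. The sample log is constructed from the lines quoted above with shortened paths, the second client is invented, and attributing the unstamped XrdSec line to the next denied open is a heuristic assumption.

```python
import re

# Constructed sample modelled on the proxy log quoted in this thread.
# Paths are shortened and the "alice" session is invented for contrast.
SAMPLE_LOG = """\
120125 19:41:19 3567 XrootdXeq: matevz.3965:21@desire login
XrdSec: No authentication protocols are available.
120125 19:41:19 3567 ofs_open: matevz.3965:21@desire Unable to open /store/data/file.root; Permission denied
120125 19:41:19 3567 XrootdXeq: matevz.3965:21@desire disc 0:00:00
120125 19:42:07 3567 XrootdXeq: alice.4100:22@desire login
120125 19:42:07 3567 ofs_open: alice.4100:22@desire Unable to open /store/private/x.root; Permission denied
"""

# Stamped lines look like: "<yymmdd> <hh:mm:ss> <pid> <module>: <client> <message>"
STAMPED = re.compile(r"^(\d{6} \d\d:\d\d:\d\d) (\d+) (\w+): (\S+) (.*)$")
NO_SEC = "XrdSec: No authentication protocols are available."


def triage(log_text):
    """Classify each denied open in a proxy log.

    Returns (timestamp, client, cause) tuples. The cause is
    'check-proxy-security-libs' when the XrdSec line was logged since the
    previous denied open, otherwise 'other-denial'.
    """
    sec_failure_pending = False
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line == NO_SEC:
            # Unstamped line: carries no pid or client, so remember it
            # and attach it to the next denied open (heuristic).
            sec_failure_pending = True
            continue
        m = STAMPED.match(line)
        if not m:
            continue  # cache statistics and other unstamped output
        when, _pid, module, client, message = m.groups()
        if module == "ofs_open" and message.endswith("Permission denied"):
            cause = ("check-proxy-security-libs" if sec_failure_pending
                     else "other-denial")
            findings.append((when, client, cause))
            sec_failure_pending = False
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```
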