Hi Marcus,
This appears to be a problem with the way the http plugin constructs the
security context from the certificate. I will discuss this with Fabrizio
next week and straighten it out.
Andy
On Thu, 16 Mar 2017, Marcus Ebert wrote:
> Hi all,
>
> I tried to update to the latest xrootd version from epel-testing and the
> latest version of xrdhttpvoms. However, there is no change in the result:
>
>
> xrdcp xroot://gridpp09.ecdf.ed.ac.uk:1094//lsst/testfile .
> ----------------------------------------------------------
> works
>
>
>
> davix-get -P grid https://gridpp09.ecdf.ed.ac.uk:1094/lsst/testfile
> ---------------------------------------------------------------------
> 170316 16:15:13 7211 ?:[log in to unmask] sysXrdHttp: Setting
> host: 92.40.249.75.threembb.co.uk
> 170316 16:15:13 7211 ?:[log in to unmask] sysXrdHttp: Entering
> SSL_accept...
> 170316 16:15:13 7210 XrdSched: running main accept inq=0
> 170316 16:15:13 7211 ?:[log in to unmask] sysXrdHttp: SSL_accept
> returned :1
> 170316 16:15:13 7211 ?:[log in to unmask] sysXrdHttp:
> SSL_get_verify_result returned :0
> 170316 16:15:13 7211 ?:[log in to unmask] sysXrdHttp: Extracting
> auth info.
> 170316 16:15:13 7211 ?:[log in to unmask] sysXrdHttp:
> SSL_get_peer_certificate returned :0x7f414400cb70
> 170316 16:15:13 7211 ?:[log in to unmask] sysXrdHttp: Setting
> link name: /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus
> ebert/CN=proxy/CN=proxy
> 170316 16:15:13 7211 [log in to unmask]
> SSL_get_peer_certificate returned :0x7f414400cb70
> 170316 16:15:13 7211 [log in to unmask]
> SSL_get_verify_result returned :0
> 170316 16:15:13 7211 [log in to unmask]
> SSL_get_peer_cert_chain :0x7f414400e930
> 170316 16:15:13 7211 [log in to unmask]
> fqan :/lsst/Role=NULL/Capability=NULL
> 170316 16:15:13 7211 [log in to unmask]
> Setting VO: lsst roles :/lsst/Role=NULL/Capability=NULL
> 170316 16:15:13 7211 sysXrdHttp: getDataOneShot BuffAvailable: 1048576
> maxread: 1048576
> 170316 16:15:13 7211 sysXrdHttp: getDataOneShot sslavail: 1048576
> 170316 16:15:13 7211 sysXrdHttp: read 195 of 1048576 bytes
> 170316 16:15:13 7211 sysXrdHttp: rc:31 got hdr line: HEAD //lsst/testfile
> HTTP/1.1
>
> 170316 16:15:13 7211 sysXrdHttp: rc:40 got hdr line: User-Agent:
> libdavix/0.6.0 neon/0.0.29
>
> 170316 16:15:13 7211 sysXrdHttp: rc:14 got hdr line: Keep-Alive:
>
> 170316 16:15:13 7211 sysXrdHttp: rc:24 got hdr line: Connection: Keep-Alive
>
> 170316 16:15:13 7211 sysXrdHttp: rc:14 got hdr line: TE: trailers
>
> 170316 16:15:13 7211 sysXrdHttp: rc:35 got hdr line: Host:
> gridpp09.ecdf.ed.ac.uk:1094
>
> 170316 16:15:13 7211 sysXrdHttp: rc:35 got hdr line: Accept:
> application/metalink4+xml
>
> 170316 16:15:13 7211 sysXrdHttp: rc:2 got hdr line:
>
> 170316 16:15:13 7211 sysXrdHttp: rc:2 detected header end.
> 170316 16:15:13 7211 XrootdBridge: /C=UK/O=.16:[log in to unmask]
> login as /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus
> ebert/CN=proxy/CN=proxy
> 170316 16:15:13 7211 /C=UK/O=.16:[log in to unmask] sysXrdHttp:
> Process. lp:0x7f4150001d68 reqstate: 0
> 170316 16:15:13 7211 /C=UK/O=.16:[log in to unmask]
> XrootdProtocol: 0000 Bridge req=3017 dlen=15 blen=15
> 170316 16:15:13 7211 /C=UK/O=.16:[log in to unmask] sysXrdHttp:
> Process is exiting rc:1
> 170316 16:15:13 7211 /C=UK/O=.16:[log in to unmask] ofs_stat:
> fn=/lsst/testfile
> 170316 16:15:13 7211 ofs_stat: /C=UK/O=.16:[log in to unmask]
> Unable to locate /lsst/testfile; permission denied
> 170316 16:15:13 7211 /C=UK/O=.16:[log in to unmask]
> XrootdProtocol: 0000 rc=-1 stat /lsst/testfile
> 170316 16:15:13 7211 /C=UK/O=.16:[log in to unmask]
> XrootdResponse: 0000 sending err 3010: Unable to locate /lsst/testfile;
> permission denied
> 170316 16:15:13 7211 sysXrdHttp: XrdHttpReq::Error
> 170316 16:15:13 7211 /C=UK/O=.16:[log in to unmask] sysXrdHttp:
> PostProcessHTTPReq req: 3 reqstate: 0
> 170316 16:15:13 7211 /C=UK/O=.16:[log in to unmask] sysXrdHttp:
> Sending resp: 404 len:10
> 170316 16:15:13 7211 sysXrdHttp: Sending 46 bytes
> 170316 16:15:13 7211 sysXrdHttp: Sending 10 bytes
> 170316 16:15:13 7211 sysXrdHttp: XrdHttpReq request ended.
> 170316 16:15:13 7211 sysXrdHttp: Cleanup
> 170316 16:15:13 7211 sysXrdHttp: SSL_shutdown failed
> 170316 16:15:13 7211 sysXrdHttp: Reset
> 170316 16:15:13 7211 sysXrdHttp: XrdHttpReq request ended.
> 170316 16:15:13 7211 XrootdXeq: /C=UK/O=.16:[log in to unmask]
> disc 0:00:00 (send failure)
> 170316 16:15:13 7211 /C=UK/O=.16:[log in to unmask] XrdPoll: FD 7
> detached from poller 0; num=0
>
>
> Anyone have any ideas what could be the reason that it doesn't work through
> davix-get?
> In the config I have for http:
> if exec xrootd
> xrd.protocol http /usr/lib64/libXrdHttp.so
> fi
> http.cadir /etc/grid-security/certificates
> http.cert /etc/grid-security/xrd/xrdcert.pem
> http.key /etc/grid-security/xrd/xrdkey.pem
> http.secxtractor /usr/lib64/libXrdHttpVOMS.so
> http.listingdeny no
> http.desthttps no
>
> (gridpp09 is just a single server, not going through a redirector for now to
> have a simple situation until it works)
>
> Cheers,
> Marcus
>
>
> On Fri, 10 Mar 2017, Marcus Ebert wrote:
>
>> Hi,
>>
>> Ah right, http needs its own debug. I now enabled
>> http.trace all
>>
>> And at least it shows now that the VO is detected:
>> 170310 17:33:53 14501 ?:[log in to unmask] sysXrdHttp:
>> received dlen: 16
>> 170310 17:33:53 14501 ?:[log in to unmask] sysXrdHttp:
>> received dump: 22 03 01 01 20 01 00 01 16 03 03 88 -62 -29 -126 00
>> 170310 17:33:53 14501 ?:[log in to unmask] sysXrdHttp: This
>> does not look like http at pos 0
>> 170310 17:33:53 14501 ?:[log in to unmask] sysXrdHttp: This
>> may look like https
>> 170310 17:33:53 14501 ?:[log in to unmask] sysXrdHttp:
>> Protocol matched. https: 1
>> 170310 17:33:53 14501 XrdProtocol: matched protocol http
>> 170310 17:33:53 14501 ?:[log in to unmask] XrdPoll: FD 7
>> attached to poller 0; num=1
>> 170310 17:33:53 14501 ?:[log in to unmask] sysXrdHttp:
>> Process. lp:0x7fba5c001c68 reqstate: 0
>> 170310 17:33:53 14501 ?:[log in to unmask] sysXrdHttp:
>> Setting host: 94.197.120.127.threembb.co.uk
>> 170310 17:33:53 14501 ?:[log in to unmask] sysXrdHttp:
>> Entering SSL_accept...
>> 170310 17:33:53 14501 ?:[log in to unmask] sysXrdHttp:
>> SSL_accept returned :1
>> 170310 17:33:53 14501 ?:[log in to unmask] sysXrdHttp:
>> Extracting auth info.
>> 170310 17:33:53 14501 ?:[log in to unmask] sysXrdHttp:
>> SSL_get_peer_certificate returned :0x7fba60034dd0
>> 170310 17:33:53 14501 ?:[log in to unmask] sysXrdHttp:
>> Setting link name: /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus
>> ebert/CN=3266599870
>> 170310 17:33:53 14501 [log in to unmask]
>> SSL_get_peer_certificate returned :0x7fba60034dd0
>> 170310 17:33:53 14501 [log in to unmask]
>> SSL_get_verify_result returned :0
>> 170310 17:33:53 14501 [log in to unmask]
>> SSL_get_peer_cert_chain :0x7fba6003a0e0
>> 170310 17:33:53 14501 [log in to unmask]
>> fqan :/lsst/Role=NULL/Capability=NULL
>> 170310 17:33:53 14501 [log in to unmask]
>> Setting VO: lsst roles :/lsst/Role=NULL/Capability=NULL
>> 170310 17:33:53 14501 [log in to unmask]
>> sysXrdHttp: SSL_get_verify_result returned :0
>>
>> but then later it says:
>> 170310 17:33:53 14501 XrootdBridge:
>> /C=UK/O=.17:[log in to unmask] login as
>> /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert/CN=3266599870
>> 170310 17:33:53 14501 /C=UK/O=.17:[log in to unmask]
>> sysXrdHttp: Process. lp:0x7fba5c001c68 reqstate: 0
>> 170310 17:33:53 14501 /C=UK/O=.17:[log in to unmask]
>> XrootdProtocol: 0000 Bridge req=3017 dlen=15 blen=15
>> 170310 17:33:53 14501 /C=UK/O=.17:[log in to unmask]
>> sysXrdHttp: Process is exiting rc:0
>> 170310 17:33:53 14501 /C=UK/O=.17:[log in to unmask] ofs_stat:
>> fn=/lsst/testfile
>> 170310 17:33:53 14501 ofs_stat: /C=UK/O=.17:[log in to unmask]
>> Unable to locate /lsst/testfile; permission denied
>> 170310 17:33:53 14501 /C=UK/O=.17:[log in to unmask]
>> XrootdProtocol: 0000 rc=-1 stat /lsst/testfile
>> 170310 17:33:53 14501 /C=UK/O=.17:[log in to unmask]
>> XrootdResponse: 0000 sending err 3010: Unable to locate /lsst/testfile;
>> permission denied
>> 170310 17:33:53 14501 sysXrdHttp: XrdHttpReq::Error
>> 170310 17:33:53 14501 /C=UK/O=.17:[log in to unmask]
>> sysXrdHttp: PostProcessHTTPReq req: 2 reqstate: 0
>> 170310 17:33:53 14501 /C=UK/O=.17:[log in to unmask]
>> sysXrdHttp: Sending resp: 404 len:15
>> 170310 17:33:53 14501 sysXrdHttp: Sending 46 bytes
>> 170310 17:33:53 14501 sysXrdHttp: Sending 15 bytes
>> 170310 17:33:53 14501 sysXrdHttp: XrdHttpReq request ended.
>> 170310 17:33:53 14501 sysXrdHttp: Cleanup
>> 170310 17:33:53 14501 sysXrdHttp: SSL_shutdown failed
>> 170310 17:33:53 14501 sysXrdHttp: Reset
>> 170310 17:33:53 14501 sysXrdHttp: XrdHttpReq request ended.
>> 170310 17:33:53 14501 XrootdXeq:
>> /C=UK/O=.17:[log in to unmask] disc 0:00:00 (send failure)
>>
>>
>> So it finds the VO but still shows a permission denied. Or can it not find
>> the file?
>> filename that
>> works : root://dev2.gridpp.ecdf.ed.ac.uk:1094//lsst/testfile
>> doesn't work : https://dev2.gridpp.ecdf.ed.ac.uk:1094/lsst/tesfile
>>
>> (you probably can also access /atlas/testfile through xrdcp)
>>
>> Cheers,
>> Marcus
>>
>> On Fri, 10 Mar 2017, Fabrizio Furano wrote:
>>
>>> Hi,
>>>
>>> > > - Was your server (the machine, not xrootd) configured to recognize
>>> > > gridpp or lsst proxies ?
>>> > > [ it's the stuff in /etc/grid-security/vomsdir plus the
>>> > > ca-policy-egi-core package ]
>>> >
>>> > Yes, it was configured for atlas, gridpp, lsst, lhcb, dteam. This
>>> > also works when using xrdcp/xrdfs.
>>> > When going through xrdcp, I see in my logs:
>>> > 170310 15:04:14 21760 secgsiVOMS_Fun: proxy:
>>> > /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert/CN=3266599870
>>> > 170310 15:04:14 21760 secgsiVOMS_Fun: adding cert:
>>> > /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert
>>> > 170310 15:04:15 21760 secgsiVOMS_Fun: retrieval successful
>>> > 170310 15:04:15 21760 secgsiVOMS_Fun: found VO: lsst
>>> > 170310 15:04:15 21760 secgsiVOMS_Fun: ---> group: '/lsst', role:
>>> > 'NULL', cap: 'NULL'
>>> > 170310 15:04:15 21760 secgsiVOMS_Fun: ---> fqan:
>>> > '/lsst/Role=NULL/Capability=NULL'
>>> >
>>> > Something similar is not in the log files when going through https.
>>>
>>>
>>> This is what you should look for in the logs when running xrootd in debug
>>> mode. What do you get ?
>>>
>>> 170310 16:15:52 22616 ?:[log in to unmask] sysXrdHttp: Extracting
>>> auth
>>> info.
>>> 170310 16:15:52 22616 ?:[log in to unmask] sysXrdHttp:
>>> SSL_get_peer_certificate returned :0x7f7cf403c150
>>> 170310 16:15:52 22616 ?:[log in to unmask] sysXrdHttp: Setting link
>>> name: /DC=ch/DC=cern/OU=Organic
>>> Units/OU=Users/CN=furano/CN=644746/CN=Fabrizio Furano/CN=172241399
>>> 170310 16:15:52 22616 [log in to unmask]
>>> SSL_get_peer_certificate returned :0x7f7cf403c150
>>> 170310 16:15:52 22616 [log in to unmask]
>>> SSL_get_verify_result returned :0
>>> 170310 16:15:52 22616 [log in to unmask]
>>> SSL_get_peer_cert_chain :0x7f7cf403bc30
>>> 170310 16:15:52 22616 [log in to unmask] fqan
>>> :/atlas/Role=NULL/Capability=NULL
>>> 170310 16:15:52 22616 [log in to unmask] fqan
>>> :/atlas/lcg1/Role=NULL/Capability=NULL
>>> 170310 16:15:52 22616 [log in to unmask] Setting
>>> VO: atlas roles :/atlas/Role=NULL/Capability=NULL
>>>
>>>
>>>
>>>
>>>
>>>
>>> > BTW: I think when you tried the error was because I had on the server
>>> > still denied listing. It's allowed now and I also put
>>> > atlas/testfile which should work to get?
>>>
>>>
>>> Ehm no, still 404.
>>>
>>> Cheers
>>> f
>>>
>>>
>>>
>>>
>>>
>>> > Cheers,
>>> > Marcus
>>> >
>>> > > Cheers
>>> > > Fabrizio
>>> > >
>>> > > On 03/10/2017 02:36 PM, Marcus Ebert wrote:
>>> > > > Ok, getting the davix-tools was easier than I thought. They are
>>> > > > available through a GridPP CernVM.
>>> > > > However, doing so I get the output:
>>> > > > <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
>>> > > > "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
>>> > > > <html xmlns="http://www.w3.org/1999/xhtml">
>>> > > > <head>
>>> > > > <meta http-equiv="content-type" content="text/html;charset=utf-8"/>
>>> > > > <link rel="stylesheet" type="text/css" href="/static/css/xrdhttp.css"/>
>>> > > > <link rel="icon" type="image/png" href="/static/icons/xrdhttp.ico"/>
>>> > > > <title>/</title>
>>> > > > </head>
>>> > > > <body>
>>> > > > <h1>Listing of: /</h1>
>>> > > > <div id="header"><table id="ft">
>>> > > > <thead><tr>
>>> > > > <th class="mode">Mode</th><th class="flags">Flags</th><th class="size">Size</th><th class="datetime">Modified</th><th class="name">Name</th></tr></thead>
>>> > > > <tr><td class="mode">d--rwx</td><td class="mode">51</td><td class="size">4096</td><td class="datetime">Wed, 26 Nov 2014 15:28:25 GMT</td><td class="name"><a href="atlas">atlas</a></td></tr>
>>> > > > <tr><td class="mode">d--rwx</td><td class="mode">51</td><td class="size">4096</td><td class="datetime">Thu, 27 Nov 2014 16:34:50 GMT</td><td class="name"><a href="dynafeds_demo">dynafeds_demo</a></td></tr>
>>> > > > <tr><td class="mode">d--rwx</td><td class="mode">51</td><td class="size">167936</td><td class="datetime">Tue, 28 Feb 2017 16:44:54 GMT</td><td class="name"><a href="georgios_test">georgios_test</a></td></tr></table></div><br><br><hr size=1>
>>> > > > <p><span id="requestby">Request by /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert/CN=157025827 ( DN: /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert/CN=157025827 ) ( 94.197.120.22.threembb.co.uk )</span></p>
>>> > > > <p>Powered by XrdHTTP v20170305-55a66d2 (CERN IT-SDC)</p>
>>> > > >
>>> > > > Which doesn't say anything about the VO. I tried with an LSST and
>>> > > > GridPP proxy.
>>> > > > voms info gives for example for gridpp VO:
>>> > > > subject : /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert/CN=157025827
>>> > > > issuer : /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert
>>> > > > identity : /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert
>>> > > > type : RFC compliant proxy
>>> > > > strength : 1024 bits
>>> > > > path : /tmp/x509up_u501
>>> > > > timeleft : 11:59:33
>>> > > > key usage : Digital Signature, Key Encipherment, Data Encipherment
>>> > > > === VO gridpp extension information ===
>>> > > > VO : gridpp
>>> > > > subject : /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert
>>> > > > issuer : /C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
>>> > > > attribute : /gridpp/Role=NULL/Capability=NULL
>>> > > > timeleft : 11:59:33
>>> > > > uri : voms.gridpp.ac.uk:15000
>>> > > >
>>> > > > Cheers,
>>> > > > Marcus
>>> > > >
>>> > > > On Fri, 10 Mar 2017, Marcus Ebert wrote:
>>> > > > > Thanks Fabrizio!
>>> > > > >
>>> > > > > I'll try to get the davix-tools made available first.
>>> > > > >
>>> > > > > Cheers,
>>> > > > > Marcus
>>> > > > >
>>> > > > > On Fri, 10 Mar 2017, Fabrizio Furano wrote:
>>> > > > > > Hi,
>>> > > > > >
>>> > > > > > sorry, I missed the other questions, here they are...
>>> > > > > >
>>> > > > > > On 03/10/2017 11:08 AM, Marcus Ebert wrote:
>>> > > > > > > Unfortunately, I don't have davix-get available on the local
>>> > > > > > > desktop. Is there any lsetup mode for Atlas to make that available
>>> > > > > > > (or any other cvmfs path)?
>>> > > > > >
>>> > > > > > You can get davix from all the major Linux distributions with their own
>>> > > > > > tools, apt, yum, ...
>>> > > > > > cvmfs certainly has it because it's used, but I cannot help you there, I
>>> > > > > > have no idea (others may chime in)
>>> > > > > >
>>> > > > > > > > Do you get any similar output if you do this with
>>> > > > > > > > https://dev2.gridpp.ecdf.ed.ac.uk:1094 ?
>>> > > > > >
>>> > > > > > It gives to me 404 on the root directory, which is a sign of server
>>> > > > > > misconfiguration (despite xrootd or http)
>>> > > > > >
>>> > > > > > > If I do so in a browser for your test server, it displays:
>>> > > > > > > Request by /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert ( DN: /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert ) ( 94.197.120.22.threembb.co.uk )
>>> > > > > > > Powered by XrdHTTP v20170305-55a66d2 (CERN IT-SDC)
>>> > > > > > >
>>> > > > > > > but no VO identification (probably because there is no voms-proxy
>>> > > > > > > available to the browser and it doesn't do a lookup in grid-mapfile?)
>>> > > > > >
>>> > > > > > Browsers do not support Grid proxies.
>>> > > > > > The historical workaround for that is the use of a mapfile, as you cite.
>>> > > > > > Xrdhttp uses the same mapfile of the rest of the xrootd framework, which
>>> > > > > > is a bit original if one is used to the ones used e.g. by DPM.
>>> > > > > >
>>> > > > > > Anyway I would not go further that way until you have troubleshot your
>>> > > > > > client setup. You must be able to get from my server the same kind of
>>> > > > > > output that I get.
>>> > > > > >
>>> > > > > > You can use curl, but it's more complex and less reliable. Please do an
>>> > > > > > attempt at getting davix.
>>> > > > > >
>>> > > > > > Please let me know
>>> > > > > > Fabrizio
>>>
>>
>>
>
> --
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
>
> ########################################################################
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>
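Added here as a triage helper, not code from the thread, from xrootd or from xrdhttpvoms: it parses constructed lines shaped like the two trace excerpts above (xrdcp/gsi and davix/https) and compares what each path records. The gsi path logs the end-entity DN ("adding cert"), while the http path logs the full proxy DN, CN=proxy components included, as the login identity; whether that mismatch is what denies the stat is an assumption, not something the thread establishes.

```python
import re

# Constructed sample lines, modelled on the trace excerpts in the thread
# (one xrdcp/gsi excerpt, one davix/https excerpt); not real captures.
GSI_LOG = """\
170310 15:04:14 21760 secgsiVOMS_Fun: proxy: /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert/CN=3266599870
170310 15:04:14 21760 secgsiVOMS_Fun: adding cert: /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert
170310 15:04:15 21760 secgsiVOMS_Fun: found VO: lsst
170310 15:04:15 21760 secgsiVOMS_Fun: ---> fqan: '/lsst/Role=NULL/Capability=NULL'
"""
HTTP_LOG = """\
170316 16:15:13 7211 sysXrdHttp: Setting link name: /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert/CN=proxy/CN=proxy
170316 16:15:13 7211 fqan :/lsst/Role=NULL/Capability=NULL
170316 16:15:13 7211 Setting VO: lsst roles :/lsst/Role=NULL/Capability=NULL
170316 16:15:13 7211 XrootdBridge: login as /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert/CN=proxy/CN=proxy
170316 16:15:13 7211 ofs_stat: Unable to locate /lsst/testfile; permission denied
"""

# Trailing CN components added by proxy generation: legacy "proxy" /
# "limited proxy" and RFC 3820 proxies, whose CN is a decimal serial.
# Assumption: no end-entity certificate has an all-digit CN.
PROXY_CN = re.compile(r"/CN=(?:proxy|limited proxy|\d+)$")

def strip_proxy_cns(dn):
    """Reduce a proxy DN to the end-entity certificate DN."""
    while PROXY_CN.search(dn):
        dn = PROXY_CN.sub("", dn)
    return dn

def summarize(log):
    """Pull identity, VO, FQANs and the authorization outcome out of an excerpt."""
    info = {"identity": None, "vo": None, "fqans": [], "denied": False}
    for line in log.splitlines():
        m = re.search(r"(?:login as|adding cert:) (/.*)$", line)
        if m:
            info["identity"] = m.group(1).strip()
        m = re.search(r"(?:found VO|Setting VO): (\w+)", line)
        if m:
            info["vo"] = m.group(1)
        m = re.search(r"fqan\s*:?\s*'?(/[^'\s]+)", line)
        if m:
            info["fqans"].append(m.group(1))
        if "permission denied" in line:
            info["denied"] = True
    return info

def compare(gsi_log, http_log):
    """Do both paths agree on the VO and on the end-entity DN, and does the
    raw identity string (proxy CNs included) differ between them?"""
    g, h = summarize(gsi_log), summarize(http_log)
    return {
        "same_vo": g["vo"] == h["vo"] and g["fqans"] == h["fqans"],
        "raw_identity_differs": g["identity"] != h["identity"],
        "same_end_entity": strip_proxy_cns(g["identity"]) == strip_proxy_cns(h["identity"]),
        "http_denied": h["denied"],
    }
```

On the constructed excerpts the VO and FQAN agree and the end-entity DNs match, yet the raw login identities differ and the https request is denied, which is the pattern to check against whatever authorization database or mapfile the server consults.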