Hi Wei,

thanks for your detailed explanation. I think i got it working with the 
following config file.
It seems that the Authorization stuff has to go with the server role. I 
always assumed it would be the redirector who does the authorization.

But if face an error message when deleting files. For that i like to 
open up a new thread.
May it is an idea to place a working example in the docs.

Regards
Heiko


xrootd.cf:

xrd.timeout hail 30 idle 0 kill 3 read 5

all.export /xrootd

set xrdr=REDIRECTOR
set inventory=/var/log/xrootd/inventory
all.manager $(xrdr):3121

cms.allow host *.our.local.doamin

if $(xrdr) && named cns
       all.export $(inventory)
       xrd.port 1095
else if $(xrdr)
       all.role manager
       oss.defaults rw
       ofs.forward 3way $(xrdr):1095 closew create mkdir mv rm rmdir trunc
       xrd.port 1094
else
       all.role server
       ofs.notify closew create mkdir mv rm rmdir trunc | 
/usr/bin/XrdCnsd -d -D 2 -i 90 -b $(xrdr):1095:$(inventory)
       ofs.notifymsg create $TID create $FMODE $LFN?$CGI
       ofs.notifymsg closew $TID closew $LFN $FSIZE

       xrootd.seclib /usr/lib/libXrdSec.so
       sec.protocol /usr/lib unix
       acc.authdb /etc/xrootd/Authfile
       acc.authrefresh 60
       ofs.authorize
       cms.space min 100g 110g
fi




Am 11.04.2018 um 18:53 schrieb Yang, Wei:
> Hi Heiko,
>
>  From the authorization prospect (after Xrootd authenticates the users), Xrootd does not have the concept of file ownership. If you go to the data servers, you will see that all files will be owned the process running the xrootd process. Xrootd uses ACL rules (as specified in your AuthFile) to control who has want control.
>
> Now, in authentication, Xrootd depends on various authentication module to tell who the clients are. “unix” being one of these modules (the weakest one). There are many others like “sss”, kerberos, GSI, etc. With XrootdFS, it may run as a user (lets say user “abc”) that have access all access privileges to the Xrootd cluster. So when you do a “rm” via XrootdFS, Xrootd cluster see user “abc” deleting the file. This probably explain what you see. This behavior can be change if you use XrootdFS with the “sss” security module (and use a special type of “sss” key, see the xrootdfs man page).
>
> Your commnets on XrdCNSd is correct. That was one of the initial intends. This function (you mentioned) can _mostly_ be archived by using oss.space setup in the xrootd cluster configuration. There are pros and cons in either way. In my view XrdCNSd is better than using oss.space. XrdCNSd is also reliable. But it is an extra service that I don’t need.
>
> regards,
> --
> Wei Yang  |  [log in to unmask]  |  650-926-3338(O)
>
>
>
>
>
>
>
> On 4/6/18, 1:55 AM, "[log in to unmask] on behalf of Heiko Schröter" <[log in to unmask] on behalf of [log in to unmask]> wrote:
>
>> Am 06.04.2018 um 10:35 schrieb Yang, Wei:
>>> It is a bit surprise. Here is what I have:
>>>
>>> xrootd.seclib /usr/lib64/libXrdSec.so
>>>     sec.protocol /usr/lib64 unix
>>>     acc.authdb $(scriptspath)/auth_file
>>>     acc.authrefresh 300
>>>     ofs.authorize
>>>
>>>
>>> and with your AuthFile
>>>
>>> u * /xrootd lr
>>> u root /xrootd a
>>>
>>> Everyone (every remote user) should be able to read from /xrootd and only (remote) root can read-write. BTW, Xrootd use access control list. The above AuthFile reflect ACL rules.
>> Update: This seems works with the xrootd tools i.e.:
>>
>> schroete@pc1 # xrdfs REDIRECTOR chmod /xrootd/myTestDir/willi "rwxrwxrwx"
>> [ERROR] Server responded with an error: [3010] Unable to chmod
>> /xrootd/myTestDir/willi; permission denied
>>
>> But using the xrootd fuse mount i'am able to create/delete files in
>> /xrootd as everyone.
>>
>> /etc/fstab:
>> xrootdfs  /mnt/xrootd fuse
>> rdr=xroot://REDIRECTOR:1094//xrootd/,fsname=xrootdfs,max_write=131072,attr_timeout=10,entry_timeout=10,rw,noatime
>> 0  0
>>
>> cd /mnt/xrootd; echo "laura" > willi; rm willi --> no error
>>
>> Is this intended with the FUSE module ?
>>
>>
>>> The CNSd (composed name space, along with ofs.forward) is essentially a DB of what files are in an xrootd storage cluster.
>> As far as i understood the docs it might be used as an inventory in case
>> of a desaster loss of an raid system. So we would have at least an index
>> of the files. This is very good to have for us.
>>
>>
>>
>> Regards
>> Heiko
>>
>>> -----Original Message-----
>>> From: <[log in to unmask]> on behalf of Heiko Schröter <[log in to unmask]>
>>> Date: Friday, April 6, 2018 at 1:11 AM
>>> To: xrootd-l <[log in to unmask]>
>>> Subject: Re: read write permissions
>>>
>>>> Hello,
>>>>
>>>>>> --> sec.protocol /usr/lib/xrootd unix
>>>>> This is wrong. It should be something like:
>>>>>
>>>>> xrootd.seclib /usr/lib64/libXrdSec.so
>>>>>      sec.protocol /usr/lib64 unix
>>>> Tried it, but it does not change a thing. Any user has r/w access to the
>>>> file system.
>>>> So i it would be nice when there would be a pointer to some docs or such
>>>> how i can achieve the r/w permissions.
>>>> I don't get it how xrootd decides between access to the "storage pool",
>>>> or access permissions for a file/directory.
>>>>
>>>>> Also, I am curious, we used the following lines a long time ago but stopped using since. Are you sure you need them?
>>>>>>          ofs.notify closew create mkdir mv rm rmdir trunc |
>>>>>> /usr/bin/XrdCnsd -d -D 2 -i 90 -b $(xrdr):1095:$(inventory)
>>>>>>          ofs.notifymsg create $TID create $FMODE $LFN?$CGI
>>>>>>          ofs.notifymsg closew $TID closew $LFN $FSIZE
>>>> I got this from a tutorial for setting up an Inventory. The inventory
>>>> works. But i have to admit that i don't fully understand all the bits
>>>> and pieces in the docs.
>>>>
>>>> Heiko
>>>>
>>>> ########################################################################
>>>> Use REPLY-ALL to reply to list
>>>>
>>>> To unsubscribe from the XROOTD-L list, click the following link:
>>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>>> ########################################################################
>>> Use REPLY-ALL to reply to list
>>>
>>> To unsubscribe from the XROOTD-L list, click the following link:
>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>>>
>> -- 
>> -----------------------------------------------------------------------
>> Dipl.-Ing. Heiko Schröter
>> Institute of Environmental Physics (IUP)   phone: ++49-(0)421-218-62092
>> Institute of Remote Sensing (IFE)          fax:   ++49-(0)421-218-62070
>> University of Bremen (FB1)
>> P.O. Box 330440               email:  [log in to unmask]
>> Otto-Hahn-Allee 1
>> 28359 Bremen
>> Germany
>> -----------------------------------------------------------------------
>>
>> ########################################################################
>> Use REPLY-ALL to reply to list
>>
>> To unsubscribe from the XROOTD-L list, click the following link:
>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
> ########################################################################
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1


-- 
-----------------------------------------------------------------------
Dipl.-Ing. Heiko Schröter
Institute of Environmental Physics (IUP)   phone: ++49-(0)421-218-62092
Institute of Remote Sensing (IFE)          fax:   ++49-(0)421-218-62070
University of Bremen (FB1)
P.O. Box 330440               email:  [log in to unmask]
Otto-Hahn-Allee 1
28359 Bremen
Germany
-----------------------------------------------------------------------

########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1