Hi Andy,

I tried fiddling with the security config ... and I suspect I'm totally confused now :)

On 01/26/12 01:38, Andrew Hanushevsky wrote:
> Hi Matevz,
> 
> Your naive expectation was correct (though not particularly secure). You should
> be able to run the proxy w/o authentication for its clients and use
> authentication for the origin (assuming the origin has authentication enabled).

Yes, the origin/redirector is GSI only.

> The origin is typically a redirector and we recommend against enabling
> authentication for that unless you are forwarding requests.

Authentication for what? For proxy->origin, for client->proxy, or for client->origin?

> Based on the log, it seems that the security shared libraries that the proxy
> needed to use were not in the ld path for the proxy (common problem).

But why would it need the libs if it doesn't do any authentication?

The final result of my fiddling with configuration:
  http://uaf-2.t2.ucsd.edu/~matevz/tmp/proxy.cfg
where I limit access to my desktop only, results in this on startup (even without anybody connecting to the proxy):
  http://uaf-2.t2.ucsd.edu/~matevz/tmp/proxy.log
and the redirector simply says:
  120126 12:53:22 4028 XrootdXeq: xrootd.2781:[log in to unmask] disc 0:00:01

So, it seems, proxy wants to authenticate itself to the redirector ... and as redirector only allows GSI authentication, it fails. Is this correct?

My naive expectation from the first mail was that the proxy would never authenticate itself to the redirector ... but always just pass auth requests/responses between its client and the redirector.

So ... should I be running the proxy with a valid certificate? (Or some other authentication, like sss and have it enabled on the redirector for proxy hosts only.)

[ Strangely enough, when I connect to the proxy with a client I also get a line:
  120126 13:06:17 3126 secgsi_InitProxy: cannot access private key file: /home/xrootd/.globus/userkey.pem
in the log ... which wasn't there before. I didn't change LD_LIB_PATH, and I have /usr/local/lib64 in /etc/ld.so.conf.]

Matevz

> Andy
> 
> On Wed, 25 Jan 2012, Matevz Tadel wrote:
> 
>> Hi,
>>
>> How is security / authentication handled for simple proxy servers? I was,
>> somewhat naively it seems now, expecting that I can have a proxy without
>> authentication and let this be handled at the redirector where my proxy is
>> pointing (which uses GSI).
>>
>> Here's my config for proxy:
>> ofs.osslib   /usr/local/lib64/libXrdPss.so
>> all.export   /store
>> pss.origin   xrootd.t2.ucsd.edu:1094
>> pss.memcache debug 3 logstats pagesize 64k sfiles .root size 2g
>>
>> And output from a login attempt (with valid cert-proxy):
>> a) proxy
>> 120125 19:41:19 3567 XrootdXeq: matevz.3965:21@desire login
>> Cache: Attached 1/1 8000
>> root:[log in to unmask]:1094//store/data/Run2011B/DoubleMu/AOD/30Nov2011-v1/0000/A01348BE-9F1D-E111-88BB-003048FFCB84.root?oss.lcl=1
>>
>> XrdSec: No authentication protocols are available.
>> Cache: 0 att; rel 0 slots; 0 Faults; 8000 -ì
>> Cache: Stats: 0 Read; 0 Get; 0 Pass; 0 Write; 0 Put; 0 Hits; 0 Miss; 0 pead; 0
>> HitsPR; 0 MissPR; Path P
>> 120125 19:41:19 3567 ofs_open: matevz.3965:21@desire Unable to open
>> /store/data/Run2011B/DoubleMu/AOD/30Nov2011-v1/0000/A01348BE-9F1D-E111-88BB-003048FFCB84.root;
>> Permission denied
>> 120125 19:41:19 3567 XrootdXeq: matevz.3965:21@desire disc 0:00:00
>>
>> b) redirector
>> 120125 19:41:20 4028 XrootdXeq: 21.3567:[log in to unmask] disc 0:00:01
>>
>> So, all I see on the manager/redirector is a disconnect :)
>>
>> In any case, even if I configure authentication on the proxy, how will this
>> get propagated to the redirector? And anyway ... why would the redirector
>> trust my proxy?
>>
>> Best,
>> Matevz
>>
>> ########################################################################
>> Use REPLY-ALL to reply to list
>>
>> To unsubscribe from the XROOTD-DEV list, click the following link:
>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>>
> 

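An added example, not taken from this thread or from any XRootD documentation quoted here, of what "sss enabled on the redirector for proxy hosts only" could look like on the redirector side, using the sec.protocol and sec.protbind directives. The library directory, the proxy host name, the certificate paths and the keytab path are assumptions; the sss keytab would have to be created with xrdsssadmin and distributed to the proxy host separately.

```text
# Redirector-side security configuration (added example, not from the thread).
# Library directory, proxy host name, certificate and keytab paths are assumptions.
xrootd.seclib /usr/local/lib64/libXrdSec.so

# Load both protocols: GSI for ordinary clients, sss for trusted proxy hosts.
sec.protocol /usr/local/lib64 gsi -certdir:/etc/grid-security/certificates -cert:/etc/grid-security/xrd/xrdcert.pem -key:/etc/grid-security/xrd/xrdkey.pem
sec.protocol /usr/local/lib64 sss -s /etc/xrootd/sss.keytab

# Bind protocols per host: the proxy host is restricted to sss, everyone else to GSI.
sec.protbind proxy.t2.ucsd.edu only sss
sec.protbind * only gsi
```

Host patterns in sec.protbind are matched in the order given and the first match wins, so the specific proxy entry has to come before the catch-all. Restricting the proxy host to "only sss" (rather than offering both) keeps a compromised or misconfigured proxy from falling back to an unintended protocol, and clients connecting to the redirector directly are still held to GSI.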