URL:
  <http://savannah.cern.ch/support/?135141>

                 Summary: xrootd access via authz
                 Project: XROOTD
            Submitted by: boccali
            Submitted on: 2013-01-17 11:02
                Category: None
                Priority: 5 - Normal
                Severity: 4 - Important
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: GNU/Linux

    _______________________________________________________

Details:

Ciao, I am facing an issue with authorization, and I would like to have
experts' opinions.

I am setting up an xrootd server and I want only CMS users to be able to access
it.

I did (as instructed)

sec.protocol /usr/lib64 gsi  -d:2 -certdir:/etc/grid-security/certificates
-cert:/etc/grid-security/xrd/hostcert.pem
-key:/etc/grid-security/xrd/hostkey.pem -crl:3 -moninfo
-authzfun:libXrdSecgsiAuthzVO.so -authzfunparms:valido=cms -gmapopt:10
-gmapto:0

and partially it is ok: if I do 

voms-proxy-init -voms cms

I have the system working interactively (xrdcp is the test). What does not
work is when the access comes via GRID jobs (CE == CREAM). It seems a partial
proxy is delivered, and the end message is something like

130116 14:21:27 15703 secgsi_ExtractVOMS: No VOMS attributes in proxy chain
130116 14:21:27 15703 secgsi_Authenticate: VOMS: Entity.vorg:         <none>
130116 14:21:27 15703 secgsi_Authenticate: VOMS: Entity.grps:         <none>
130116 14:21:27 15703 secgsi_Authenticate: VOMS: Entity.role:         <none>
130116 14:21:27 15703 secgsi_Authenticate: VOMS: Entity.endorsements: <none>
130116 14:21:27 15703 cryptossl_X509ExportChain: Encountered CA in chain; breaking.  Subject: /DC=ch/DC=cern/CN=CERN Trusted Certification Authority
130116 14:21:27 15703 cryptossl_X509ExportChain: BIO data: 14901 bytes at 0x0x8d0e670
130116 14:21:27 15703 cryptossl_X509ExportChain: result of serialization: 14901 bytes
AuthzVO: Invalid cert; vo missing
130116 14:21:27 15703 secgsi_Authenticate: ERROR: the authorization plug-in
reported a failure for this handshake

Now, I am not sure whether
- CREAM is stripping the VOMS part of the certificate (why? never heard of
it)
- there is something xrootd/authz does not like

As a second test, I tried running xrdcp .... interactively with no proxy.
I am prompted for the cert password, and then it does not work, with the same
message, having created a proxy like

-bash-3.2$ voms-proxy-info  -all
subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=boccali/CN=447815/CN=Tommaso Boccali/CN=1486443782
issuer    : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=boccali/CN=447815/CN=Tommaso Boccali
identity  : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=boccali/CN=447815/CN=Tommaso Boccali
type      : GT3-style proxy
strength  : 512 bits
path      : /tmp/x509up_u1534
timeleft  : 11:59:58


So again without the VOMS part... so the problem seems to be consistently with
reduced proxies....

Any idea?

Some LONG logs:

/afs/cern.ch/user/b/boccali/public/cms088.log : access from a GRID job,
authentication fails
/afs/cern.ch/user/b/boccali/public/boccali.log : access interactively from a
full-fledged proxy - works

Thanks!

tommaso
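
Added example, not part of the report above and not xrootd or VOMS code: a standard-library Python inspector for a proxy PEM bundle (the file voms-proxy-info shows as `path`, e.g. /tmp/x509up_u1534, or $X509_USER_PROXY on a worker node). It checks the one thing libXrdSecgsiAuthzVO needs before `valido=cms` can ever match: that some certificate in the chain carries the VOMS attribute-certificate extension (OID 1.3.6.1.4.1.8005.100.100.5). It also flags the proxy flavour via the RFC 3820 proxyCertInfo OID (1.3.6.1.5.5.7.1.14) and the older Globus "GT3-style" OID (1.3.6.1.4.1.3536.1.222). A small DER walker collects the OIDs inside each certificate, so no X.509 library is needed. The two chains at the bottom are constructed samples that only exercise the walker; they are not real certificates and the helper names are mine.

```python
"""Inspect an X.509 proxy PEM bundle for VOMS attribute certificates.

Added example (not from the report or from xrootd). Mirrors the condition
behind "secgsi_ExtractVOMS: No VOMS attributes in proxy chain": no cert in
the chain carries the VOMS AC extension, so AuthzVO cannot find a VO.
"""
import base64
import re

VOMS_AC_OID = "1.3.6.1.4.1.8005.100.100.5"   # VOMS attribute-certificate extension
RFC3820_PROXY_OID = "1.3.6.1.5.5.7.1.14"     # proxyCertInfo, RFC 3820 proxies
GT3_PROXY_OID = "1.3.6.1.4.1.3536.1.222"     # pre-RFC Globus "GT3-style" proxyCertInfo

_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        return tag, pos, pos + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos:pos + n], "big")
    return tag, pos + n, pos + n + length


def _decode_oid(raw):
    """DER OID content bytes -> dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def oids_in_der(der):
    """Every OID inside the constructed elements of a DER blob.

    Primitive elements (OCTET STRING, BIT STRING, keys, signatures) are not
    descended into, so extension OIDs are picked up at the extension SEQUENCE.
    """
    found, stack = [], [(0, len(der))]
    while stack:
        pos, end = stack.pop()
        while pos < end:
            tag, vstart, vend = _read_tlv(der, pos)
            if tag == 0x06:
                found.append(_decode_oid(der[vstart:vend]))
            elif tag & 0x20:                      # constructed: descend
                stack.append((vstart, vend))
            pos = vend
    return found


def inspect_proxy_pem(pem_text):
    """Per certificate in the bundle: which marker OIDs it carries."""
    report = []
    for m in _PEM_CERT.finditer(pem_text):
        oids = set(oids_in_der(base64.b64decode("".join(m.group(1).split()))))
        report.append({"has_voms_ac": VOMS_AC_OID in oids,
                       "is_rfc3820_proxy": RFC3820_PROXY_OID in oids,
                       "is_gt3_proxy": GT3_PROXY_OID in oids})
    return report


def chain_has_voms(pem_text):
    """True when any cert in the chain carries VOMS attributes (AuthzVO precondition)."""
    return any(c["has_voms_ac"] for c in inspect_proxy_pem(pem_text))


# --- constructed samples below: DER encoder used only to fabricate test chains ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, out)


def _sample_cert_pem(extension_oids):
    """Cert-shaped stand-in: SEQUENCE{ SEQUENCE(tbs){ [3] SEQUENCE{ exts } }, BIT STRING }.
    Constructed sample, NOT a valid X.509 certificate; it only feeds the walker."""
    exts = b"".join(_der(0x30, _encode_oid(o) + _der(0x04, b"\x04\x00")) for o in extension_oids)
    cert = _der(0x30, _der(0x30, _der(0xA3, _der(0x30, exts))) + _der(0x03, b"\x00" + b"\xAB" * 64))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# A VOMS proxy (AC in the proxy cert) and a plain GT3 proxy like the one in the
# report, with no AC anywhere in the chain.  Both are constructed samples.
VOMS_PROXY_PEM = _sample_cert_pem([RFC3820_PROXY_OID, VOMS_AC_OID]) + _sample_cert_pem([])
PLAIN_GT3_PROXY_PEM = _sample_cert_pem([GT3_PROXY_OID]) + _sample_cert_pem([])

if __name__ == "__main__":
    for name, pem in (("voms proxy", VOMS_PROXY_PEM), ("plain GT3 proxy", PLAIN_GT3_PROXY_PEM)):
        verdict = "VO can be matched" if chain_has_voms(pem) else "AuthzVO would reject: vo missing"
        print(name, inspect_proxy_pem(pem), "->", verdict)
```

To use it on the failing case, copy the proxy the CREAM job actually ran with (the file named by $X509_USER_PROXY inside the job) and pass its text to `chain_has_voms`; if it returns False for the job's proxy but True for the interactive voms-proxy-init one, the "vo missing" rejection is the plug-in behaving as configured, and the question is who dropped the VOMS extension before delivery rather than anything on the xrootd side.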




    _______________________________________________________

Reply to this item at:

  <http://savannah.cern.ch/support/?135141>

_______________________________________________
  Message sent via/by LCG Savannah
  http://savannah.cern.ch/


To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1