URL: <http://savannah.cern.ch/support/?135141>

Summary: xrootd access via authz
Project: XROOTD
Submitted by: boccali
Submitted on: 2013-01-17 11:02
Category: None
Priority: 5 - Normal
Severity: 4 - Important
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: GNU/Linux

_______________________________________________________

Details:

Ciao,

I am facing an issue with authorization, and I would like to have experts' opinions.

I am setting up an xrootd server and I want only CMS users to be able to access it. I did (as instructed)

    sec.protocol /usr/lib64 gsi -d:2 -certdir:/etc/grid-security/certificates -cert:/etc/grid-security/xrd/hostcert.pem -key:/etc/grid-security/xrd/hostkey.pem -crl:3 -moninfo -authzfun:libXrdSecgsiAuthzVO.so -authzfunparms:valido=cms -gmapopt:10 -gmapto:0

and partially it is ok: if I do

    voms-proxy-init -voms cms

I have the system working interactively (xrdcp is the test).

What does not work is when the access comes via GRID jobs (CE == CREAM). It seems a partial proxy is delivered, and the end message is something like

    130116 14:21:27 15703 secgsi_ExtractVOMS: No VOMS attributes in proxy chain
    130116 14:21:27 15703 secgsi_Authenticate: VOMS: Entity.vorg: <none>
    130116 14:21:27 15703 secgsi_Authenticate: VOMS: Entity.grps: <none>
    130116 14:21:27 15703 secgsi_Authenticate: VOMS: Entity.role: <none>
    130116 14:21:27 15703 secgsi_Authenticate: VOMS: Entity.endorsements: <none>
    130116 14:21:27 15703 cryptossl_X509ExportChain: Encountered CA in chain; breaking.
    Subject: /DC=ch/DC=cern/CN=CERN Trusted Certification Authority
    130116 14:21:27 15703 cryptossl_X509ExportChain: BIO data: 14901 bytes at 0x0x8d0e670
    130116 14:21:27 15703 cryptossl_X509ExportChain: result of serialization: 14901 bytes
    AuthzVO: Invalid cert; vo missing
    130116 14:21:27 15703 secgsi_Authenticate: ERROR: the authorization plug-in reported a failure for this handshake

Now, I am not sure whether
- cream is stripping the voms part of the certificate (why? never heard of it)
- there is something xrootd/authz does not like

As a second test, I tried doing interactively xrdcp .... with no proxy. I am prompted for the cert password, and then it does not work with the same message, having created a proxy like

    -bash-3.2$ voms-proxy-info -all
    subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=boccali/CN=447815/CN=Tommaso Boccali/CN=1486443782
    issuer    : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=boccali/CN=447815/CN=Tommaso Boccali
    identity  : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=boccali/CN=447815/CN=Tommaso Boccali
    type      : GT3-style proxy
    strength  : 512 bits
    path      : /tmp/x509up_u1534
    timeleft  : 11:59:58

so again w/o the voms part... so the problem seems consistent with reduced proxies ....

Any idea?

Some LONG logs:
/afs/cern.ch/user/b/boccali/public/cms088.log : access from a GRID job, authentication fails
/afs/cern.ch/user/b/boccali/public/boccali.log : access interactively from a full fledged proxy - works

Thanks!

tommaso
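An added example, not part of the ticket or of the XRootD project, that triages secgsi debug output of the kind quoted above: it groups lines by server pid and flags handshakes that failed because the proxy chain carried no VOMS attributes, so an operator can tell a VO-less proxy from some other authz failure. The sample lines are constructed from the ticket plus an assumed healthy handshake (pid 15704, vorg "cms") whose exact wording is an assumption.

```python
"""Triage xrootd secgsi debug lines for 'no VOMS attributes' authz failures.

Line format, as seen in the ticket: 'YYMMDD HH:MM:SS <pid> <function>: <message>'.
Lines without that prefix (e.g. 'AuthzVO: Invalid cert; vo missing') are skipped.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d{6}) (\d{2}:\d{2}:\d{2}) (\d+) (\w+): (.*)$")

# Constructed sample: one failing handshake (pid 15703, from the ticket) and one
# assumed healthy handshake (pid 15704) whose Entity.vorg line names the VO.
SAMPLE_LOG = """\
130116 14:21:27 15703 secgsi_ExtractVOMS: No VOMS attributes in proxy chain
130116 14:21:27 15703 secgsi_Authenticate: VOMS: Entity.vorg: <none>
130116 14:21:27 15703 secgsi_Authenticate: VOMS: Entity.grps: <none>
AuthzVO: Invalid cert; vo missing
130116 14:21:27 15703 secgsi_Authenticate: ERROR: the authorization plug-in reported a failure for this handshake
130116 14:22:01 15704 secgsi_Authenticate: VOMS: Entity.vorg: cms
130116 14:22:01 15704 secgsi_Authenticate: VOMS: Entity.grps: /cms
"""


def parse(log_text):
    """Group (function, message) records by server pid, preserving order."""
    by_pid = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            _date, _time, pid, func, msg = m.groups()
            by_pid[pid].append((func, msg))
    return by_pid


def classify(records):
    """Return {'verdict': 'no-voms' | 'authz-failure' | 'ok', 'vo': str|None}."""
    vo = None
    for _func, msg in records:
        if msg.startswith("VOMS: Entity.vorg: "):
            value = msg[len("VOMS: Entity.vorg: "):].strip()
            vo = None if value == "<none>" else value
    no_voms = any(f == "secgsi_ExtractVOMS" and "No VOMS attributes" in m for f, m in records)
    failed = any(m.startswith("ERROR: the authorization plug-in") for _, m in records)
    if failed and (no_voms or vo is None):
        return {"verdict": "no-voms", "vo": vo}
    return {"verdict": "authz-failure" if failed else "ok", "vo": vo}


def triage(log_text):
    """Map each pid seen in the log to its classification."""
    return {pid: classify(recs) for pid, recs in parse(log_text).items()}


if __name__ == "__main__":
    for pid, result in triage(SAMPLE_LOG).items():
        print(pid, result["verdict"], result["vo"])
```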