    Hi Wei,

    Thanks for the feedback.

    About your question.
    The module fills the XrdSecEntity structure, which is then analysed by the authorization module.

    Another option is to specify the group (or groups) you want to authorize with the 'grps=grp1[,grp2,...]' configuration option: if the group is not found, authentication fails. This functionality was not correctly implemented in the binary you tested, but I have just fixed it, so you can try it now taking the latest version.

    Cheers, Gerri


On 2/6/13 8:53 AM, Yang, Wei wrote:
> Hi Gerri,
>
> It turns out that the .so I tried wasn't the latest. I just tried the latest one (slc5-gcc4.3) and it can extract the VO info correctly from various types of limited proxy used at ATLAS sites. I will try again with slc5-gcc4.1 and slc6 platforms. I have another question. With this module, how do I map a VO to a specific group (and then grant this group access in oss.authdb)?
>
> regards,
> Wei Yang  |  [log in to unmask]  |  650-926-3338(O)
>
>
>
>
> On Feb 5, 2013, at 1:21 AM, Gerardo Ganis wrote:
>
>>      Hi Wei,
>>
>>      It does not look like it is loading the right plug-in.
>>      Are there any related messages at xrootd startup?
>>      Could you post the full startup log?
>>
>>      You should get something like this at a certain point:
>>
>> 130205 10:20:13 4689 secgsiVOMS_VOMSInit: ++++++++++++++++++ VOMS plugi-in ++++++++++++++++++++++++++++++
>> 130205 10:20:13 4689 secgsiVOMS_VOMSInit: +++ proxy fmt:    raw
>> 130205 10:20:13 4689 secgsiVOMS_VOMSInit: +++ group option: last of all
>> 130205 10:20:13 4689 secgsiVOMS_VOMSInit: +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>> 130205 10:20:13 4689 secgsi_LoadVOMSFun: using 'XrdSecgsiVOMSFun()' from libXrdSecgsiVOMS.so
>> =====> sec.protocol gsi -cert:~/.globus/usercert.pem -key:~/.globus/userkey.pem -certdir:/afs/cern.ch/user/g/ganis/.globus/certificates -ca:2 -crl:3 -crldir:/afs/cern.ch/user/g/ganis/.globus/certificates
>> Config 2 authentication directives processed in xrd.voms.cf
>> ------ Authentication system initialization completed.
>>
>>     Gerri
>>
>>
>> On 2/4/13 8:15 PM, Yang, Wei wrote:
>>> [Adding David Smith since he may want to know this ...]
>>>
>>> Hi Gerri,
>>>
>>> I am having trouble getting it to work. On RHEL5-64, I compiled xrootd git head with gcc 4.3 and use the .so you compiled. Here is my config file:
>>>
>>> all.export /xrootd/atlas r/o
>>> all.role server
>>> xrootd.async off
>>> xrootd.seclib /afs/slac.stanford.edu/package/xrootd/githead/amd64_rhel50/src/libXrdSec.so
>>> sec.protparm gsi -vomsfun:/etc/xrootd/libXrdSecgsiVOMS.so.1 -vomsfunparms:grpopt=0|certfmt=raw|vos=atlas|dbg
>>> sec.protocol /afs/slac.stanford.edu/package/xrootd/githead/amd64_rhel50/src gsi -ca:1 -crl:3
>>> acc.authdb /etc/xrootd/auth_file
>>> acc.authrefresh 60
>>> ofs.authorize
>>>
>>> here is my proxy info (I tried a proxy created locally using VOMS 1.8.8 and a proxy created at CERN using VOMS 2.0.8).
>>>
>>> subject   : /DC=org/DC=doegrids/OU=People/CN=Wei Yang 74203/CN=proxy
>>> issuer    : /DC=org/DC=doegrids/OU=People/CN=Wei Yang 74203
>>> identity  : /DC=org/DC=doegrids/OU=People/CN=Wei Yang 74203
>>> type      : proxy
>>> strength  : 1024 bits
>>> path      : /tmp/x509up_u2353
>>> timeleft  : 11:58:22
>>> === VO atlas extension information ===
>>> VO        : atlas
>>> subject   : /DC=org/DC=doegrids/OU=People/CN=Wei Yang 74203
>>> issuer    : /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
>>> attribute : /atlas/Role=NULL/Capability=NULL
>>> attribute : /atlas/lcg1/Role=NULL/Capability=NULL
>>> attribute : /atlas/usatlas/Role=NULL/Capability=NULL
>>> attribute : nickname = yangw (atlas)
>>> timeleft  : 11:58:22
>>> uri       : lcg-voms.cern.ch:15001
>>>
>>> Here is the $X509_VOMS_DIR
>>>
>>> [yangw@atl-prod08 xrootd]$ ls -l $X509_VOMS_DIR
>>> total 68
>>> -rw-r--r-- 1 yangw sf   69 Feb 16  2010 README
>>> drwxr-xr-x 2 yangw sf 2048 Nov 25  2011 atlas/
>>> -rw-r--r-- 1 yangw sf 1440 Feb  2  2010 cert-voms-01.cnaf.infn.it.pem
>>> -rw-r--r-- 1 yangw sf 1440 Feb  2  2010 cert-voms-01.cnaf.infn.it.pem.1
>>> -rw-r--r-- 1 yangw sf 1424 Feb  2  2010 cert-voms-01.cnaf.infn.it.pem.2
>>> -rw-r--r-- 1 yangw sf 1436 Feb  2  2010 grid12.lal.in2p3.fr.pem
>>> -rw-r--r-- 1 yangw sf 5154 Feb  2  2010 mu4.matrix.sara.nl.pem
>>> -rw-r--r-- 1 yangw sf 1419 Feb  2  2010 voms-01.pd.infn.it.pem
>>> -rw-r--r-- 1 yangw sf 1419 Feb  2  2010 voms-01.pd.infn.it.pem.1
>>> -rw-r--r-- 1 yangw sf 1420 Feb  2  2010 voms-01.pd.infn.it.pem.2
>>> -rw-r--r-- 1 yangw sf 1419 Feb  2  2010 voms-02.pd.infn.it.pem
>>> -rw-r--r-- 1 yangw sf 1419 Feb  2  2010 voms-02.pd.infn.it.pem.1
>>> -rw-r--r-- 1 yangw sf 1420 Feb  2  2010 voms-02.pd.infn.it.pem.2
>>> -rw-r--r-- 1 yangw sf 1419 Feb  2  2010 voms.cnaf.infn.it.pem
>>> -rw-r--r-- 1 yangw sf 1419 Feb  2  2010 voms.cnaf.infn.it.pem.1
>>> -rw-r--r-- 1 yangw sf 1419 Feb  2  2010 voms.cnaf.infn.it.pem.2
>>> -rw-r--r-- 1 yangw sf 1399 Feb  2  2010 voms.cnaf.infn.it.pem.3
>>> -rw-r--r-- 1 yangw sf 1484 Feb  2  2010 voms.fnal.gov.pem
>>> -rw-r--r-- 1 yangw sf 1298 Feb  2  2010 voms.fnal.gov.pem.1
>>> -rw-r--r-- 1 yangw sf 1651 Feb  2  2010 voms.grid.sara.nl.pem
>>> -rw-r--r-- 1 yangw sf 5152 Feb  2  2010 voms.grid.sara.nl.pem.1
>>> -rw-r--r-- 1 yangw sf 1793 Feb  2  2010 voms.grid.sinica.edu.tw.pem
>>> -rw-r--r-- 1 yangw sf 1842 Feb  2  2010 voms.gridpp.ac.uk.pem
>>> -rw-r--r-- 1 yangw sf 1843 Feb  2  2010 voms.gridpp.ac.uk.pem.1
>>> -rw-r--r-- 1 yangw sf 2138 Feb  2  2010 voms.gridpp.ac.uk.pem.2
>>> -rw-r--r-- 1 yangw sf 1472 Feb  2  2010 voms.research-infrastructures.eu.pem
>>> -rw-r--r-- 1 yangw sf 1472 Feb  2  2010 voms.research-infrastructures.eu.pem.1
>>> -rw-r--r-- 1 yangw sf 1424 Feb  2  2010 voms2.cnaf.infn.it.pem
>>> -rw-r--r-- 1 yangw sf 1424 Feb  2  2010 voms2.cnaf.infn.it.pem.1
>>> -rw-r--r-- 1 yangw sf 1404 Feb  2  2010 voms2.cnaf.infn.it.pem.2
>>>
>>> And here is the log file:
>>>
>>> X509Chain::Dump://------------------Dumping X509 chain content ------------------//
>>> X509Chain::Dump://
>>> X509Chain::Dump:// Chain instance: 0x8eeb7d0
>>> X509Chain::Dump://
>>> X509Chain::Dump:// Number of certificates: 3
>>> X509Chain::Dump://
>>> X509Chain::Dump:// CA:  /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
>>> X509Chain::Dump:// EEC:  /DC=org/DC=doegrids/OU=People/CN=Wei Yang 74203
>>> X509Chain::Dump://
>>> X509Chain::Dump:// Issuer: d1b603c3.0 Subject: 1c3f2ca8.0 Type: CA
>>> X509Chain::Dump:// Issuer: 1c3f2ca8.0 Subject: 684536c7.0 Type: EEC
>>> X509Chain::Dump:// Issuer: 684536c7.0 Subject: f81adb11.0 Type: Proxy
>>> X509Chain::Dump://
>>> X509Chain::Dump://---------------------------- END ------------------------------//
>>> 130204 11:02:36 14262 crypto_X509::Dump: +++++++++++++++ X509 dump +++++++++++++++++++++++
>>> 130204 11:02:36 14262 crypto_X509::Dump: +
>>> 130204 11:02:36 14262 crypto_X509::Dump: + File:
>>> 130204 11:02:36 14262 crypto_X509::Dump: +
>>> 130204 11:02:36 14262 crypto_X509::Dump: + Type: Proxy
>>> 130204 11:02:36 14262 crypto_X509::Dump: + Serial Number: 283485584
>>> 130204 11:02:36 14262 crypto_X509::Dump: + Subject: /DC=org/DC=doegrids/OU=People/CN=Wei Yang 74203/CN=proxy
>>> 130204 11:02:36 14262 crypto_X509::Dump: + Subject hash: f81adb11.0
>>> 130204 11:02:36 14262 crypto_X509::Dump: + Issuer:  /DC=org/DC=doegrids/OU=People/CN=Wei Yang 74203
>>> 130204 11:02:36 14262 crypto_X509::Dump: + Issuer hash:  684536c7.0
>>> 130204 11:02:36 14262 crypto_X509::Dump: + Validity:
>>> 130204 11:02:36 14262 crypto_X509::Dump: + NotBefore:  1360032944 UTC - Mon Feb  4 18:55:44 2013
>>> 130204 11:02:36 14262 crypto_X509::Dump: + NotAfter:   1360076444 UTC - Tue Feb  5 07:00:44 2013
>>> 130204 11:02:36 14262 crypto_X509::Dump: +
>>> 130204 11:02:36 14262 crypto_X509::Dump: + PKI: Public
>>> 130204 11:02:36 14262 crypto_X509::Dump: +
>>> 130204 11:02:36 14262 crypto_X509::Dump: +++++++++++++++++++++++++++++++++++++++++++++++++
>>> 130204 11:02:36 14262 secgsi_VOMSFun: xrc: 1
>>> 130204 11:02:36 14262 secgsi_VOMSFun: NOT OK: Cannot discover holder from certificate chain!
>>> 130204 11:02:36 14262 secgsi_VOMSFun: WARNING: no VO found! (VOMS attributes: '')
>>> 130204 11:02:36 14262 XrootdXeq: yangw.27906:22@atlint01 login as 684536c7.0
>>> 130204 11:02:41 14262 XrootdXeq: yangw.27906:22@atlint01 disc 0:00:05
>>>
>>> I am not sure what the 4th line from the bottom means.
>>>
>>> regards,
>>> Wei Yang  |  [log in to unmask]  |  650-926-3338(O)
>>>
>>>
>>> On Feb 4, 2013, at 9:42 AM, Gerardo Ganis wrote:
>>>
>>>>     Hi,
>>>>
>>>>     This is the status of things:
>>>>
>>>>     The plug-in is available for test at 'https://github.com/gganis/voms.git' from where you can download
>>>>     the sources. Binaries for SLC5 (x86_64, gcc-4.1, gcc 4.3) and SLC6 (x86_64, gcc-4.6) are available under
>>>>
>>>>         /afs/cern.ch/work/g/ganis/public/vomsxrd/vomsxrd-0.0.1
>>>>
>>>>     (README and examples under /afs/cern.ch/work/g/ganis/public/vomsxrd).
>>>>
>>>>     With the following caveats:
>>>>
>>>>        1. The builds require VOMS 2.0.8 which, if I understand correctly, is not (yet?) available in OSG
>>>>        2. Unfortunately the backport of the vomsfun functionality was not complete in the 3.2.x stable branch,
>>>>            so to use the plug-in you have either to use the HEAD of the 'stable' branch or 3.3.x-rc1.
>>>>            RPMs for the stable branch are available from the Teamcity portal:
>>>>
>>>> https://teamcity-dss.cern.ch:8443/project.html?projectId=project13&tab=projectOverview
>>>>
>>>>     Can you please let me know if you can try this out or what you miss to be able to try?
>>>>
>>>>     Gerri
>>>>
>>>>
>>>>
>>>>
>>>> On 1/31/13 7:19 PM, Yang, Wei wrote:
>>>>> I haven't gotten it to work yet. I am communicating with the developer.
>>>>>
>>>>> regards,
>>>>> Wei Yang  |  [log in to unmask]  |  650-926-3338(O)
>>>>>
>>>>>
>>>>> On Jan 31, 2013, at 2:28 AM, Tommaso Boccali wrote:
>>>>>
>>>>>> Follow-up Comment #2, sr #135141 (project xrootd):
>>>>>>
>>>>>> ciao, news on that plugin?
>>>>>>
>>>>>> thanks
>>>>>>
>>>>>> tom
>>>>>>
>>>>>>     _______________________________________________________
>>>>>>
>>>>>> Reply to this item at:
>>>>>>
>>>>>>   <http://savannah.cern.ch/support/?135141>
>>>>>>
>>>>>> _______________________________________________
>>>>>>   Message sent via/by LCG Savannah
>>>>>>   http://savannah.cern.ch/
>>>>>>
>>>> -- 
>>>> +--------------------------------------------------------------------------+
>>>>    Gerardo GANIS    CERN, PH Dept, SFT group, CH 1211 Geneve 23
>>>>                     room: 32-RC-006, tel: +41 22 7676439
>>>>                     email: [log in to unmask], fax: +41 22 7669133
>>>> +--------------------------------------------------------------------------+
>>>>
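
A check for the failure mode visible in the session log quoted in this thread, where `secgsi_VOMSFun` reports that no VO was found and `XrootdXeq` still records a login. This is an added example, not code from the thread or from the plug-in; it assumes the line layout seen in the quoted logs and ties lines together by the numeric field after the timestamp, and `audit_voms_log`, `STARTUP` and `SESSION` are names made up here.

```python
import re

# Line layout seen in the logs quoted in this thread (an assumption about
# xrootd logs in general): YYMMDD HH:MM:SS <id> <component>: <message>
LINE = re.compile(r"^(\d{6} \d\d:\d\d:\d\d) (\d+) ([\w:]+): ?(.*)$")
LOGIN = re.compile(r"^(\S+) login as (\S+)$")

def audit_voms_log(lines):
    """Return (plugin_loaded, findings) for an iterable of log lines."""
    plugin_loaded = False
    pending = {}   # id field -> VOMS errors not yet tied to a login
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue   # X509Chain::Dump and config echo lines have no timestamp
        stamp, ident, component, msg = m.groups()
        if component == "secgsi_LoadVOMSFun" and "XrdSecgsiVOMSFun" in msg:
            plugin_loaded = True   # startup line naming the loaded function
        elif component == "secgsi_VOMSFun" and msg.startswith(("NOT OK:", "WARNING:")):
            pending.setdefault(ident, []).append(msg)
        elif component == "XrootdXeq":
            login = LOGIN.match(msg)
            if login and ident in pending:
                # A session was opened although VO extraction had just failed.
                findings.append({"time": stamp, "client": login.group(1),
                                 "entity": login.group(2),
                                 "voms_errors": pending.pop(ident)})
    return plugin_loaded, findings

# Lines copied from the two logs quoted in the thread (wrapped lines rejoined).
STARTUP = ["130205 10:20:13 4689 secgsi_LoadVOMSFun: using 'XrdSecgsiVOMSFun()' from libXrdSecgsiVOMS.so"]
SESSION = [
    "130204 11:02:36 14262 secgsi_VOMSFun: xrc: 1",
    "130204 11:02:36 14262 secgsi_VOMSFun: NOT OK: Cannot discover holder from certificate chain!",
    "130204 11:02:36 14262 secgsi_VOMSFun: WARNING: no VO found! (VOMS attributes: '')",
    "130204 11:02:36 14262 XrootdXeq: yangw.27906:22@atlint01 login as 684536c7.0",
    "130204 11:02:41 14262 XrootdXeq: yangw.27906:22@atlint01 disc 0:00:05",
]

if __name__ == "__main__":
    loaded, findings = audit_voms_log(STARTUP + SESSION)
    print("VOMS function loaded:", loaded)
    for f in findings:
        print(f["time"], f["client"], "logged in as", f["entity"], "after", f["voms_errors"])
```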

########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1