Hi Fabrizio,

On 10/17/2014 07:00 AM, Fabrizio Furano wrote:
> Hi Patrick,
>
>> Is it true that the sec gsi module would not have any effect on the
>> authentication of the http calls?
>
>   I don't understand this question. Could you please be more specific ?
>


Tied to the problem below.  Without libXrdHttpVOMS, proxy certs aren't understood 
by the https code.  The intention of the question was to verify that configuring 
the gsi security module in xrootd would have no effect on the https authentication.



>>
>> After configuring a basic test system, my first attempt at access using
>> a command line client failed and the xrootd log showed:
>> -Error with certificate at depth: 0
>>    issuer   = /DC=com/DC=DigiCert-Grid/O=Open Science
>> Grid/OU=People/CN=Patrick McGuigan 55
>>    subject  = /DC=com/DC=DigiCert-Grid/O=Open Science
>> Grid/OU=People/CN=Patrick McGuigan 55/CN=proxy
>>    err 20:unable to get local issuer certificate
>>
>>
>> I am guessing that the HTTP interface does not understand grid proxy
>> certificates yet.  Will this be added?
>
>   It already supports grid proxy certs, you have to use the VOMS extractor lib.
>   It could also be that your capath was not configured properly,
> or that that directory misses the needed CA certificate.
>

The same cert works through a browser and the certs/ca/crl infrastructure works 
fine for other grid services.  I would be interested in testing with the VOMS 
library, can you give me a pointer to where I can get a precompiled version?
I am running with xrootd4-4.0.3-1.slc6.x86_64.

Is there any documentation on any options/parameters to the module?


Do you know if there is any functionality to limit particular HTTP methods (DEL, 
MKCOL, COPY, MOVE) to particular VOMS attributes?



>>  I see that the documentation for
>> v4.1 is showing support for grid mapfiles.  Does this imply proxies will
>> be supported in that version?
>>
>
>   Proxy support is already there. You can play with it in our test
> server: littlexrdhttp.cern.ch:1094
>
> ---------------- here's an example with my ATLAS proxy
> $ davix-get -k -E /tmp/x509up_u28317 https://littlexrdhttp.cern.ch:1094/
>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" ...
>
> ... blah blah HTML stuff, and then the relevant part:
>
> <span id="requestby">Request by unnamed.73810:25@lxplus0027 (VO: atlas Role:
> /atlas/Role=NULL/Capability=NULL ) ( [::ffff:188.184.28.34]:41365 )</span></p>
> <p>Powered by XrdHTTP v20140918-cf01cb4 (CERN IT-SDC)</p>
> ----------------
>
>
>   Name translation has been added later, and it's independent from proxy support.
>
>   The grid mapfile feature is still not yet in the main codebase AFAIK,
> I'm waiting as well for it to be kindly inserted. Time passes.
>
>> Will the libXrdHttpVOMS.so security extractor remain an independent
>> software release, or will this be merged into the Xrootd release?
>>
>
>   Officially it will be put into the WLCG repo when there is an EPEL release of
> xrootd4.
>   For having rpm pkgs that work with the current trunk releases,
> just let me know, you can get them from the DPM trunk repo.
>
> Cheers
> Fabrizio
>
>> Regards,
>>
>> Patrick
>>
>> ########################################################################
>> Use REPLY-ALL to reply to list
>>
>> To unsubscribe from the XROOTD-L list, click the following link:
>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
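
As an added example (not part of the original message and not XRootD code), the following parses log entries in the format quoted above and reports whether the failing certificate is a proxy, which separates the two explanations discussed in the thread (proxy handling versus a missing CA certificate). The DNs are constructed placeholders, and the proxy test (issuer DN plus one final CN of `proxy`, `limited proxy` or a number) is a heuristic assumption.

```python
import re

# Constructed sample in the format of the log excerpt quoted above (placeholder DNs).
SAMPLE_LOG = """\
-Error with certificate at depth: 0
   issuer   = /DC=org/DC=example/OU=People/CN=Jane Doe 1
   subject  = /DC=org/DC=example/OU=People/CN=Jane Doe 1/CN=proxy
   err 20:unable to get local issuer certificate
-Error with certificate at depth: 1
   issuer   = /DC=org/DC=example/CN=Example Grid CA
   subject  = /DC=org/DC=example/OU=People/CN=John Roe 2
   err 20:unable to get local issuer certificate
"""

ENTRY = re.compile(
    r"Error with certificate at depth:\s*(?P<depth>\d+)\s+"
    r"issuer\s*=\s*(?P<issuer>.+?)\s+"
    r"subject\s*=\s*(?P<subject>.+?)\s+"
    r"err\s+(?P<code>\d+):(?P<msg>[^\n]*)",
    re.S,
)

def is_proxy(issuer, subject):
    """Heuristic (assumption): proxy subject = issuer DN + one proxy-style CN."""
    prefix = issuer + "/CN="
    if not subject.startswith(prefix):
        return False
    last_cn = subject[len(prefix):]
    if "/" in last_cn:
        return False
    return last_cn in ("proxy", "limited proxy") or last_cn.isdigit()

def triage(log_text):
    """Return one finding per logged verification error."""
    findings = []
    for m in ENTRY.finditer(log_text):
        # Collapse whitespace so DNs wrapped across lines compare correctly.
        issuer = " ".join(m["issuer"].split())
        subject = " ".join(m["subject"].split())
        proxy = is_proxy(issuer, subject)
        hint = ("proxy certificate: its issuer is the user's certificate, "
                "so the verifier needs proxy support" if proxy else
                "not a proxy: check that the issuer's CA certificate is in the CA directory")
        findings.append({"depth": int(m["depth"]), "code": int(m["code"]),
                         "subject": subject, "proxy": proxy, "hint": hint})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["depth"], f["code"], f["subject"], "->", f["hint"])
```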
