 |
 |
I am using xrootd 4.6.1 with xrdhttpvoms 0.2.4 from EPEL on a CentOS 7 system. While normal VOMS authentication via xRootD protocol works fine, it does not work for HTTPS / WebDAV. Here some details from a verbose log: ``` 170818 15:52:44 18556 ?:25@atlas-get4 sysXrdHttp: Entering SSL_accept... 170818 15:52:44 18556 ?:25@atlas-get4 sysXrdHttp: SSL_accept returned :1 170818 15:52:44 18556 ?:25@atlas-get4 sysXrdHttp: SSL_get_verify_result returned :0 170818 15:52:44 18556 ?:25@atlas-get4 sysXrdHttp: Extracting auth info. 170818 15:52:44 18556 ?:25@atlas-get4 sysXrdHttp: SSL_get_peer_certificate returned :0x7f50a4014300 170818 15:52:44 18556 ?:25@atlas-get4 sysXrdHttp: Setting link name: 'eyermuth' 170818 15:52:44 18556 eyermuth.0:25@atlas-get4 SSL_get_peer_certificate returned :0x7f50a4014300 170818 15:52:44 18556 eyermuth.0:25@atlas-get4 SSL_get_verify_result returned :0 170818 15:52:44 18556 eyermuth.0:25@atlas-get4 SSL_get_peer_cert_chain :0x7f50a4013b30 170818 15:52:44 18556 eyermuth.0:25@atlas-get4 fqan :/atlas/Role=NULL/Capability=NULL 170818 15:52:44 18556 eyermuth.0:25@atlas-get4 fqan :/atlas/de/Role=NULL/Capability=NULL 170818 15:52:44 18556 eyermuth.0:25@atlas-get4 Setting VO: atlas roles :/atlas/Role=NULL/Capability=NULL 170818 15:52:44 18556 sysXrdHttp: getDataOneShot BuffAvailable: 1048576 maxread: 1048576 170818 15:52:44 18556 sysXrdHttp: getDataOneShot sslavail: 1048576 170818 15:52:44 18556 sysXrdHttp: read 225 of 1048576 bytes 170818 15:52:44 18556 sysXrdHttp: rc:59 got hdr line: PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk/ HTTP/1.1 170818 15:52:44 18556 sysXrdHttp: rc:40 got hdr line: User-Agent: libdavix/0.6.4 neon/0.0.29 170818 15:52:44 18556 sysXrdHttp: rc:14 got hdr line: Keep-Alive: 170818 15:52:44 18556 sysXrdHttp: rc:24 got hdr line: Connection: Keep-Alive 170818 15:52:44 18556 sysXrdHttp: rc:14 got hdr line: TE: trailers 170818 15:52:44 18556 sysXrdHttp: rc:41 got hdr line: Host: xrootd001.physik.uni-bonn.de:1094 170818 15:52:44 18556 sysXrdHttp: rc:10 got hdr line: Depth: 1 170818 15:52:44 18556 sysXrdHttp: rc:21 got hdr line: Content-Length: 303 170818 15:52:44 18556 sysXrdHttp: rc:2 got hdr line: 170818 15:52:44 18556 sysXrdHttp: rc:2 detected header end. 170818 15:52:44 18556 XrootdBridge: Oliver F.1:25@atlas-get4 login as Oliver Freyermuth 170818 15:52:44 18556 Oliver F.1:25@atlas-get4 sysXrdHttp: Process. lp:0x7f50a4000ca8 reqstate: 0 170818 15:52:44 18556 sysXrdHttp: Reading request body 303 bytes. 170818 15:52:44 18556 sysXrdHttp: BuffgetData: need to read 303 bytes 170818 15:52:44 18556 sysXrdHttp: getDataOneShot BuffAvailable: 1048576 maxread: 303 170818 15:52:44 18556 sysXrdHttp: getDataOneShot sslavail: 303 170818 15:52:44 18556 sysXrdHttp: read 303 of 303 bytes 170818 15:52:44 18556 Oliver F.1:25@atlas-get4 sysXrdHttp: Process is exiting rc:0 170818 15:52:44 18556 ofs_stat: Oliver F.1:25@atlas-get4 Unable to locate /beegfs/grid/atlas/atlaslocalgroupdisk/; permission denied 170818 15:52:44 18556 sysXrdHttp: XrdHttpReq::Error 170818 15:52:44 18556 Oliver F.1:25@atlas-get4 sysXrdHttp: PostProcessHTTPReq req: 8 reqstate: 0 170818 15:52:44 18556 Oliver F.1:25@atlas-get4 sysXrdHttp: Sending resp: 404 len:75 170818 15:52:44 18556 sysXrdHttp: Sending 46 bytes 170818 15:52:44 18556 sysXrdHttp: Sending 75 bytes 170818 15:52:44 18556 sysXrdHttp: XrdHttpReq request ended. 170818 15:52:44 18556 sysXrdHttp: Cleanup 170818 15:52:44 18556 sysXrdHttp: SSL_shutdown failed 170818 15:52:44 18556 sysXrdHttp: Reset 170818 15:52:44 18556 sysXrdHttp: XrdHttpReq request ended. 170818 15:52:44 18556 XrootdXeq: Oliver F.1:25@atlas-get4 disc 0:00:00 (send failure) ``` From that I deduce, that extraction works fine, since: ``` 170818 15:52:44 18556 eyermuth.0:25@atlas-get4 Setting VO: atlas roles :/atlas/Role=NULL/Capability=NULL ``` However, in the end I see a 404 on the client, and as you can see above, a permission denied on the server. The auth_file contains: ``` g /atlas /beegfs/grid/atlas/atlaslocalgroupdisk ``` Changing that to: ``` u * /beegfs/grid/atlas/atlaslocalgroupdisk ``` let's things work fine, but of course I do not want that. The authentication rule works perfectly fine via the xrootd protocol. My configuration is: ``` acc.authdb /etc/xrootd/auth_file-grid acc.authrefresh 60 all.export /beegfs/grid/atlas/atlaslocalgroupdisk r/w all.role server all.sitename XXX cms.allow localhost desthttps yes http.cadir /etc/grid-security/certificates http.cert /etc/grid-security/hostcert.pem http.key /etc/grid-security/hostkey.pem http.secxtractor /usr/lib64/libXrdHttpVOMS.so http.selfhttps2http no http.trace all http.secretkey someverylongthingiwillnotincludehereasyoumayguess http.embeddedstatic yes if exec xrootd xrd.protocol XrdHttp /usr/lib64/libXrdHttp.so fi ofs.authorize sec.protocol /usr/lib64 gsi -ca:1 -crl:3 -gridmap:/dev/null -cert:/etc/grid-security/hostcert.pem -key:/etc/grid-security/hostkey.pem -certdir:/etc/grid-security/certificates sec.protparm gsi -vomsfun:/usr/lib64/libXrdSecgsiVOMS.so -vomsfunparms:certfmt=raw|vos=atlas,ops|grps=/atlas,/ops xrd.port 1094 xrootd.seclib /usr/lib64/libXrdSec.so ``` Any ideas? Also, where's the source code of xrdhttpvoms available? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/566 ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1