I am using xrootd 4.6.1 with xrdhttpvoms 0.2.4 from EPEL on a CentOS 7 system.

While normal VOMS authentication via xRootD protocol works fine, it does not work for HTTPS / WebDAV.

Here are some details from a verbose log:

170818 15:52:44 18556 ?:25@atlas-get4 sysXrdHttp:  Entering SSL_accept...
170818 15:52:44 18556 ?:25@atlas-get4 sysXrdHttp:  SSL_accept returned :1
170818 15:52:44 18556 ?:25@atlas-get4 sysXrdHttp:  SSL_get_verify_result returned :0
170818 15:52:44 18556 ?:25@atlas-get4 sysXrdHttp:  Extracting auth info.
170818 15:52:44 18556 ?:25@atlas-get4 sysXrdHttp:  SSL_get_peer_certificate returned :0x7f50a4014300
170818 15:52:44 18556 ?:25@atlas-get4 sysXrdHttp:  Setting link name: 'eyermuth'
170818 15:52:44 18556 eyermuth.0:25@atlas-get4  SSL_get_peer_certificate returned :0x7f50a4014300
170818 15:52:44 18556 eyermuth.0:25@atlas-get4  SSL_get_verify_result returned :0
170818 15:52:44 18556 eyermuth.0:25@atlas-get4  SSL_get_peer_cert_chain :0x7f50a4013b30
170818 15:52:44 18556 eyermuth.0:25@atlas-get4  fqan :/atlas/Role=NULL/Capability=NULL
170818 15:52:44 18556 eyermuth.0:25@atlas-get4  fqan :/atlas/de/Role=NULL/Capability=NULL
170818 15:52:44 18556 eyermuth.0:25@atlas-get4  Setting VO: atlas roles :/atlas/Role=NULL/Capability=NULL
170818 15:52:44 18556 sysXrdHttp: getDataOneShot BuffAvailable: 1048576 maxread: 1048576
170818 15:52:44 18556 sysXrdHttp: getDataOneShot sslavail: 1048576
170818 15:52:44 18556 sysXrdHttp: read 225 of 1048576 bytes
170818 15:52:44 18556 sysXrdHttp:  rc:59 got hdr line: PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk/ HTTP/1.1

170818 15:52:44 18556 sysXrdHttp:  rc:40 got hdr line: User-Agent: libdavix/0.6.4 neon/0.0.29

170818 15:52:44 18556 sysXrdHttp:  rc:14 got hdr line: Keep-Alive: 

170818 15:52:44 18556 sysXrdHttp:  rc:24 got hdr line: Connection: Keep-Alive

170818 15:52:44 18556 sysXrdHttp:  rc:14 got hdr line: TE: trailers

170818 15:52:44 18556 sysXrdHttp:  rc:41 got hdr line: Host: xrootd001.physik.uni-bonn.de:1094

170818 15:52:44 18556 sysXrdHttp:  rc:10 got hdr line: Depth: 1

170818 15:52:44 18556 sysXrdHttp:  rc:21 got hdr line: Content-Length: 303

170818 15:52:44 18556 sysXrdHttp:  rc:2 got hdr line: 

170818 15:52:44 18556 sysXrdHttp:  rc:2 detected header end.
170818 15:52:44 18556 XrootdBridge: Oliver F.1:25@atlas-get4 login as Oliver Freyermuth
170818 15:52:44 18556 Oliver F.1:25@atlas-get4 sysXrdHttp:  Process. lp:0x7f50a4000ca8 reqstate: 0
170818 15:52:44 18556 sysXrdHttp: Reading request body 303 bytes.
170818 15:52:44 18556 sysXrdHttp: BuffgetData: need to read 303 bytes
170818 15:52:44 18556 sysXrdHttp: getDataOneShot BuffAvailable: 1048576 maxread: 303
170818 15:52:44 18556 sysXrdHttp: getDataOneShot sslavail: 303
170818 15:52:44 18556 sysXrdHttp: read 303 of 303 bytes
170818 15:52:44 18556 Oliver F.1:25@atlas-get4 sysXrdHttp: Process is exiting rc:0
170818 15:52:44 18556 ofs_stat: Oliver F.1:25@atlas-get4 Unable to locate /beegfs/grid/atlas/atlaslocalgroupdisk/; permission denied
170818 15:52:44 18556 sysXrdHttp:  XrdHttpReq::Error
170818 15:52:44 18556 Oliver F.1:25@atlas-get4 sysXrdHttp: PostProcessHTTPReq req: 8 reqstate: 0
170818 15:52:44 18556 Oliver F.1:25@atlas-get4 sysXrdHttp: Sending resp: 404 len:75
170818 15:52:44 18556 sysXrdHttp: Sending 46 bytes
170818 15:52:44 18556 sysXrdHttp: Sending 75 bytes
170818 15:52:44 18556 sysXrdHttp:  XrdHttpReq request ended.
170818 15:52:44 18556 sysXrdHttp:  Cleanup
170818 15:52:44 18556 sysXrdHttp:  SSL_shutdown failed
170818 15:52:44 18556 sysXrdHttp:  Reset
170818 15:52:44 18556 sysXrdHttp:  XrdHttpReq request ended.
170818 15:52:44 18556 XrootdXeq: Oliver F.1:25@atlas-get4 disc 0:00:00 (send failure)

From that I deduce that extraction works fine, since:

170818 15:52:44 18556 eyermuth.0:25@atlas-get4  Setting VO: atlas roles :/atlas/Role=NULL/Capability=NULL

However, in the end I see a 404 on the client, and as you can see above, a permission denied on the server.
The auth_file contains:

g /atlas /beegfs/grid/atlas/atlaslocalgroupdisk

Changing that to:

u * /beegfs/grid/atlas/atlaslocalgroupdisk

lets things work fine, but of course I do not want that.

The authentication rule works perfectly fine via the xrootd protocol.

My configuration is:

acc.authdb /etc/xrootd/auth_file-grid
acc.authrefresh 60
all.export /beegfs/grid/atlas/atlaslocalgroupdisk r/w
all.role server
all.sitename XXX
cms.allow localhost
desthttps yes
http.cadir /etc/grid-security/certificates
http.cert /etc/grid-security/hostcert.pem
http.key /etc/grid-security/hostkey.pem
http.secxtractor /usr/lib64/libXrdHttpVOMS.so
http.selfhttps2http no
http.trace all
http.secretkey someverylongthingiwillnotincludehereasyoumayguess
http.embeddedstatic yes
if exec xrootd
xrd.protocol XrdHttp /usr/lib64/libXrdHttp.so
fi
ofs.authorize
sec.protocol /usr/lib64 gsi -ca:1 -crl:3 -gridmap:/dev/null -cert:/etc/grid-security/hostcert.pem -key:/etc/grid-security/hostkey.pem -certdir:/etc/grid-security/certificates
sec.protparm gsi -vomsfun:/usr/lib64/libXrdSecgsiVOMS.so -vomsfunparms:certfmt=raw|vos=atlas,ops|grps=/atlas,/ops
xrd.port 1094
xrootd.seclib /usr/lib64/libXrdSec.so

Any ideas?

Also, where's the source code of xrdhttpvoms available?
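
A log-correlation helper for the symptom described above, added here as an example; it is not part of the original post or of XRootD. It groups log lines by the third field (18556 above) and, for every `permission denied`, reports the VO and FQANs the extractor logged earlier in the same TLS session. The function names, the regexes and the second sample session are assumptions built from the log format shown in the post.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the log in the post, plus a constructed
# second session (thread 18557, no VOMS attributes) to show the contrast.
SAMPLE_LOG = """\
170818 15:52:44 18556 ?:25@atlas-get4 sysXrdHttp:  Entering SSL_accept...
170818 15:52:44 18556 eyermuth.0:25@atlas-get4  fqan :/atlas/Role=NULL/Capability=NULL
170818 15:52:44 18556 eyermuth.0:25@atlas-get4  fqan :/atlas/de/Role=NULL/Capability=NULL
170818 15:52:44 18556 eyermuth.0:25@atlas-get4  Setting VO: atlas roles :/atlas/Role=NULL/Capability=NULL
170818 15:52:44 18556 XrootdBridge: Oliver F.1:25@atlas-get4 login as Oliver Freyermuth
170818 15:52:44 18556 ofs_stat: Oliver F.1:25@atlas-get4 Unable to locate /beegfs/grid/atlas/atlaslocalgroupdisk/; permission denied
170818 15:53:10 18557 ?:26@example-host sysXrdHttp:  Entering SSL_accept...
170818 15:53:10 18557 XrootdBridge: Jane D.2:26@example-host login as Jane Doe
170818 15:53:10 18557 ofs_stat: Jane D.2:26@example-host Unable to locate /beegfs/grid/atlas/atlaslocalgroupdisk/; permission denied
"""

LINE = re.compile(r"^\d{6} \d\d:\d\d:\d\d (\d+) (.*)$")   # date, time, thread id, message
FQAN = re.compile(r"fqan :(\S+)")
VO = re.compile(r"Setting VO: (\S+) roles :(\S+)")
LOGIN = re.compile(r"XrootdBridge: .* login as (.+)$")
DENY = re.compile(r"(ofs_\w+): .*Unable to \w+ (\S+); permission denied")

def new_session():
    return {"fqans": [], "vo": None, "login": None}

def correlate(log_text):
    """Return one record per denial, with the VOMS data logged earlier in that session."""
    sessions = defaultdict(new_session)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # blank lines between header lines, etc.
        tid, msg = m.group(1), m.group(2)
        if "Entering SSL_accept" in msg:  # new handshake: drop attributes of the old peer
            sessions[tid] = new_session()
            continue
        s = sessions[tid]
        if (f := FQAN.search(msg)):
            s["fqans"].append(f.group(1))
        elif (v := VO.search(msg)):
            s["vo"] = v.group(1)
        elif (l := LOGIN.search(msg)):
            s["login"] = l.group(1).strip()
        elif (d := DENY.search(msg)):
            findings.append({"thread": tid, "op": d.group(1), "path": d.group(2),
                             "login": s["login"], "vo": s["vo"], "fqans": list(s["fqans"])})
    return findings
```

A record with a non-empty `vo` is the case reported here: attributes were extracted during the handshake, yet the authorization step still denied the request.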

