
Yes. This issue is solved by leaving out the "ofs.forward" option.



On 17.04.2018 at 20:51, Yang, Wei wrote:
> Isn't this still the effect of ofs.forward ?
> 
> --
> Wei Yang  |  [log in to unmask]  |  650-926-3338
> 
> ________________________________________
> From: [log in to unmask] <[log in to unmask]> on behalf of Heiko Schröter <[log in to unmask]>
> Sent: Friday, April 13, 2018 9:40 AM
> To: xrootd-l
> Subject: sss.keytab authorization is ignored when removing files
> 
> Hello,
> 
> I want to set up a simple security structure with xrootd. Any "root" with
> a *valid* sss.keytab shall be able to have complete access to the xrootd
> filesystem, whereas any root without shall only be able read and list as
> everyone else. The basic security is working as expected.
> 
> But "removing" a file always works for any root from any client machine.
> There is no feedback on the command line or in the data server logs.
> During the remove the log files are accessed only on the redirector.
> When copying log access happens on the redirector and the data server.
> This is a test setup with one redirector and one data server.
> 
> xrootd Version 8.4.2 compiled from source on Lubuntu 16.04.
> 
> root@REDIRECTOR build # cmake ../  -DCMAKE_INSTALL_PREFIX=/usr
> -DCMAKE_BUILD_TYPE=release -DENABLE_KRB5=false -DENABLE_READLINE=true
> -- Could NOT find ceph (missing:  RADOS_INCLUDE_DIR RADOS_LIBS)
> [I] No git repository info found. Trying to interpret VERSION_INFO
> -- ----------------------------------------
> -- Installation path: /usr
> -- C Compiler:        /usr/bin/cc
> -- C++ Compiler:      /usr/bin/c++
> -- Build type:        release
> -- Plug-in version:   4
> --
> -- Readline support:  yes
> -- Fuse support:      yes
> -- Crypto support:    yes
> -- Kerberos5 support: disabled
> -- XrdCl:             yes
> -- Tests:             disabled
> -- HTTP support:      yes
> -- CEPH support:      disabled
> -- Python support:    yes
> -- ----------------------------------------
> -- Configuring done
> -- Generating done
> -- Build files have been written to: /root/xrootd-4.8.2/build
> 
> What do I miss?
> 
> Regards
> Heiko
> 
> 
> Authfile:
> u *    /xrootd lr
> u root /xrootd lwrnid
> 
> xrootd.cf:
> 
> xrd.timeout hail 30 idle 0 kill 3 read 5
> all.export /xrootd
> set xrdr=glogin1.iup.uni-bremen.de
> set inventory=/var/log/xrootd/inventory
> all.manager $(xrdr):3121
> cms.allow host *.iup.uni-bremen.de
> 
> if $(xrdr) && named cns
>         all.export $(inventory)
>         xrd.port 1095
> else if $(xrdr)
>         all.role manager
>         oss.defaults rw
>         xrd.port 1094
> else
>         all.role server
>         ofs.notify closew create mkdir mv rm rmdir trunc |
> /usr/bin/XrdCnsd -d -D 2 -i 90 -b $(xrdr):1095:$(inventory)
>         ofs.notifymsg create $TID create $FMODE $LFN?$CGI
>         ofs.notifymsg closew $TID closew $LFN $FSIZE
>         xrootd.seclib /usr/lib/libXrdSec.so
>         sec.protocol sss -s /etc/xrootd/sss.keytab
>         acc.authdb /etc/xrootd/Authfile
>         acc.authrefresh 60
>         ofs.authorize
>         cms.space min 100g 110g
> fi
> 
> 
> Debug logs from the redirector: Removing always works for any root
> account on any client machine:
> xrdfs REDIRECTOR rm /xrootd/myTestDir/index.html
> 
> 180413 08:57:31 17672 XrdSched: running main accept inq=0
> 180413 08:57:31 17760 XrdInet: Accepted connection from
> [log in to unmask]
> 180413 08:57:31 17760 XrdProtocol: matched protocol xrootd
> 180413 08:57:31 17760 ?:7@anyMachine XrdPoll: FD 7 attached to poller 0;
> num=1
> 180413 08:57:31 17760 ?:7@anyMachine XrootdProtocol: 0000 req=login dlen=97
> 180413 08:57:31 17760 root.16246:7@anyMachine XrootdResponse: 0000
> sending 16 data bytes
> 180413 08:57:31 17760 XrootdXeq: root.16246:7@anyMachine pvt IPv4 login
> 180413 08:57:31 17760 root.16246:7@anyMachine XrootdProtocol: 0100
> req=rm dlen=28
> 180413 08:57:31 17760 root.16246:7@anyMachine ofs_remove: f
> fn=/xrootd/myTestDir/index.html
> 180413 08:57:31 17760 root.16246:7@anyMachine XrootdProtocol: 0100 rc=0
> rm /xrootd/myTestDir/index.html
> 180413 08:57:31 17760 root.16246:7@anyMachine XrootdResponse: 0100
> sending OK
> 180413 08:57:31 17760 XrootdXeq: root.16246:7@anyMachine disc 0:00:00
> 180413 08:57:31 17760 root.16246:7@anyMachine XrdPoll: FD 7 detached
> from poller 0; num=0
> 
> 
> 
> Whereas Copying:
> XrdSecDEBUG=1 xrdcp index.html
> root://REDIRECTOR//xrootd/myTestDir/index.html
> 
> Without ~/.xrd/sss.keytab file copy is rejected:
> 
> 180413 08:59:48 17672 XrdInet: Accepted connection from
> [log in to unmask]
> 180413 08:59:48 17672 XrdProtocol: matched protocol xrootd
> 180413 08:59:48 17672 ?:19@anyMachine XrdPoll: FD 19 attached to poller
> 0; num=1
> 180413 08:59:48 17672 ?:19@anyMachine XrootdProtocol: 0000 req=login dlen=97
> 180413 08:59:48 17672 root.16275:19@anyMachine XrootdResponse: 0000
> sending 16 data bytes
> 180413 08:59:48 17672 XrootdXeq: root.16275:19@anyMachine pvt IPv4 login
> 180413 08:59:48 17673 XrdSched: running main accept inq=0
> 180413 08:59:48 17672 root.16275:19@anyMachine XrootdProtocol: 0100
> req=stat dlen=28
> 180413 08:59:48 17672 root.16275:19@anyMachine ofs_stat:
> fn=/xrootd/myTestDir/index.html
> 180413 08:59:49 17681 Receive REDIRECTOR 4 bytes on 4095
> 180413 08:59:49 17681 Decode REDIRECTOR delays root.16275:19@anyMachine
> 5 /xrootd/myTestDir/index.html
> 180413 08:59:49 17672 root.16275:19@anyMachine XrootdProtocol: 0100 rc=5
> stat /xrootd/myTestDir/index.html
> 180413 08:59:49 17672 root.16275:19@anyMachine XrootdProtocol: 0100
> stalling client for 5 sec
> 180413 08:59:49 17672 root.16275:19@anyMachine XrootdResponse: 0100
> sending 4 data bytes; status=4005
> 180413 08:59:54 17672 root.16275:19@anyMachine XrootdProtocol: 0100
> request timeout; read 0 of 24 bytes
> 180413 08:59:54 17672 XrdPoll: Poller 0 enabled root.16275:19@anyMachine
> 180413 08:59:54 17760 XrdSched: running root.16275:19@anyMachine inq=0
> 180413 08:59:54 17760 root.16275:19@anyMachine XrootdProtocol: 0100
> req=stat dlen=28
> 180413 08:59:54 17760 root.16275:19@anyMachine ofs_stat:
> fn=/xrootd/myTestDir/index.html
> 180413 08:59:54 17681 Receive REDIRECTOR 47 bytes on 5119
> 180413 08:59:54 17681 Decode REDIRECTOR gave root.16275:19@anyMachine
> err -2 'No servers are available to read the file.'
> /xrootd/myTestDir/index.html
> 180413 08:59:54 17760 root.16275:19@anyMachine XrootdProtocol: 0100
> rc=-1 stat /xrootd/myTestDir/index.html
> 180413 08:59:54 17760 root.16275:19@anyMachine XrootdResponse: 0100
> sending err 3011: No servers are available to read the file.
> 180413 08:59:54 17760 root.16275:19@anyMachine XrootdProtocol: 0100
> req=open dlen=43
> 180413 08:59:54 17760 root.16275:19@anyMachine XrootdProtocol: 0100 open
> unmat /xrootd/myTestDir/index.html?oss.asize=9805
> 180413 08:59:54 17760 root.16275:19@anyMachine ofs_open: 102-40644
> fn=/xrootd/myTestDir/index.html
> 180413 08:59:54 17681 Receive REDIRECTOR 19 bytes on 6143
> 180413 08:59:54 17681 Decode REDIRECTOR redirects
> root.16275:19@anyMachine to 192.168.16.122:1094 /xrootd/myTestDir/index.html
> 180413 08:59:54 17760 root.16275:19@anyMachine XrootdProtocol: 0100
> redirecting to 192.168.16.122:1094
> 180413 08:59:54 17760 root.16275:19@anyMachine XrootdResponse: 0100
> sending 18 data bytes; status=4004
> 180413 08:59:54 17760 root.16275:19@anyMachine ofs_close: use=0 fn=dummy
> 180413 08:59:54 17760 root.16275:19@anyMachine XrootdProtocol: 0100
> req=open dlen=64
> 180413 08:59:54 17760 root.16275:19@anyMachine XrootdProtocol: 0100 open
> unmat /xrootd/myTestDir/index.html?oss.asize=9805&tried=192.168.16.122
> 180413 08:59:54 17760 root.16275:19@anyMachine ofs_open: 102-40644
> fn=/xrootd/myTestDir/index.html
> 180413 08:59:54 17681 Receive REDIRECTOR 45 bytes on 7167
> 180413 08:59:54 17681 Decode REDIRECTOR gave root.16275:19@anyMachine
> err -2 'No servers have write access to the file'
> /xrootd/myTestDir/index.html
> 180413 08:59:54 17760 root.16275:19@anyMachine XrootdResponse: 0100
> sending err 3011: No servers have write access to the file
> 180413 08:59:54 17760 root.16275:19@anyMachine ofs_close: use=0 fn=dummy
> 180413 08:59:54 17760 XrootdXeq: root.16275:19@anyMachine disc 0:00:06
> 180413 08:59:54 17760 root.16275:19@anyMachine XrdPoll: FD 19 detached
> from poller 0; num=0
> 
> 
> With ~/.xrd/sss.keytab file copy is OK:
> 
> 180413 09:02:29 17760 XrdSched: running main accept inq=0
> 180413 09:02:29 17672 XrdInet: Accepted connection from
> [log in to unmask]
> 180413 09:02:29 17672 XrdProtocol: matched protocol xrootd
> 180413 09:02:29 17672 ?:19@anyMachine XrdPoll: FD 19 attached to poller
> 0; num=1
> 180413 09:02:29 17672 ?:19@anyMachine XrootdProtocol: 0000 req=login dlen=97
> 180413 09:02:29 17672 root.16357:19@anyMachine XrootdResponse: 0000
> sending 16 data bytes
> 180413 09:02:29 17672 XrootdXeq: root.16357:19@anyMachine pvt IPv4 login
> 180413 09:02:29 17672 root.16357:19@anyMachine XrootdProtocol: 0100
> req=stat dlen=28
> 180413 09:02:29 17672 root.16357:19@anyMachine ofs_stat:
> fn=/xrootd/myTestDir/index.html
> 180413 09:02:29 17681 Receive REDIRECTOR 4 bytes on 8191
> 180413 09:02:29 17681 Decode REDIRECTOR delays root.16357:19@anyMachine
> 5 /xrootd/myTestDir/index.html
> 180413 09:02:29 17672 root.16357:19@anyMachine XrootdProtocol: 0100 rc=5
> stat /xrootd/myTestDir/index.html
> 180413 09:02:29 17672 root.16357:19@anyMachine XrootdProtocol: 0100
> stalling client for 5 sec
> 180413 09:02:29 17672 root.16357:19@anyMachine XrootdResponse: 0100
> sending 4 data bytes; status=4005
> 180413 09:02:34 17672 root.16357:19@anyMachine XrootdProtocol: 0100
> req=stat dlen=28
> 180413 09:02:34 17672 root.16357:19@anyMachine ofs_stat:
> fn=/xrootd/myTestDir/index.html
> 180413 09:02:34 17681 Receive REDIRECTOR 47 bytes on 9215
> 180413 09:02:34 17681 Decode REDIRECTOR gave root.16357:19@anyMachine
> err -2 'No servers are available to read the file.'
> /xrootd/myTestDir/index.html
> 180413 09:02:34 17672 root.16357:19@anyMachine XrootdProtocol: 0100
> rc=-1 stat /xrootd/myTestDir/index.html
> 180413 09:02:34 17672 root.16357:19@anyMachine XrootdResponse: 0100
> sending err 3011: No servers are available to read the file.
> 180413 09:02:34 17672 root.16357:19@anyMachine XrootdProtocol: 0100
> req=open dlen=43
> 180413 09:02:34 17672 root.16357:19@anyMachine XrootdProtocol: 0100 open
> unmat /xrootd/myTestDir/index.html?oss.asize=9805
> 180413 09:02:34 17672 root.16357:19@anyMachine ofs_open: 102-40644
> fn=/xrootd/myTestDir/index.html
> 180413 09:02:34 17681 Receive REDIRECTOR 19 bytes on 10239
> 180413 09:02:34 17681 Decode REDIRECTOR redirects
> root.16357:19@anyMachine to 192.168.16.122:1094 /xrootd/myTestDir/index.html
> 180413 09:02:34 17672 root.16357:19@anyMachine XrootdProtocol: 0100
> redirecting to 192.168.16.122:1094
> 180413 09:02:34 17672 root.16357:19@anyMachine XrootdResponse: 0100
> sending 18 data bytes; status=4004
> 180413 09:02:34 17672 root.16357:19@anyMachine ofs_close: use=0 fn=dummy
> 180413 09:02:34 17672 XrootdXeq: root.16357:19@anyMachine disc 0:00:05
> 180413 09:02:34 17672 root.16357:19@anyMachine XrdPoll: FD 19 detached
> from poller 0; num=0
> 
> ########################################################################
> Use REPLY-ALL to reply to list
> 
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
> 

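The root cause discussed in this thread is a configuration-scoping problem: `sec.protocol`, `acc.authdb` and `ofs.authorize` live only in the `all.role server` branch of the quoted xrootd.cf, so any request the redirector executes itself (such as a forwarded `rm`) never passes through authorization. The following script is an added example, not part of the thread and not xrootd's own configuration parser. It re-implements only the subset of directive syntax the quoted file uses (`set name=value`, `$(name)` substitution, and `if <host> [&& named <instance>] / else if / else / fi`) so one can compute which directives are actually in force on a given host and flag hosts that run without the authorization directives. The trimmed config text and the hostname `dataserver1.iup.uni-bremen.de` are constructed for the example.

```python
"""Simplified evaluator for xrootd-style conditional configuration files.

Added example, not xrootd's own parser: it models only `set name=value`,
`$(name)` substitution and `if <host> [&& named <instance>] / else if /
else / fi`, enough to show on which hosts the authentication and
authorization directives of the quoted xrootd.cf are actually active.
"""
import fnmatch
import re

# Constructed copy of the quoted xrootd.cf, trimmed to the directives that
# matter for the authorization question.
SAMPLE_CONFIG = """\
all.export /xrootd
set xrdr=glogin1.iup.uni-bremen.de
all.manager $(xrdr):3121
if $(xrdr) && named cns
        xrd.port 1095
else if $(xrdr)
        all.role manager
        xrd.port 1094
else
        all.role server
        xrootd.seclib /usr/lib/libXrdSec.so
        sec.protocol sss -s /etc/xrootd/sss.keytab
        acc.authdb /etc/xrootd/Authfile
        ofs.authorize
fi
"""

# Directives that must all be in force for a request to be authenticated
# and checked against the Authfile on the host that executes it.
AUTH_DIRECTIVES = ("sec.protocol", "acc.authdb", "ofs.authorize")


def _condition_matches(cond, host, instance):
    """Evaluate `<hostpattern> [&& named <instance>]` for a host/instance pair."""
    parts = cond.split("&&")
    host_pat = parts[0].strip()
    if not fnmatch.fnmatch(host, host_pat):
        return False
    for extra in parts[1:]:
        tokens = extra.split()
        if len(tokens) == 2 and tokens[0] == "named":
            if tokens[1] != instance:
                return False
        else:
            raise ValueError(f"unsupported condition: {extra.strip()}")
    return True


def effective_directives(config_text, host, instance=None):
    """Return the directive lines in force on `host` (optionally instance `-n`)."""
    variables = {}
    active = []   # directives that apply to this host
    stack = []    # one [some_branch_taken, this_branch_active] entry per if-block

    def substitute(text):
        return re.sub(r"\$\((\w+)\)", lambda m: variables.get(m.group(1), ""), text)

    for raw in config_text.splitlines():
        line = substitute(raw.strip())
        if not line or line.startswith("#"):
            continue
        if line.startswith("if "):
            taken = _condition_matches(line[3:], host, instance)
            stack.append([taken, taken])
            continue
        if line.startswith("else if "):
            some_taken, _ = stack[-1]
            taken = (not some_taken) and _condition_matches(line[8:], host, instance)
            stack[-1] = [some_taken or taken, taken]
            continue
        if line == "else":
            some_taken, _ = stack[-1]
            stack[-1] = [True, not some_taken]
            continue
        if line == "fi":
            stack.pop()
            continue
        if not all(branch_active for _, branch_active in stack):
            continue  # inside a branch that does not apply to this host
        if line.startswith("set "):
            name, _, value = line[4:].partition("=")
            variables[name.strip()] = value.strip()
            continue
        active.append(line)
    return active


def has_authorization(config_text, host, instance=None):
    """True only if every directive in AUTH_DIRECTIVES is in force on `host`."""
    directives = effective_directives(config_text, host, instance)
    return all(any(d.startswith(p) for d in directives) for p in AUTH_DIRECTIVES)


if __name__ == "__main__":
    for host, inst in [("glogin1.iup.uni-bremen.de", None),
                       ("glogin1.iup.uni-bremen.de", "cns"),
                       ("dataserver1.iup.uni-bremen.de", None)]:
        print(f"{host} {inst or '-'}: authorization active ="
              f" {has_authorization(SAMPLE_CONFIG, host, inst)}")
```

Run against the trimmed config, the redirector host (both with and without the `cns` instance name) reports no authorization directives in force, while the data server reports all three; that is exactly why an operation executed on the redirector rather than forwarded to a data server bypasses the Authfile. The same check is a cheap pre-deployment review step for any xrootd config that splits roles with `if`/`else`.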