Isn't this still the effect of ofs.forward?

-- Wei Yang | [log in to unmask] | 650-926-3338

________________________________________
From: [log in to unmask] <[log in to unmask]> on behalf of Heiko Schröter <[log in to unmask]>
Sent: Friday, April 13, 2018 9:40 AM
To: xrootd-l
Subject: sss.keytab authorization is ignored when removing files

Hello,

I want to set up a simple security structure with xrootd. Any "root" with a *valid* sss.keytab shall be able to have complete access to the xrootd filesystem, whereas any root without shall only be able to read and list as everyone else.

The basic security is working as expected. But "removing" a file always works for any root from any client machine. There is no feedback on the command line or in the data server logs. During the remove the log files are accessed only on the redirector. When copying, log access happens on the redirector and the data server.

This is a test setup with one redirector and one data server.

xrootd Version 8.4.2 compiled from source on Lubuntu 16.04.

root@REDIRECTOR build # cmake ../ -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=release -DENABLE_KRB5=false -DENABLE_READLINE=true
-- Could NOT find ceph (missing: RADOS_INCLUDE_DIR RADOS_LIBS)
[I] No git repository info found. Trying to interpret VERSION_INFO
-- ----------------------------------------
-- Installation path: /usr
-- C Compiler: /usr/bin/cc
-- C++ Compiler: /usr/bin/c++
-- Build type: release
-- Plug-in version: 4
--
-- Readline support: yes
-- Fuse support: yes
-- Crypto support: yes
-- Kerberos5 support: disabled
-- XrdCl: yes
-- Tests: disabled
-- HTTP support: yes
-- CEPH support: disabled
-- Python support: yes
-- ----------------------------------------
-- Configuring done
-- Generating done
-- Build files have been written to: /root/xrootd-4.8.2/build

What do I miss?
Regards
Heiko

Authfile:

u * /xrootd lr
u root /xrootd lwrnid

xrootd.cf:

xrd.timeout hail 30 idle 0 kill 3 read 5
all.export /xrootd
set xrdr=glogin1.iup.uni-bremen.de
set inventory=/var/log/xrootd/inventory
all.manager $(xrdr):3121
cms.allow host *.iup.uni-bremen.de
if $(xrdr) && named cns
  all.export $(inventory)
  xrd.port 1095
else if $(xrdr)
  all.role manager
  oss.defaults rw
  xrd.port 1094
else
  all.role server
  ofs.notify closew create mkdir mv rm rmdir trunc | /usr/bin/XrdCnsd -d -D 2 -i 90 -b $(xrdr):1095:$(inventory)
  ofs.notifymsg create $TID create $FMODE $LFN?$CGI
  ofs.notifymsg closew $TID closew $LFN $FSIZE
  xrootd.seclib /usr/lib/libXrdSec.so
  sec.protocol sss -s /etc/xrootd/sss.keytab
  acc.authdb /etc/xrootd/Authfile
  acc.authrefresh 60
  ofs.authorize
  cms.space min 100g 110g
fi

Debug logs from the redirector:

Removing always works for any root account on any client machine:

xrdfs REDIRECTOR rm /xrootd/myTestDir/index.html

180413 08:57:31 17672 XrdSched: running main accept inq=0
180413 08:57:31 17760 XrdInet: Accepted connection from [log in to unmask]
180413 08:57:31 17760 XrdProtocol: matched protocol xrootd
180413 08:57:31 17760 ?:7@anyMachine XrdPoll: FD 7 attached to poller 0; num=1
180413 08:57:31 17760 ?:7@anyMachine XrootdProtocol: 0000 req=login dlen=97
180413 08:57:31 17760 root.16246:7@anyMachine XrootdResponse: 0000 sending 16 data bytes
180413 08:57:31 17760 XrootdXeq: root.16246:7@anyMachine pvt IPv4 login
180413 08:57:31 17760 root.16246:7@anyMachine XrootdProtocol: 0100 req=rm dlen=28
180413 08:57:31 17760 root.16246:7@anyMachine ofs_remove: f fn=/xrootd/myTestDir/index.html
180413 08:57:31 17760 root.16246:7@anyMachine XrootdProtocol: 0100 rc=0 rm /xrootd/myTestDir/index.html
180413 08:57:31 17760 root.16246:7@anyMachine XrootdResponse: 0100 sending OK
180413 08:57:31 17760 XrootdXeq: root.16246:7@anyMachine disc 0:00:00
180413 08:57:31 17760 root.16246:7@anyMachine XrdPoll: FD 7 detached from poller 0; num=0

Whereas copying:

XrdSecDEBUG=1 xrdcp index.html root://REDIRECTOR//xrootd/myTestDir/index.html

Without ~/.xrd/sss.keytab file copy is rejected:

180413 08:59:48 17672 XrdInet: Accepted connection from [log in to unmask]
180413 08:59:48 17672 XrdProtocol: matched protocol xrootd
180413 08:59:48 17672 ?:19@anyMachine XrdPoll: FD 19 attached to poller 0; num=1
180413 08:59:48 17672 ?:19@anyMachine XrootdProtocol: 0000 req=login dlen=97
180413 08:59:48 17672 root.16275:19@anyMachine XrootdResponse: 0000 sending 16 data bytes
180413 08:59:48 17672 XrootdXeq: root.16275:19@anyMachine pvt IPv4 login
180413 08:59:48 17673 XrdSched: running main accept inq=0
180413 08:59:48 17672 root.16275:19@anyMachine XrootdProtocol: 0100 req=stat dlen=28
180413 08:59:48 17672 root.16275:19@anyMachine ofs_stat: fn=/xrootd/myTestDir/index.html
180413 08:59:49 17681 Receive REDIRECTOR 4 bytes on 4095
180413 08:59:49 17681 Decode REDIRECTOR delays root.16275:19@anyMachine 5 /xrootd/myTestDir/index.html
180413 08:59:49 17672 root.16275:19@anyMachine XrootdProtocol: 0100 rc=5 stat /xrootd/myTestDir/index.html
180413 08:59:49 17672 root.16275:19@anyMachine XrootdProtocol: 0100 stalling client for 5 sec
180413 08:59:49 17672 root.16275:19@anyMachine XrootdResponse: 0100 sending 4 data bytes; status=4005
180413 08:59:54 17672 root.16275:19@anyMachine XrootdProtocol: 0100 request timeout; read 0 of 24 bytes
180413 08:59:54 17672 XrdPoll: Poller 0 enabled root.16275:19@anyMachine
180413 08:59:54 17760 XrdSched: running root.16275:19@anyMachine inq=0
180413 08:59:54 17760 root.16275:19@anyMachine XrootdProtocol: 0100 req=stat dlen=28
180413 08:59:54 17760 root.16275:19@anyMachine ofs_stat: fn=/xrootd/myTestDir/index.html
180413 08:59:54 17681 Receive REDIRECTOR 47 bytes on 5119
180413 08:59:54 17681 Decode REDIRECTOR gave root.16275:19@anyMachine err -2 'No servers are available to read the file.' /xrootd/myTestDir/index.html
180413 08:59:54 17760 root.16275:19@anyMachine XrootdProtocol: 0100 rc=-1 stat /xrootd/myTestDir/index.html
180413 08:59:54 17760 root.16275:19@anyMachine XrootdResponse: 0100 sending err 3011: No servers are available to read the file.
180413 08:59:54 17760 root.16275:19@anyMachine XrootdProtocol: 0100 req=open dlen=43
180413 08:59:54 17760 root.16275:19@anyMachine XrootdProtocol: 0100 open unmat /xrootd/myTestDir/index.html?oss.asize=9805
180413 08:59:54 17760 root.16275:19@anyMachine ofs_open: 102-40644 fn=/xrootd/myTestDir/index.html
180413 08:59:54 17681 Receive REDIRECTOR 19 bytes on 6143
180413 08:59:54 17681 Decode REDIRECTOR redirects root.16275:19@anyMachine to 192.168.16.122:1094 /xrootd/myTestDir/index.html
180413 08:59:54 17760 root.16275:19@anyMachine XrootdProtocol: 0100 redirecting to 192.168.16.122:1094
180413 08:59:54 17760 root.16275:19@anyMachine XrootdResponse: 0100 sending 18 data bytes; status=4004
180413 08:59:54 17760 root.16275:19@anyMachine ofs_close: use=0 fn=dummy
180413 08:59:54 17760 root.16275:19@anyMachine XrootdProtocol: 0100 req=open dlen=64
180413 08:59:54 17760 root.16275:19@anyMachine XrootdProtocol: 0100 open unmat /xrootd/myTestDir/index.html?oss.asize=9805&tried=192.168.16.122
180413 08:59:54 17760 root.16275:19@anyMachine ofs_open: 102-40644 fn=/xrootd/myTestDir/index.html
180413 08:59:54 17681 Receive REDIRECTOR 45 bytes on 7167
180413 08:59:54 17681 Decode REDIRECTOR gave root.16275:19@anyMachine err -2 'No servers have write access to the file' /xrootd/myTestDir/index.html
180413 08:59:54 17760 root.16275:19@anyMachine XrootdResponse: 0100 sending err 3011: No servers have write access to the file
180413 08:59:54 17760 root.16275:19@anyMachine ofs_close: use=0 fn=dummy
180413 08:59:54 17760 XrootdXeq: root.16275:19@anyMachine disc 0:00:06
180413 08:59:54 17760 root.16275:19@anyMachine XrdPoll: FD 19 detached from poller 0; num=0

With ~/.xrd/sss.keytab file copy is OK:

180413 09:02:29 17760 XrdSched: running main accept inq=0
180413 09:02:29 17672 XrdInet: Accepted connection from [log in to unmask]
180413 09:02:29 17672 XrdProtocol: matched protocol xrootd
180413 09:02:29 17672 ?:19@anyMachine XrdPoll: FD 19 attached to poller 0; num=1
180413 09:02:29 17672 ?:19@anyMachine XrootdProtocol: 0000 req=login dlen=97
180413 09:02:29 17672 root.16357:19@anyMachine XrootdResponse: 0000 sending 16 data bytes
180413 09:02:29 17672 XrootdXeq: root.16357:19@anyMachine pvt IPv4 login
180413 09:02:29 17672 root.16357:19@anyMachine XrootdProtocol: 0100 req=stat dlen=28
180413 09:02:29 17672 root.16357:19@anyMachine ofs_stat: fn=/xrootd/myTestDir/index.html
180413 09:02:29 17681 Receive REDIRECTOR 4 bytes on 8191
180413 09:02:29 17681 Decode REDIRECTOR delays root.16357:19@anyMachine 5 /xrootd/myTestDir/index.html
180413 09:02:29 17672 root.16357:19@anyMachine XrootdProtocol: 0100 rc=5 stat /xrootd/myTestDir/index.html
180413 09:02:29 17672 root.16357:19@anyMachine XrootdProtocol: 0100 stalling client for 5 sec
180413 09:02:29 17672 root.16357:19@anyMachine XrootdResponse: 0100 sending 4 data bytes; status=4005
180413 09:02:34 17672 root.16357:19@anyMachine XrootdProtocol: 0100 req=stat dlen=28
180413 09:02:34 17672 root.16357:19@anyMachine ofs_stat: fn=/xrootd/myTestDir/index.html
180413 09:02:34 17681 Receive REDIRECTOR 47 bytes on 9215
180413 09:02:34 17681 Decode REDIRECTOR gave root.16357:19@anyMachine err -2 'No servers are available to read the file.' /xrootd/myTestDir/index.html
180413 09:02:34 17672 root.16357:19@anyMachine XrootdProtocol: 0100 rc=-1 stat /xrootd/myTestDir/index.html
180413 09:02:34 17672 root.16357:19@anyMachine XrootdResponse: 0100 sending err 3011: No servers are available to read the file.
180413 09:02:34 17672 root.16357:19@anyMachine XrootdProtocol: 0100 req=open dlen=43
180413 09:02:34 17672 root.16357:19@anyMachine XrootdProtocol: 0100 open unmat /xrootd/myTestDir/index.html?oss.asize=9805
180413 09:02:34 17672 root.16357:19@anyMachine ofs_open: 102-40644 fn=/xrootd/myTestDir/index.html
180413 09:02:34 17681 Receive REDIRECTOR 19 bytes on 10239
180413 09:02:34 17681 Decode REDIRECTOR redirects root.16357:19@anyMachine to 192.168.16.122:1094 /xrootd/myTestDir/index.html
180413 09:02:34 17672 root.16357:19@anyMachine XrootdProtocol: 0100 redirecting to 192.168.16.122:1094
180413 09:02:34 17672 root.16357:19@anyMachine XrootdResponse: 0100 sending 18 data bytes; status=4004
180413 09:02:34 17672 root.16357:19@anyMachine ofs_close: use=0 fn=dummy
180413 09:02:34 17672 XrootdXeq: root.16357:19@anyMachine disc 0:00:05
180413 09:02:34 17672 root.16357:19@anyMachine XrdPoll: FD 19 detached from poller 0; num=0

########################################################################
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
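An added example, not code from the thread or from xrootd itself: a small Python evaluator for the two Authfile lines quoted in the message, used to state what each identity is expected to be granted on the test path before comparing with what the logs show actually happened. It assumes simplified semantics: privileges from every matching 'u' entry are OR'ed together, '*' matches any identity, an entry applies to its path prefix and everything beneath it, and a client that established no identity (user=None) matches only the '*' entry.

```python
from dataclasses import dataclass

# Handled letters: l lookup, r read, w write, n rename, i insert, d delete, k lock; 'a' = all.
ALL_PRIVS = frozenset("lrwnidk")

# Constructed copy of the two Authfile lines quoted in the thread.
AUTHFILE = """\
u * /xrootd lr
u root /xrootd lwrnid
"""

@dataclass(frozen=True)
class Entry:
    ident: str            # user name, or '*' for every identity
    path: str             # path prefix the privileges apply to
    privs: frozenset      # granted privilege letters

def parse_authfile(text):
    """Parse 'u <id> <path> <privs>' lines; other entry types are rejected (assumption)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        kind, ident, path, privs = line.split()
        if kind != "u":
            raise ValueError(f"unsupported entry type: {kind}")
        letters = set()
        for p in privs:
            if p == "a":
                letters |= ALL_PRIVS
            elif p in ALL_PRIVS:
                letters.add(p)
            else:
                raise ValueError(f"unknown privilege letter: {p}")
        entries.append(Entry(ident, path.rstrip("/") or "/", frozenset(letters)))
    return entries

def path_matches(prefix, target):
    """A prefix entry covers the path itself and everything beneath it."""
    return prefix == "/" or target == prefix or target.startswith(prefix + "/")

def privileges(entries, user, target):
    """Letters 'user' holds on 'target'; user=None (no identity) matches only '*' entries."""
    granted = set()
    for e in entries:
        if (e.ident == "*" or e.ident == user) and path_matches(e.path, target):
            granted |= e.privs     # assumed: matching entries accumulate
    return frozenset(granted)
```

Under these assumptions `privileges(parse_authfile(AUTHFILE), "root", "/xrootd/myTestDir/index.html")` includes 'd', while the same call with user=None yields only 'lr', which is the policy the rm trace above should be checked against.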