
Hi Oliver, 

Thank you for the prompt reply and for showing a solution which will work for us for now.

Dmitry
________________________________________
From: Oliver Freyermuth <[log in to unmask]>
Sent: Thursday, May 17, 2018 1:34 PM
To: Dmitry O Litvintsev; [log in to unmask]
Cc: Peter Wienemann
Subject: Re: GSI xrootd and TPC

Hi,

until proxy delegation is implemented upstream, we are solving proxy generation with a script instead of xrdcp, i.e. we have the following in xrootd.cfg:
ofs.tpc autorm scan all ttl 180 1800 pgm /usr/local/bin/xrdcp-voms --server

The script is the following:
--------------------------------------------------
#!/bin/bash

# Use the robot certificate if it is installed on this host.
if [ -e "/etc/grid-security/robotcert.pem" ]; then
        export X509_USER_CERT=/etc/grid-security/robotcert.pem
        export X509_USER_KEY=/etc/grid-security/robotkey.pem
        # Create a VOMS proxy only if no valid one exists yet.
        voms-proxy-info -exists > /dev/null 2>&1
        if [ $? -eq 1 ]; then
                voms-proxy-init -voms atlas
        fi
        export X509_USER_PROXY=$(voms-proxy-info -path)
fi

/usr/bin/xrdcp -v -d 3 "$@"
# Keep the xrdcp exit status so the chmod below cannot mask a failed transfer.
rc=$?

# Fixup permissions, allow everybody to read.
# This obscure syntax is a bashism to get the last argument:
transfered_file="${@: -1}"
if [ -f "${transfered_file}" ]; then
        chmod go+r "${transfered_file}"
fi

exit $rc
--------------------------------------------------
However, as you can see, we are using a robot certificate here, *not* the host certificate.
This is needed since for us the certificate needs to be registered in the ATLAS VO, to get a VOMS proxy for authentication against other servers.
For this, we have requested a robot certificate and registered it in the VO.

Maybe something similar will also help in your case?

Cheers,
        Oliver

On 17.05.2018 at 20:06, Dmitry O Litvintsev wrote:
> Hello,
>
> We have set up two GSI authenticated XRootD servers. I can read/write to any of them.
>
> When I tried third-party transfers (TPC) I had to specify these variables:
>
> in  StartXRD.cf :
>
> export X509_USER_CERT=/etc/grid-security/xrootd/hostcert.pem
> export X509_USER_KEY=/etc/grid-security/xrootd/hostkey.pem
> export X509_USER_PROXY=/tmp/x509up_u498
>
> Unfortunately I have to have some external process renewing proxy b/c the client when invoked by the server to perform TPC would not create proxy (from cert/key pair). I get:
>
> TPC job 8: 180517 11:46:47 6099 secgsi_InitProxy: Not a tty: cannot prompt for proxies - do nothing
> TPC job 8: 180517 11:46:47 6099 secgsi_QueryProxy: problems initializing proxy via external shell
>
> Apparently a system call to "grid-proxy-init" is protected against non tty invocation.
> (based on my reading of  https://github.com/xrootd/xrootd/blob/master/src/XrdSecgsi/XrdSecProtocolgsi.cc)
>
> This seems awkward. I wonder, am I missing something in my setup?
>
> Thank you,
> Dmitry
>
> ########################################################################
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>


--
Oliver Freyermuth
Universität Bonn
Physikalisches Institut, Raum 1.047
Nußallee 12
53115 Bonn
--
Tel.: +49 228 73 2367
Fax:  +49 228 73 7869
--
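
An added example, not part of the thread and not Oliver's script: a variant of the wrapper approach that requires a minimum remaining proxy lifetime instead of mere existence, refuses a robot key or proxy that is group or world accessible, and renames a freshly created proxy into place so parallel TPC jobs never read a half-written file. The names `private_file`, `ensure_proxy`, `main`, the variables `VOMS_INFO`, `VOMS_INIT`, `MIN_VALID` and `PROXY_FILE`, and the proxy path are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not the script from the thread. Tool names can be overridden for testing.
VOMS_INFO=${VOMS_INFO:-voms-proxy-info}
VOMS_INIT=${VOMS_INIT:-voms-proxy-init}
MIN_VALID=${MIN_VALID:-0:30}                              # assumed minimum lifetime left, H:M
PROXY_FILE=${PROXY_FILE:-/var/run/xrootd/tpc-proxy.pem}   # assumed path, not from the thread

# True only for a regular file whose mode grants nothing to group or other.
private_file() {
        local mode
        [ -f "$1" ] || return 1
        mode=$(stat -c '%a' "$1") || return 1
        case "$mode" in
                *00) return 0 ;;
                *)   return 1 ;;
        esac
}

# Make sure $1 holds a proxy with at least MIN_VALID left. A new proxy is written
# to a temporary file and renamed into place, so parallel TPC jobs never read a
# half-written proxy.
ensure_proxy() {
        local proxy=$1 tmp
        if "$VOMS_INFO" -file "$proxy" -exists -valid "$MIN_VALID" > /dev/null 2>&1; then
                private_file "$proxy"
                return
        fi
        tmp=$(mktemp "${proxy}.XXXXXX") || return 1
        if "$VOMS_INIT" -voms atlas -out "$tmp" > /dev/null && private_file "$tmp"; then
                mv -f "$tmp" "$proxy"
        else
                rm -f "$tmp"
                return 1
        fi
}

main() {
        export X509_USER_CERT=/etc/grid-security/robotcert.pem
        export X509_USER_KEY=/etc/grid-security/robotkey.pem
        private_file "$X509_USER_KEY" || { echo "robot key missing or not private" >&2; return 1; }
        ensure_proxy "$PROXY_FILE" || { echo "no usable VOMS proxy" >&2; return 1; }
        X509_USER_PROXY=$PROXY_FILE /usr/bin/xrdcp -v -d 3 "$@"
}

# Runs only when called with xrdcp arguments, as the ofs.tpc pgm directive does.
if [ "$#" -gt 0 ]; then
        main "$@"
        exit $?
fi
```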
