
Hi Wei,


> The way it works in xrootd and others is that the applications will check X509_USER_PROXY. Failing that, check /tmp/x509up_u$(id -u).


Is there a way to determine why Xrootd fails using X509_USER_PROXY? Even on the highest debug level I do not see anything indicating that Xrootd even attempts to access that file. I can unset the environment variable X509_USER_PROXY or delete the corresponding file, the behavior is always the same.


> It will never use ~/.globus/userkey.pem alone since that file has only private key.


That's true, but it is irrelevant to my setup because I have neither userkey.pem nor usercert.pem; I only use X509_USER_PROXY.


> Given the way you use MyProxy, I suppose you also have its own CA? Assuming that the Xrootd have access to the CA, it should grant you access based on the X509 proxy you obtain from the MyProxy.


Yes, I have my own CA. But what do you mean by "Xrootd have access to the CA"? Are you speaking about Xrootd TRUSTING the CA? There is no direct communication between Xrootd and MyProxy from what I understand...


Best,

Lukas


--
Lukas Koschmieder
Steel Institute IEHK
RWTH Aachen University
Intzestraße 1
52072 Aachen
Germany

Tel: +49 (0)241 80 95823
Fax: +49 (0)241 80 92253
[log in to unmask]


From: Yang, Wei <[log in to unmask]>
Sent: Wednesday, September 12, 2018 8:35:22 PM
To: Koschmieder, Lukas; xrootd-l
Subject: Re: Using GSI X509_USER_PROXY for authentication
 
The way it works in xrootd and others is that the applications will check X509_USER_PROXY. Failing that, check /tmp/x509up_u$(id -u). It will never use ~/.globus/userkey.pem alone since that file has only private key.

Given the way you use MyProxy, I suppose you also have its own CA? Assuming that the Xrootd have access to the CA, it should grant you access based on the X509 proxy you obtain from the MyProxy.

--
Wei Yang  |  [log in to unmask]  |  650-926-3338(O)

-----Original Message-----
From: <[log in to unmask]> on behalf of "Koschmieder, Lukas" <[log in to unmask]>
Date: Wednesday, September 12, 2018 at 11:05 AM
To: xrootd-l <[log in to unmask]>
Subject: Using GSI X509_USER_PROXY for authentication

    Hi,
   
    I've installed a small grid setup using MyProxy, HTCondor and XRootD. My MyProxy server uses an LDAP database to generate user proxies "on the fly". By "on the fly" I mean that I've disabled the MyProxy feature to accept/store actual certificates. So the idea is that users are supposed to run "myproxy-logon" (and enter their LDAP password) in order to retrieve a temporary proxy which then can be used to authenticate against XRootD or HTCondor.
   
    This setup works for HTCondor. For instance, I can use my temporary proxy to check the job queue or submit a job. But XRootD authentication doesn't work for some reason. When I try to copy a file to my XRootD server, xrdcp fails (complaining about not being able to access ~/.globus/userkey.pem). So my first question would be: Why wouldn't the XRootD client simply fall back to using X509_USER_PROXY if ~/.globus/userkey.pem doesn't exist?
   
    Also I've discovered that this setup actually does work if I modify the default path to userkey.pem in such a way that it points to my temporary proxy location (X509_USER_PROXY):
   
      export XrdSecGSIUSERKEY=/tmp/x509up_u$UID
      export XrdSecGSIUSERPROXY=/tmp/x509up_u$UID
   
    This leads me to my second question: Would this be "the way to go"?
   
    Best,
    Lukas
   
   
    --
    Lukas Koschmieder
    Steel Institute IEHK
    RWTH Aachen University
    Intzestraße 1
    52072 Aachen
    Germany
   
    Tel: +49 (0)241 80 95823
    Fax: +49 (0)241 80 92253
    [log in to unmask]
   
    ________________________________________
    Use REPLY-ALL to reply to list
    To unsubscribe from the XROOTD-L list, click the following link:
    https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
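
As an added diagnostic (not part of the original messages and not XRootD or MyProxy code), the shell functions below resolve the proxy path in the lookup order described in the thread and check that the file holds both a certificate and a private key. The function names and the 600/400 mode check are assumptions of this example; the environment variable names are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: check which proxy file a GSI client would look for.

# Print the proxy path in the order described in the thread:
# X509_USER_PROXY first, then /tmp/x509up_u<uid>.
resolve_proxy() {
    if [ -n "${X509_USER_PROXY:-}" ]; then
        printf '%s\n' "$X509_USER_PROXY"
    else
        printf '/tmp/x509up_u%s\n' "$(id -u)"
    fi
}

# Return 0 if the file looks like a usable proxy; otherwise print why not.
check_proxy() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case $mode in
        600|400) ;;   # assumption: owner-only access is expected
        *) echo "mode $mode on $f (expected 600 or 400)"; return 1 ;;
    esac
    # A proxy file carries the certificate and its private key together,
    # unlike userkey.pem, which has only the key.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "no certificate in $f"; return 1; }
    grep -q -e 'PRIVATE KEY-----' "$f" \
        || { echo "no private key in $f"; return 1; }
    echo "ok: $f"
}

# Show the variables named in the thread, then check the resolved file.
report() {
    for v in X509_USER_PROXY XrdSecGSIUSERPROXY XrdSecGSIUSERKEY; do
        eval "val=\${$v-}"
        echo "$v=${val:-(unset)}"
    done
    check_proxy "$(resolve_proxy)"
}
```

Source the file and run `report` in the same shell that runs xrdcp, so the environment it prints is the one the client sees.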
   