Hi Albert,

This is handled by an envar XrdSecGSIDELEGPROXY and is documented in the 
security reference
http://xrootd.org/doc/dev49/sec_config.htm

Specifically, in section
http://xrootd.org/doc/dev49/sec_config.htm#_Toc517294107

It is done this way because the client does not have a config file, so it 
relies on envars to enable specific behaviour.

Andy

On Wed, 6 Mar 2019, Albert Rossi wrote:

> Hello,
>
>
> What is necessary in order to get the 4.9 xrdcp client to sign proxy requests besides setting the env variable?
>
>
> I cannot find anything in the documentation that describes this (your GSI document merely mentions the kgsiHandshakeOpts enum that is used internally).
>
>
> I have looked at
>
>
> XrdSecprotocolgsi.cc
>
>
> With respect to the client, here is what I see.
>
>
> Your extern C initializing function, char *XrdSecProtocolgsiInit, at l. 2557 does:
>
>
> cenv = getenv("XrdSecGSIDELEGPROXY");
> if (cenv)
>         opts.dlgpxy = atoi(cenv);
>
> this function does a tail call on the C++ initializer:  char *XrdSecProtocolgsi::Init(gsiOptions opt, XrdOucErrInfo *erp)
>
> which in turn, at l. 989, sets up the options for the client:
>
>      // Delegate proxy options
>      if (opt.dlgpxy > 0) {
>         PxyReqOpts |= kOptsSigReq;
>         if (opt.dlgpxy == 2) {
>            PxyReqOpts |= kOptsFwdPxy;
>         } else {
>            PxyReqOpts |= kOptsDlgPxy;
>         }
>      }
>
>
> So, from the looks of it, all it should take to get the client to sign delegation requests is to set the env var XrdSecGSIDELEGPROXY to 1.
>
>
> The script I am using to run the 4.9 client has this:
>
>
> #!/bin/bash
>
> export LD_LIBRARY_PATH="/usr/share/xrootd/xrootd-4.9.0/lib64:$LD_LIBRARY_PATH"
> export XrdSecGSIDELEGPROXY=1
>
> /usr/share/xrootd/xrootd-4.9.0/bin/xrdcp "$@"
>
>
>
> and yet, the dCache server/door tells me on the sigpxy step that it has received a kXRS_message bucket with the following:
>
>
> "client cannot sign request; Not allowed to sign proxy requests."
>
>
> Is there something else that needs to be done in order to get the client to sign proxy requests?
>
>
> Thanks, Al
>
>
> ________________________________________________
> Albert L. Rossi
> Application Developer & Systems Analyst III
> Scientific Computing Division, Data Movement Development
> FCC 229A
> Mail Station 369 (FCC 2W)
> Fermi National Accelerator Laboratory
> Batavia, IL 60510
> (630) 840-3023
>
> ########################################################################
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-DEV list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>

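
Added example (not part of either message and not XRootD code): the two snippets quoted in the thread combined into one function, so you can see which proxy-request flags a given XrdSecGSIDELEGPROXY value produces, including values that atoi() silently turns into 0. The function names, the bit values of the flags and the default for an unset variable are assumptions made for this example.

```cpp
// Added example: mirrors the two snippets quoted in the thread so the effect
// of an XrdSecGSIDELEGPROXY value can be checked without running a client.
#include <cstdlib>
#include <iostream>
#include <string>

// Flag names are the ones quoted in the thread; the bit values are
// placeholders chosen for this example, not copied from the XRootD headers.
enum : int { kOptsDlgPxy = 1, kOptsFwdPxy = 2, kOptsSigReq = 4 };

// Same steps as the quoted code: atoi() on the variable, then the
// "Delegate proxy options" branch. env_value == nullptr means "unset".
int pxy_req_opts(const char *env_value) {
    int dlgpxy = 0;                      // assumed default when unset
    if (env_value) dlgpxy = std::atoi(env_value);
    int opts = 0;
    if (dlgpxy > 0) {
        opts |= kOptsSigReq;
        opts |= (dlgpxy == 2) ? kOptsFwdPxy : kOptsDlgPxy;
    }
    return opts;
}

// Human-readable list of the flags set in opts.
std::string describe(int opts) {
    if (opts == 0) return "none";
    std::string s;
    if (opts & kOptsSigReq) s += "SigReq ";
    if (opts & kOptsDlgPxy) s += "DlgPxy ";
    if (opts & kOptsFwdPxy) s += "FwdPxy ";
    s.pop_back();                        // drop the trailing space
    return s;
}

int main() {
    // Constructed inputs, including values atoi() silently maps to 0.
    const char *samples[] = {nullptr, "0", "1", "2", "3", "-1", "true", " 2", "2x"};
    for (const char *v : samples)
        std::cout << (v ? v : "(unset)") << " -> " << describe(pxy_req_opts(v)) << "\n";
    return 0;
}
```

It covers only the client-side option mapping quoted in the thread, not the server's handling of the request.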