Hi Albert,
This is because of the security check in xrdcp that filters the setting out unless it’s a real TPC case.
The easiest way around is to use xrdfs, for example like this
$ xrdfs root://your.server.url <root://your.server.url> stat /path/to/your/file
Gerri
> On 06 Mar 2019, at 15:54, Albert Rossi <[log in to unmask]> wrote:
>
> Hi Andy,
>
> yes, that is the env variable I have been setting (see the script I mentioned below).
>
> There is something wrong, then, with the way I am doing it, because it does not seem to be working.
>
> i.e.,
>
> > #!/bin/bash
> >
> > export LD_LIBRARY_PATH="/usr/share/xrootd/xrootd-4.9.0/lib64:$LD_LIBRARY_PATH"
> > export XrdSecGSIDELEGPROXY=1
> >
> > /usr/share/xrootd/xrootd-4.9.0/bin/xrdcp $@
> >
>
> does not work for me.
>
> thanks, Al
>
>
> ________________________________________________
> Albert L. Rossi
> Application Developer & Systems Analyst III
> Scientific Computing Division, Data Movement Development
> FCC 229A
> Mail Station 369 (FCC 2W)
> Fermi National Accelerator Laboratory
> Batavia, IL 60510
> (630) 840-3023
>
>
> From: Andrew Hanushevsky <[log in to unmask] <mailto:[log in to unmask]>>
> Sent: Wednesday, March 6, 2019 8:50 AM
> To: Albert Rossi
> Cc: xrootd-dev; [log in to unmask] <mailto:[log in to unmask]>
> Subject: Re: activating client delegation
>
> Hi Albert,
>
> This is handled by an envar XrdSecGSIDELEGPROXY and is documented in the
> security reference
> https://urldefense.proofpoint.com/v2/url?u=http-3A__xrootd.org_doc_dev49_sec-5Fconfig.htm&d=DwIBAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=Si51LbJlKCEyx2WfKgPV8W0xh3B-16Xj5Mr6yV2RSAY&s=Hc0rm9dtHt1Ayif3JHCgkTFwgTRXRG4ZPfmxfZptGm4&e= <https://urldefense.proofpoint.com/v2/url?u=http-3A__xrootd.org_doc_dev49_sec-5Fconfig.htm&d=DwIBAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=Si51LbJlKCEyx2WfKgPV8W0xh3B-16Xj5Mr6yV2RSAY&s=Hc0rm9dtHt1Ayif3JHCgkTFwgTRXRG4ZPfmxfZptGm4&e=>
>
> Specifically, in section
> https://urldefense.proofpoint.com/v2/url?u=http-3A__xrootd.org_doc_dev49_sec-5Fconfig.htm-23-5FToc517294107&d=DwIBAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=Si51LbJlKCEyx2WfKgPV8W0xh3B-16Xj5Mr6yV2RSAY&s=ToMmFfGRbGkTb02agcNUN2GeJD9cXHKonGBxfRPXmDw&e= <https://urldefense.proofpoint.com/v2/url?u=http-3A__xrootd.org_doc_dev49_sec-5Fconfig.htm-23-5FToc517294107&d=DwIBAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=Si51LbJlKCEyx2WfKgPV8W0xh3B-16Xj5Mr6yV2RSAY&s=ToMmFfGRbGkTb02agcNUN2GeJD9cXHKonGBxfRPXmDw&e=>
>
> It is done this way because the client does not have a config file, so it
> relies on envars to enable specific behaviour.
>
> Andy
>
> On Wed, 6 Mar 2019, Albert Rossi wrote:
>
> > Hello,
> >
> >
> > What is necessary in order to get the 4.9 xrdcp client to sign proxy requests besides setting the env variable?
> >
> >
> > I cannot find anything in the documentation that describes this (your GSI document merely mentions the kgsiHandshakeOpts enum that is used internally).
> >
> >
> > I have looked at
> >
> >
> > XrdSecprotocolgsi.cc <http://xrdsecprotocolgsi.cc/>
> >
> >
> > With respect to the client, here is what I see.
> >
> >
> > Your extern C initializing function, char *XrdSecProtocolgsiInit, at l. 2557 does:
> >
> >
> > cenv = getenv("XrdSecGSIDELEGPROXY");
> > if (cenv)
> > opts.dlgpxy = atoi(cenv);
> >
> > this function does a tail call on the C++ initializer: char *XrdSecProtocolgsi::Init(gsiOptions opt, XrdOucErrInfo *erp)
> >
> > which in turn, at l. 989, sets up the options for the client:
> >
> > // Delegate proxy options
> > if (opt.dlgpxy > 0) {
> > PxyReqOpts |= kOptsSigReq;
> > if (opt.dlgpxy == 2) {
> > PxyReqOpts |= kOptsFwdPxy;
> > } else {
> > PxyReqOpts |= kOptsDlgPxy;
> > }
> > }
> >
> >
> > So, from the looks of it, all it should take to get the client to sign delegation requests is to set the env var XrdSecGSIDELEGPROXY to 1.
> >
> >
> > The script I am using to run the 4.9 client has this:
> >
> >
> > #!/bin/bash
> >
> > export LD_LIBRARY_PATH="/usr/share/xrootd/xrootd-4.9.0/lib64:$LD_LIBRARY_PATH"
> > export XrdSecGSIDELEGPROXY=1
> >
> > /usr/share/xrootd/xrootd-4.9.0/bin/xrdcp $@
> >
> >
> >
> > and yet, the dCache server/door tells me on the sigpxy step that it has received a kXRS_message bucket with the following:
> >
> >
> > "client cannot sign request; Not allowed to sign proxy requests."
> >
> >
> > Is there something else that needs to be done in order to get the client to sign proxy requests?
> >
> >
> > Thanks, Al
> >
> >
> > ________________________________________________
> > Albert L. Rossi
> > Application Developer & Systems Analyst III
> > Scientific Computing Division, Data Movement Development
> > FCC 229A
> > Mail Station 369 (FCC 2W)
> > Fermi National Accelerator Laboratory
> > Batavia, IL 60510
> > (630) 840-3023
> >
> > ########################################################################
> > Use REPLY-ALL to reply to list
> >
> > To unsubscribe from the XROOTD-DEV list, click the following link:
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__listserv.slac.stanford.edu_cgi-2Dbin_wa-3FSUBED1-3DXROOTD-2DDEV-26A-3D1&d=DwIBAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=Si51LbJlKCEyx2WfKgPV8W0xh3B-16Xj5Mr6yV2RSAY&s=7Swm5XvoFU7BM2FilUQyaUIPVWPb03Lmr-k631NqojQ&e= <https://urldefense.proofpoint.com/v2/url?u=https-3A__listserv.slac.stanford.edu_cgi-2Dbin_wa-3FSUBED1-3DXROOTD-2DDEV-26A-3D1&d=DwIBAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=60rQ0HHqHmEY1P6VSdyuTQ&m=Si51LbJlKCEyx2WfKgPV8W0xh3B-16Xj5Mr6yV2RSAY&s=7Swm5XvoFU7BM2FilUQyaUIPVWPb03Lmr-k631NqojQ&e=>
> >
>
> Use REPLY-ALL to reply to list
> To unsubscribe from the XROOTD-DEV list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1 <https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1>
########################################################################
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
