Hi, you should try with "https" for the certificates to be processed. Could you please try that?

Cheers
Fabrizio

On 08/12/20 09:25, [log in to unmask] wrote:
> Hi,
>
> I am a bit puzzled concerning the configuration of my XRootD server running v4.11.2-1 when I try to enable http with voms authentication. The following packages are installed:
>
> xrootd-4.11.2-1.el7.x86_64
> xrootd-client-4.11.2-1.el7.x86_64
> xrootd-client-libs-4.11.2-1.el7.x86_64
> xrootd-libs-4.11.2-1.el7.x86_64
> xrootd-selinux-4.11.2-1.el7.noarch
> xrootd-server-4.11.2-1.el7.x86_64
> xrootd-server-libs-4.11.2-1.el7.x86_64
> voms-2.0.15-1.el7.x86_64
> voms-clients-cpp-2.0.15-1.el7.x86_64
> vomsxrd-0.3.0-1.el7.cern.x86_64
> xrdhttpvoms-0.2.5-2.el7.x86_64
>
> and I have the following configuration files:
>
> =================================================
> $ cat xrootd_server_grid.cfg
> xrd.port 1094
> xrd.protocol xrootd *
> [...]
>
> all.export /xrootd/in2p3.fr/disk/juno nolock r/w
>
> if exec xrootd
> xrd.protocol http:1094 /usr/lib64/libXrdHttp.so
> http.exthandler xrdtpc /usr/lib64/libXrdHttpTPC.so
> http.secxtractor /usr/lib64/libXrdHttpVOMS.so
> http.header2cgi Authorization authz
> http.cadir /etc/grid-security/certificates
> http.cert /etc/grid-security/xrd/xrdcert.pem
> http.key /etc/grid-security/xrd/xrdkey.pem
> http.listingdeny yes
> http.trace all
> fi
>
> ofs.tpc fcreds gsi =X509_USER_PROXY ttl 60 70 xfr 20 autorm pgm /usr/share/xrootd/utils/xrdcp-tpc.sh
> xrootd.chksum adler32 /usr/share/xrootd/utils/xrdadler32-tpc.sh
>
> xrootd.seclib /usr/lib64/libXrdSec.so
> sec.protparm gsi -vomsfun:/usr/lib64/libXrdSecgsiVOMS-4.so -vomsfunparms:certfmt=pem|vos=juno|grps=/juno|grpopt=10|dbg
> sec.protocol /usr/lib64 gsi -dlgpxy:1 -exppxy:=creds -ca:1 -crl:3 -gridmap:/dev/null
> acc.audit deny
> acc.authdb /etc/xrootd/auth_file
> acc.authrefresh 60
> ofs.authorize
> [...]
>
> $ cat auth_file
> g /juno /xrootd/in2p3.fr/disk/juno rwild /xrootd/in2p3.fr/tape/juno rwild
> =================================================
>
> With my Juno proxy, I am able to read a file using xrdcp. However, using gfal-copy with the http protocol, it fails with:
>
> $ gfal-copy http://ccxrdli284.in2p3.fr:1094//xrootd/in2p3.fr/disk/juno/user/y/ycalas/testfile_dir/testfile_IN2P3-XROOTD.txt ti)
>
> gfal-copy error: 1 (Operation not permitted) - Could not stat the source: HTTP 403 : Permission refused
>
> It seems that the mapping is not done correctly (login as "nobody" user) as shown below. I wonder what is the tricky part to modify in my XRootD configuration file...
>
> =================================================
> 201207 21:42:49 190911 ?:27@[xxx.xxx.xxx.xxx] sysXrdHttp: received dlen: 16
> 201207 21:42:49 190911 ?:27@[xxx.xxx.xxx.xxx] sysXrdHttp: received dump: 72 69 65 68 32 47 47 120 114 111 111 116 100 47 105 00
> 201207 21:42:49 190911 ?:27@[xxx.xxx.xxx.xxx] sysXrdHttp: Protocol matched. https: 0
> 201207 21:42:49 190911 ?:27@[xxx.xxx.xxx.xxx] sysXrdHttp: Process. lp:0x7fdfe80010d8 reqstate: 0
> 201207 21:42:49 190911 ?:27@[xxx.xxx.xxx.xxx] sysXrdHttp: Setting host: [xxx.xxx.xxx.xxx]
> 201207 21:42:49 190911 sysXrdHttp: getDataOneShot BuffAvailable: 1048576 maxread: 1048576
> 201207 21:42:49 190911 sysXrdHttp: read 237 of 1048576 bytes
> 201207 21:42:49 190911 sysXrdHttp: rc:96 got hdr line: HEAD //xrootd/in2p3.fr/disk/juno/user/y/ycalas/testfile_dir/testfile_IN2P3-XROOTD.txt HTTP/1.1
> 201207 21:42:49 190911 sysXrdHttp: Parsing first line: HEAD //xrootd/in2p3.fr/disk/juno/user/y/ycalas/testfile_dir/testfile_IN2P3-XROOTD.txt HTTP/1.1
> 201207 21:42:49 190911 sysXrdHttp: rc:55 got hdr line: User-Agent: gfal2-util/1.5.3 gfal2/2.18.1 neon/0.0.29
> 201207 21:42:49 190911 sysXrdHttp: rc:14 got hdr line: Keep-Alive:
> 201207 21:42:49 190911 sysXrdHttp: rc:24 got hdr line: Connection: Keep-Alive
> 201207 21:42:49 190911 sysXrdHttp: rc:14 got hdr line: TE: trailers
> 201207 21:42:49 190911 sysXrdHttp: rc:32 got hdr line: Host: yyyyyy.zzzz.fr:1094
> 201207 21:42:49 190911 sysXrdHttp: rc:2 got hdr line:
> 01207 21:42:49 190911 sysXrdHttp: rc:2 detected header end.
> 201207 21:42:49 190911 XrootdBridge: unknown.7:27@[xxx.xxx.xxx.xxx] login as nobody
> 201207 21:42:49 190911 unknown.7:27@[xxx.xxx.xxx.xxx] sysXrdHttp: Process. lp:0x7fdfe80010d8 reqstate: 0
> 201207 21:42:49 190911 unknown.7:27@[xxx.xxx.xxx.xxx] sysXrdHttp: Process is exiting rc:0
> 201207 21:42:49 190911 acc_Audit: http deny *@[xxx.xxx.xxx.xxx] stat /xrootd/in2p3.fr/disk/juno/user/y/ycalas/testfile_dir/testfile_IN2P3-XROOTD.txt
> 201207 21:42:49 190911 ofs_stat: unknown.7:27@[xxx.xxx.xxx.xxx] Unable to locate /xrootd/in2p3.fr/disk/juno/user/y/ycalas/testfile_dir/testfile_IN2P3-XROOTD.txt; permission denied
> =================================================
>
> Any idea?
>
> Thanks,
>
> Yvan
> ########################################################################
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
> ########################################################################
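
The sequence in the trace quoted above (`Protocol matched. https: 0`, then `login as nobody`, then `acc_Audit: http deny`) is what a plain-HTTP request looks like when authorization depends on a client certificate. The Python below is an added example, not part of the original thread or of XRootD: it correlates those three markers per thread id in `http.trace all` output. The sample lines are constructed in the format shown in the thread, and the function name, cause labels and the reading of the third field as a thread id are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the trace quoted in the thread.
SAMPLE_LOG = """\
201207 21:42:49 190911 ?:27@[xxx.xxx.xxx.xxx] sysXrdHttp: Protocol matched. https: 0
201207 21:42:49 190911 sysXrdHttp: rc:96 got hdr line: HEAD //xrootd/in2p3.fr/disk/juno/f.txt HTTP/1.1
201207 21:42:49 190911 XrootdBridge: unknown.7:27@[xxx.xxx.xxx.xxx] login as nobody
201207 21:42:49 190911 acc_Audit: http deny *@[xxx.xxx.xxx.xxx] stat /xrootd/in2p3.fr/disk/juno/f.txt
201207 21:43:10 190912 ?:28@[xxx.xxx.xxx.xxx] sysXrdHttp: Protocol matched. https: 1
201207 21:43:10 190912 acc_Audit: http deny *@[xxx.xxx.xxx.xxx] stat /xrootd/in2p3.fr/tape/other/g.txt
"""

# Assumed layout: "yymmdd hh:mm:ss <thread id> <message>".
LINE = re.compile(r"^(\d{6} \d\d:\d\d:\d\d) (\d+) (.*)$")
PROTO = re.compile(r"Protocol matched\. https: ([01])")
DENY = re.compile(r"acc_Audit: http deny (\S+) (\w+) (\S+)")

def diagnose_denials(log_text):
    """Return one finding per acc_Audit deny, tagged with its likely cause."""
    sessions = defaultdict(lambda: {"https": None, "nobody": False})
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a trace line (wrapped or truncated output)
        stamp, tid, msg = m.groups()
        state = sessions[tid]
        if (p := PROTO.search(msg)):
            # A thread serves many connections: reset state on each new one.
            sessions[tid] = {"https": p.group(1) == "1", "nobody": False}
        elif "login as nobody" in msg:
            state["nobody"] = True
        elif (d := DENY.search(msg)):
            if state["https"] is False and state["nobody"]:
                cause = "plain-http-anonymous"  # no TLS, so no client certificate was seen
            else:
                cause = "authorization-rule"    # look at acc.authdb and the mapped identity
            findings.append({"time": stamp, "tid": tid, "op": d.group(2),
                             "path": d.group(3), "cause": cause})
    return findings

if __name__ == "__main__":
    for finding in diagnose_denials(SAMPLE_LOG):
        print(finding)
```
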