I have a scitoken from our cilogon issuer:

[arossi@fndcatemp1 ~]$ httokendecode
{
  "wlcg.ver": "1.0",
  "aud": "https://wlcg.cern.ch/jwt/v1/any",
  "sub": "[log in to unmask]",
  "nbf": 1648214277,
  "scope": "storage.create:/fermilab/users/arossi compute.create compute.read compute.cancel compute.modify storage.read:/fermilab/users/arossi",
  "iss": "https://cilogon.org/fermilab",
  "exp": 1648225082,
  "iat": 1648214282,
  "wlcg.groups": [
    "/fermilab"
  ],
  "jti": "https://cilogon.org/oauth2/568060ebfe8ef7fa5cbb45aabeec6b09?type=accessToken&ts=1648214282790&version=v2.0&lifetime=10800000"
}

Thus the sub "[log in to unmask]" should be authorized to write a file to /fermilab/users/arossi.

The xrootd server is configured to use:

ofs.authorize
ofs.authlib libXrdAccSciTokens.so config=/opt/xrootd/scitokens.cfg
sec.protocol ztn -maxsz 4k
acc.audit deny
acc.authdb /opt/xrootd/Authfile

The scitokens configuration file, /opt/xrootd/scitokens.cfg:

[Global]
audience=https://wlcg.cern.ch/jwt/v1/any

[Issuer FERMILAB]
issuer=https://cilogon.org/fermilab
base_path=/fermilab
default_user=dcache
map_subject=False
name_mapfile=/opt/xrootd/scitokens-map.json

The scitokens name mapfile, /opt/xrootd/scitokens-map.json, has the path relative to the base path, but if I give it the full path from the base, the result is the same:

[
  {"sub": "[log in to unmask]", "path": "/users/arossi", "result": "arossi"}
]

Authfile also gives permissions to arossi on that directory:

u dcache // a / a
u arossi // a /fermilab/users/arossi a

I added

u [log in to unmask] // a /fermilab/users/arossi a

to no effect.

Sanity check on the actual filesystem:

[arossi@fndcatemp1 ~]$ ls -l /fermilab/
total 4
drwxr-xr-x 3 dcache dcache 4096 Mar 25 10:12 users
[arossi@fndcatemp1 ~]$ ls -l /fermilab/users/
total 4
drwxr-xr-x 2 arossi ods 4096 Mar 25 10:12 arossi

When I try:

[arossi@fndcatemp1 ~]$ xrdcp5x data/data_1b xroots://fndcatemp1.fnal.gov:1094//fermilab/users/arossi/data-`suffix`?authz=Bearer%20`cat $XDG_RUNTIME_DIR/bt_u8773`
[0B/0B][100%][==================================================][0B/s]
Run: [ERROR] Server responded with an error: [3010] Opening path '/fermilab/users/arossi/data-2022032510271648222044621622690' is disallowed. (destination)

The server log states:

220325 10:27:24 27782 anon.0:22@fndcatemp1 Xrootd_Protocol: 0000 req=protocol dlen=0
220325 10:27:24 27782 anon.0:22@fndcatemp1 Xrootd_Response: 0000 sending 8 data bytes; status=0
220325 10:27:24 27782 anon.0:22@fndcatemp1 TLS_Accept: Accepting a TLS connection...
220325 10:27:24 27782 XrdLinkXeq: anon.0:22@fndcatemp1 connection upgraded to TLSv1.2
220325 10:27:24 27782 anon.0:22@fndcatemp1 TLS_Read: 24 out of 24 bytes.
220325 10:27:24 27782 anon.0:22@fndcatemp1 Xrootd_Protocol: 0000 req=login dlen=105
220325 10:27:24 27782 anon.0:22@fndcatemp1 TLS_Read: 105 out of 105 bytes.
220325 10:27:24 27782 sec_getParms: fndcatemp1.fnal.gov sectoken=&P=ztn,0:4096:
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Response: 0000 sending 30 data bytes; status=0
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 8 out of 8 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 16 out of 16 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 14 out of 14 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Read: 24 out of 24 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Protocol: 0000 req=auth dlen=1079
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Read: 1079 out of 1079 bytes.
sec_PM: Using ztn protocol, args='0:4096:'
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Response: 0000 sending OK
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 8 out of 8 bytes.
arossi.4418:22@fndcatemp1 Protocol 'ztn'
arossi.4418:22@fndcatemp1 Name [log in to unmask]
arossi.4418:22@fndcatemp1 Host 'fndcatemp1.fnal.gov'
arossi.4418:22@fndcatemp1 Vorg ''
arossi.4418:22@fndcatemp1 Role ''
arossi.4418:22@fndcatemp1 Grps ''
arossi.4418:22@fndcatemp1 Caps ''
arossi.4418:22@fndcatemp1 Pidn 'arossi.4418:22@fndcatemp1'
arossi.4418:22@fndcatemp1 Crlen 1066
arossi.4418:22@fndcatemp1 ueid 2
arossi.4418:22@fndcatemp1 uid 0
arossi.4418:22@fndcatemp1 gid 0
220325 10:27:24 27782 XrootdXeq: arossi.4418:22@fndcatemp1 pub IPv4 TLSv1.2 login as [log in to unmask]
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Read: 24 out of 24 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Protocol: 0100 req=stat dlen=59
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Read: 59 out of 59 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Response: 0100 sending err 3010: Stating path '/fermilab/users/arossi/data-2022032510271648222044621622690' is disallowed.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 8 out of 8 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 4 out of 4 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 90 out of 90 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Read: 24 out of 24 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Protocol: 0100 req=open dlen=1153
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Read: 1153 out of 1153 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Protocol: 0100 open unmt /fermilab/users/arossi/data-2022032510271648222044621622690?authz=Bearer%20eyJ0eXAiOiJKV1QiLCJraWQiOiJCODYzNDk1MUZEMUUzMTVEQUY3NUM5NEFFQ0YwMzY2OCIsImFsZyI6IlJTMjU2In0....OK7FKVea6ZyZAgBf5nYHaIYUiASEyZVO3QeRKcnNMIWJj7kp-dcI4vVB-quVYe8PX_ED7MY1yczARGRHibVpnVllShiUT0avr5sj1hBqFreWbXZDJz2_pGpSiYtaQ-KRAXXhuK89ry86YC7P0bYeAflKq-8xeVWokJUvvq5BKdN0EbqmgR_we9jIWdn7_vv8R-AVIQNeDhtvIc9pUGjCzXH1IR0nFw89OVMcQ7a7ZkBUU2uzDJ-VbSbDMD7L11jxUYb0TnK4hIZgwLfGRkoEU7LJF3jGjKwu-JoUSauechvkQCsvKGDuGJNp38-Bay4Bnygd8JGjsJZtgoXTrCaz3g&oss.asize=1
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Response: 0100 sending err 3010: Opening path '/fermilab/users/arossi/data-2022032510271648222044621622690' is disallowed.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 8 out of 8 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 4 out of 4 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 90 out of 90 bytes.
220325 10:27:24 27782 XrdTLS: arossi.4418:22@fndcatemp1 TLS error rc=0 ec=6 (zero_return) errno=0.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Shutdown: Doing fast shutdown.
220325 10:27:24 27782 XrootdXeq: arossi.4418:22@fndcatemp1 disc 0:00:00
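Added example, not code from this post or from the XrdSciTokens plugin: a small Python check that models the rule the XrdSciTokens plugin documents for its issuer configuration, namely that a storage scope path in the token is taken relative to the issuer's base_path, and applies it to the scope and config quoted above. SAMPLE_CLAIMS and SAMPLE_ISSUERS are constructed from the post; the decoder reads the payload without signature verification and is for inspection only.

```python
import base64
import json
import posixpath

# Constructed from the post: the token's iss/scope claims and the
# [Issuer FERMILAB] section's base_path from scitokens.cfg.
SAMPLE_CLAIMS = {
    "iss": "https://cilogon.org/fermilab",
    "scope": "storage.create:/fermilab/users/arossi compute.create compute.read "
             "compute.cancel compute.modify storage.read:/fermilab/users/arossi",
}
SAMPLE_ISSUERS = {"https://cilogon.org/fermilab": "/fermilab"}


def decode_payload(jwt):
    """Decode the middle (payload) segment of a JWT for inspection.
    No signature check is done here; never use this for authorization."""
    part = jwt.split(".")[1]
    part += "=" * (-len(part) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(part))


def authorized_paths(claims, issuers):
    """Turn each path-qualified scope (storage.create:/x, storage.read:/x)
    into the absolute path it grants: the issuer's base_path joined with
    the scope path, as documented for XrdSciTokens."""
    base = issuers[claims["iss"]]
    grants = []
    for entry in claims["scope"].split():
        if ":" not in entry:                # compute.* scopes carry no path
            continue
        op, _, rel = entry.partition(":")
        grants.append((op, posixpath.normpath(base + "/" + rel.lstrip("/"))))
    return grants


def path_allowed(claims, issuers, op, path):
    """True if some scope grants `op` on `path` or one of its ancestors."""
    path = posixpath.normpath(path)
    for g_op, g_path in authorized_paths(claims, issuers):
        if g_op == op and (path == g_path or path.startswith(g_path + "/")):
            return True
    return False


if __name__ == "__main__":
    target = "/fermilab/users/arossi/data-2022032510271648222044621622690"
    print(authorized_paths(SAMPLE_CLAIMS, SAMPLE_ISSUERS))
    print("storage.create on", target, "->",
          path_allowed(SAMPLE_CLAIMS, SAMPLE_ISSUERS, "storage.create", target))
```

Running it prints the absolute paths the quoted scope actually grants under base_path=/fermilab, which can be compared directly against the path in the "is disallowed" log line.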