I have a scitoken from our cilogon issuer:
[arossi@fndcatemp1 ~]$ httokendecode
{
"wlcg.ver": "1.0",
"aud": "https://wlcg.cern.ch/jwt/v1/any",
"sub": "[log in to unmask]",
"nbf": 1648214277,
"scope": "storage.create:/fermilab/users/arossi compute.create compute.read compute.cancel compute.modify storage.read:/fermilab/users/arossi",
"iss": "https://cilogon.org/fermilab",
"exp": 1648225082,
"iat": 1648214282,
"wlcg.groups": [
"/fermilab"
],
"jti": "https://cilogon.org/oauth2/568060ebfe8ef7fa5cbb45aabeec6b09?type=accessToken&ts=1648214282790&version=v2.0&lifetime=10800000"
}
Thus the sub "[log in to unmask]" should be authorized to write a file to /fermilab/users/arossi.
The xrootd server is configured to use:
ofs.authorize
ofs.authlib libXrdAccSciTokens.so config=/opt/xrootd/scitokens.cfg
sec.protocol ztn -maxsz 4k
acc.audit deny
acc.authdb /opt/xrootd/Authfile
The scitokens configuration file, /opt/xrootd/scitokens.cfg:
[Global]
audience=https://wlcg.cern.ch/jwt/v1/any
[Issuer FERMILAB]
issuer=https://cilogon.org/fermilab
base_path=/fermilab
default_user=dcache
map_subject=False
name_mapfile=/opt/xrootd/scitokens-map.json
The scitokens name mapfile, /opt/xrootd/scitokens-map.json, has the path relative to the base path; if I give it the full path from the base instead, the result is the same:
[
{"sub": "[log in to unmask]", "path": "/users/arossi", "result": "arossi"}
]
The Authfile also gives permissions to arossi on that directory:
u dcache // a / a
u arossi // a /fermilab/users/arossi a
I also added
u [log in to unmask] // a /fermilab/users/arossi a
to no effect.
Sanity check on the actual filesystem:
[arossi@fndcatemp1 ~]$ ls -l /fermilab/
total 4
drwxr-xr-x 3 dcache dcache 4096 Mar 25 10:12 users
[arossi@fndcatemp1 ~]$ ls -l /fermilab/users/
total 4
drwxr-xr-x 2 arossi ods 4096 Mar 25 10:12 arossi
When I try:
[arossi@fndcatemp1 ~]$ xrdcp5x data/data_1b xroots://fndcatemp1.fnal.gov:1094//fermilab/users/arossi/data-`suffix`?authz=Bearer%20`cat $XDG_RUNTIME_DIR/bt_u8773`
[0B/0B][100%][==================================================][0B/s]
Run: [ERROR] Server responded with an error: [3010] Opening path '/fermilab/users/arossi/data-2022032510271648222044621622690' is disallowed. (destination)
The server log states:
220325 10:27:24 27782 anon.0:22@fndcatemp1 Xrootd_Protocol: 0000 req=protocol dlen=0
220325 10:27:24 27782 anon.0:22@fndcatemp1 Xrootd_Response: 0000 sending 8 data bytes; status=0
220325 10:27:24 27782 anon.0:22@fndcatemp1 TLS_Accept: Accepting a TLS connection...
220325 10:27:24 27782 XrdLinkXeq: anon.0:22@fndcatemp1 connection upgraded to TLSv1.2
220325 10:27:24 27782 anon.0:22@fndcatemp1 TLS_Read: 24 out of 24 bytes.
220325 10:27:24 27782 anon.0:22@fndcatemp1 Xrootd_Protocol: 0000 req=login dlen=105
220325 10:27:24 27782 anon.0:22@fndcatemp1 TLS_Read: 105 out of 105 bytes.
220325 10:27:24 27782 sec_getParms: fndcatemp1.fnal.gov sectoken=&P=ztn,0:4096:
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Response: 0000 sending 30 data bytes; status=0
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 8 out of 8 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 16 out of 16 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 14 out of 14 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Read: 24 out of 24 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Protocol: 0000 req=auth dlen=1079
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Read: 1079 out of 1079 bytes.
sec_PM: Using ztn protocol, args='0:4096:'
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Response: 0000 sending OK
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 8 out of 8 bytes.
arossi.4418:22@fndcatemp1 Protocol 'ztn'
arossi.4418:22@fndcatemp1 Name [log in to unmask]
arossi.4418:22@fndcatemp1 Host 'fndcatemp1.fnal.gov'
arossi.4418:22@fndcatemp1 Vorg ''
arossi.4418:22@fndcatemp1 Role ''
arossi.4418:22@fndcatemp1 Grps ''
arossi.4418:22@fndcatemp1 Caps ''
arossi.4418:22@fndcatemp1 Pidn 'arossi.4418:22@fndcatemp1'
arossi.4418:22@fndcatemp1 Crlen 1066
arossi.4418:22@fndcatemp1 ueid 2
arossi.4418:22@fndcatemp1 uid 0
arossi.4418:22@fndcatemp1 gid 0
220325 10:27:24 27782 XrootdXeq: arossi.4418:22@fndcatemp1 pub IPv4 TLSv1.2 login as [log in to unmask]
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Read: 24 out of 24 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Protocol: 0100 req=stat dlen=59
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Read: 59 out of 59 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Response: 0100 sending err 3010: Stating path '/fermilab/users/arossi/data-2022032510271648222044621622690' is disallowed.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 8 out of 8 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 4 out of 4 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 90 out of 90 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Read: 24 out of 24 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Protocol: 0100 req=open dlen=1153
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Read: 1153 out of 1153 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Protocol: 0100 open unmt /fermilab/users/arossi/data-2022032510271648222044621622690?authz=Bearer%20eyJ0eXAiOiJKV1QiLCJraWQiOiJCODYzNDk1MUZEMUUzMTVEQUY3NUM5NEFFQ0YwMzY2OCIsImFsZyI6IlJTMjU2In0.eyJ3bGNnLnZlciI6IjEuMCIsImF1ZCI6Imh0dHBzOi8vd2xjZy5jZXJuLmNoL2p3dC92MS9hbnkiLCJzdWIiOiJhcm9zc2lAZm5hbC5nb3YiLCJuYmYiOjE2NDgyMTQyNzcsInNjb3BlIjoic3RvcmFnZS5jcmVhdGU6L2Zlcm1pbGFiL3VzZXJzL2Fyb3NzaSBjb21wdXRlLmNyZWF0ZSBjb21wdXRlLnJlYWQgY29tcHV0ZS5jYW5jZWwgY29tcHV0ZS5tb2RpZnkgc3RvcmFnZS5yZWFkOi9mZXJtaWxhYi91c2Vycy9hcm9zc2kiLCJpc3MiOiJodHRwczovL2NpbG9nb24ub3JnL2Zlcm1pbGFiIiwiZXhwIjoxNjQ4MjI1MDgyLCJpYXQiOjE2NDgyMTQyODIsIndsY2cuZ3JvdXBzIjpbIi9mZXJtaWxhYiJdLCJqdGkiOiJodHRwczovL2NpbG9nb24ub3JnL29hdXRoMi81NjgwNjBlYmZlOGVmN2ZhNWNiYjQ1YWFiZWVjNmIwOT90eXBlPWFjY2Vzc1Rva2VuJnRzPTE2NDgyMTQyODI3OTAmdmVyc2lvbj12Mi4wJmxpZmV0aW1lPTEwODAwMDAwIn0.OK7FKVea6ZyZAgBf5nYHaIYUiASEyZVO3QeRKcnNMIWJj7kp-dcI4vVB-quVYe8PX_ED7MY1yczARGRHibVpnVllShiUT0avr5sj1hBqFreWbXZDJz2_pGpSiYtaQ-KRAXXhuK89ry86YC7P0bYeAflKq-8xeVWokJUvvq5BKdN0EbqmgR_we9jIWdn7_vv8R-AVIQNeDhtvIc9pUGjCzXH1IR0nFw89OVMcQ7a7ZkBUU2uzDJ-VbSbDMD7L11jxUYb0TnK4hIZgwLfGRkoEU7LJF3jGjKwu-JoUSauechvkQCsvKGDuGJNp38-Bay4Bnygd8JGjsJZtgoXTrCaz3g&oss.asize=1
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 Xrootd_Response: 0100 sending err 3010: Opening path '/fermilab/users/arossi/data-2022032510271648222044621622690' is disallowed.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 8 out of 8 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 4 out of 4 bytes.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Write: 90 out of 90 bytes.
220325 10:27:24 27782 XrdTLS: arossi.4418:22@fndcatemp1 TLS error rc=0 ec=6 (zero_return) errno=0.
220325 10:27:24 27782 arossi.4418:22@fndcatemp1 TLS_Shutdown: Doing fast shutdown.
220325 10:27:24 27782 XrootdXeq: arossi.4418:22@fndcatemp1 disc 0:00:00
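Added example, not part of the post above and not XRootD's or the XrdSciTokens plugin's own code: a small offline checker that reproduces the kind of decision the scitokens authorization library makes for the token and scitokens.cfg shown above, so the token can be checked against the requested path before involving the server. It assumes the rule documented in the XrdSciTokens README that the path in each storage.* scope is taken relative to the issuer's base_path (authorized prefix = base_path + scope path); the subject address, the ISSUER_CFG dict and the function names are the example's own, and the token payload is the one from the post, decoded without any signature verification (inspection only).

```python
import base64
import json
import posixpath
import time

# Constructed sample: the token payload from the post (the subject is masked in
# the list archive, so a placeholder address is used) and the [Issuer FERMILAB]
# settings from scitokens.cfg. Nothing here is verified cryptographically.
TOKEN_PAYLOAD = {
    "wlcg.ver": "1.0",
    "aud": "https://wlcg.cern.ch/jwt/v1/any",
    "sub": "arossi@placeholder.example",  # placeholder for the masked subject
    "nbf": 1648214277,
    "scope": ("storage.create:/fermilab/users/arossi compute.create compute.read "
              "compute.cancel compute.modify storage.read:/fermilab/users/arossi"),
    "iss": "https://cilogon.org/fermilab",
    "exp": 1648225082,
    "iat": 1648214282,
    "wlcg.groups": ["/fermilab"],
}
ISSUER_CFG = {  # from scitokens.cfg: [Global] audience and [Issuer FERMILAB]
    "issuer": "https://cilogon.org/fermilab",
    "audience": "https://wlcg.cern.ch/jwt/v1/any",
    "base_path": "/fermilab",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unsigned_token(payload: dict) -> str:
    """Build a compact JWT with an EMPTY signature (alg=none); local tests only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return "%s.%s." % (header, _b64url(json.dumps(payload).encode()))

def decode_payload(jwt: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying the signature.
    Inspection only (like httokendecode); never authorize on this alone."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(seg))

def parse_scopes(scope: str) -> list:
    """'storage.read:/a compute.read' -> [('storage.read', '/a'), ('compute.read', '/')]."""
    out = []
    for item in scope.split():
        action, _, path = item.partition(":")
        out.append((action, path or "/"))
    return out

def is_under(prefix: str, path: str) -> bool:
    """True if path equals prefix or lies below it (whole path segments only)."""
    prefix = "/" + prefix.strip("/")
    if prefix == "/":
        return path.startswith("/")
    return path == prefix or path.startswith(prefix + "/")

def granted_prefixes(payload: dict, base_path: str, action: str) -> list:
    """Filesystem prefixes the token grants for `action`.
    Assumption (XrdSciTokens README): scope paths are relative to base_path."""
    prefixes = []
    for act, rel in parse_scopes(payload.get("scope", "")):
        if act == action:
            prefixes.append(posixpath.normpath(base_path.rstrip("/") + "/" + rel.lstrip("/")))
    return prefixes

def check(payload: dict, cfg: dict, action: str, path: str, now=None):
    """Return (allowed, reason) for `action` on `path` under issuer config `cfg`."""
    now = time.time() if now is None else now
    if payload.get("iss") != cfg["issuer"]:
        return False, "issuer %r does not match configured issuer" % payload.get("iss")
    aud = payload.get("aud")
    if cfg["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience %r not accepted" % aud
    if "nbf" in payload and now < payload["nbf"]:
        return False, "token not yet valid"
    if "exp" in payload and now >= payload["exp"]:
        return False, "token expired"
    norm = posixpath.normpath(path)  # collapse '..' so traversal cannot escape a prefix
    if not is_under(cfg["base_path"], norm):
        return False, "%s is outside issuer base_path %s" % (norm, cfg["base_path"])
    prefixes = granted_prefixes(payload, cfg["base_path"], action)
    for pre in prefixes:
        if is_under(pre, norm):
            return True, "%s allowed by prefix %s" % (action, pre)
    return False, "no %s scope covers %s (granted prefixes: %s)" % (action, norm, prefixes)

if __name__ == "__main__":
    target = "/fermilab/users/arossi/data-2022032510271648222044621622690"
    print(check(TOKEN_PAYLOAD, ISSUER_CFG, "storage.create", target, now=TOKEN_PAYLOAD["iat"]))
    print(decode_payload(unsigned_token(TOKEN_PAYLOAD))["scope"])
```

Run against the path from the failing xrdcp, the checker reports which prefixes the token actually grants under the base_path-relative rule, which is the first thing to compare with the path the server logged as disallowed; the audience, issuer and exp/nbf checks cover the other common reasons a structurally valid token is rejected.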