As a test, if I remove `ofs.authorize` from my origin's config, then the ztn credentials are proxied via sss (but useless). If I turn on `ofs.authorize` on the origin, then the sss Crlen is 0: credentials are not proxied. There seems to be some interaction between sss and the authorization framework that I do not understand, but it makes me think that my sss config is not the root of the problem.

Here is a pair of logs showing what I think is sss proxying the credentials from the proxy to the origin:

Origin log, without `ofs.authorize`:

```
Copr.  2004-2012 Stanford University, xrd version v5.5.1
++++++ xrootd [log in to unmask] initialization started.
Config using configuration file /etc/xrootd/xrootd-dtn-gluex.cfg
=====> xrd.tls /etc/grid-security/xrd/hostcert.pem /etc/grid-security/xrd/hostkey.pem
=====> xrd.tlsca certdir /etc/grid-security/certificates
=====> all.adminpath /var/spool/xrootd
=====> all.pidpath /var/run/xrootd
++++++ xrootd [log in to unmask] TLS initialization started.
------ xrootd [log in to unmask] TLS initialization ended.
Config maximum number of connections restricted to 65536
Copr.  2012 Stanford University, xroot protocol 5.1.0 version v5.5.1
++++++ xroot protocol initialization started.
=====> all.export /
=====> xrootd.seclib default
=====> xrootd.trace all
Config exporting /
221222 08:40:09 3967494 Xrootd_Protocol: Loading security library default
Plugin loaded secprot v5.5.1 from seclib libXrdSec-5.so
++++++ Authentication system initialization started.
Plugin loaded secztn v5.5.1 from sec.protocol libXrdSecztn-5.so
=====> sec.protocol ztn
Plugin loaded secsss v5.5.1 from sec.protocol libXrdSecsss-5.so
=====> sec.protocol sss -k -s /etc/xrootd/p3.keytab -c /etc/xrootd/p3.keytab --getcreds --proxy ztn
=====> sec.trace debug
Config 3 authentication directives processed in /etc/xrootd/xrootd-dtn-gluex.cfg
221222 08:40:09 3967494 sec_ProtBind_Complete: Default sectoken built: '&P=ztn,0:4096:&P=sss,0.+013:/etc/xrootd/p3.keytab'
------ Authentication system initialization completed.
++++++ Protection system initialization started.
Config warning: Security level is set to none; request protection disabled!
Config Local  protection level: none
Config Remote protection level: none
------ Protection system initialization completed.
Config Authentication protocol(s) ztn require TLS; login now requires TLS.
Config Routing for dtn2201.jlab.org: local pub4 prv4
Config Route all4: dtn2201.jlab.org Dest=[::192.70.245.29]:1094
++++++ File system initialization started.
=====> ofs.osslib libXrdPss.so
=====> ofs.ckslib * libXrdPss.so
=====> ofs.authlib ++ libXrdAccSciTokens.so
=====> ofs.trace -all
Copr.  2019, Stanford University, Pss Version v5.5.1
=====> all.export /
=====> pss.origin sciwork1802.jlab.org:1094
=====> pss.persona client
=====> pss.trace all debug

Plugin loaded XrdAccSciTokens v5.5.1 from authlib libXrdAccSciTokens-5.so
++++++ XrdAccSciTokens: Initialized SciTokens-based authorization.
=====> scitokens.trace all debug
221222 08:40:10 3967494 scitokens_Config: Logging levels enabled - all
221222 08:40:10 3967494 scitokens_Reconfig: Parsing configuration file: /etc/xrootd/scitokens.cfg
221222 08:40:10 3967494 scitokens_Reconfig: Configuring issuer https://cilogon.org/jlab
221222 08:40:10 3967494 scitokens_Reconfig: Successfully parsed SciTokens mapfile: /etc/xrootd/scitokens-map.json
Plugin loaded PssCks v5.5.1 from ckslib libXrdPss-5.so
Config POSC has been disabled by the osslib plugin.
Config effective /etc/xrootd/xrootd-dtn-gluex.cfg ofs configuration:
       all.role server
       ofs.authorize
       ofs.maxdelay   60
       ofs.persist    off hold 600
       ofs.trace      0
       ofs.authlib default
       ofs.authlib ++ libXrdAccSciTokens.so
       ofs.ckslib libXrdPss.so
       ofs.osslib libXrdPss-5.so
------ File system server initialization completed.
Config sendfile has been disabled by file system plugin.
------ xroot protocol initialization completed.
------ xrootd [log in to unmask]:1094 initialization completed.
221222 08:40:36 3967503 anon.0:32@cobia Xrootd_Protocol: 0000 req=protocol dlen=0
221222 08:40:36 3967503 anon.0:32@cobia Xrootd_Response: 0000 sending 8 data bytes; status=0
221222 08:40:36 3967503 XrdLinkXeq: anon.0:32@cobia connection upgraded to TLSv1.3
221222 08:40:36 3967503 anon.0:32@cobia Xrootd_Protocol: 0000 req=login dlen=89
221222 08:40:36 3967503 sec_getParms: cobia.jlab.org sectoken=&P=ztn,0:4096:&P=sss,0.+013:/etc/xrootd/p3.keytab
221222 08:40:36 3967503 bhess.423487:32@cobia Xrootd_Response: 0000 sending 65 data bytes; status=0
221222 08:40:36 3967503 bhess.423487:32@cobia Xrootd_Protocol: 0000 req=auth dlen=999
sec_PM: Using ztn protocol, args='0:4096:'
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Response: 0000 sending OK
bhess.423487:32@cobia Protocol 'ztn'
bhess.423487:32@cobia Name 'http://cilogon.org/serverA/users/6772316'
bhess.423487:32@cobia Host 'cobia.jlab.org'
bhess.423487:32@cobia Vorg ''
bhess.423487:32@cobia Role ''
bhess.423487:32@cobia Grps ''
bhess.423487:32@cobia Caps ''
bhess.423487:32@cobia Pidn 'bhess.423487:32@cobia'
bhess.423487:32@cobia Mon  ''
bhess.423487:32@cobia Crlen 986
bhess.423487:32@cobia ueid  1
bhess.423487:32@cobia uid   0
bhess.423487:32@cobia gid   0
221222 08:40:37 3967503 XrootdXeq: bhess.423487:32@cobia pub IPv4 TLSv1.3 login as http://cilogon.org/serverA/users/6772316
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Protocol: 0100 req=stat dlen=12
U1.3967494:25@dtn2201 Pidn 'bhess.423487:32@cobia'
U1.3967494:25@dtn2201 Crlen 986
U1.3967494:25@dtn2201 ueid  2
U1.3967494:25@dtn2201 uid   0
U1.3967494:25@dtn2201 gid   0
U1.3967494:25@dtn2201Attr  xrd.appname = 'xrdcp'
U1.3967494:25@dtn2201Attr   = ''
221222 08:40:37 13500 XrootdXeq: U1.3967494:25@dtn2201 pub IP46 TLSv1.2 login as http://cilogon.org/serverA/users/6772316 via ztn auth for bhess.423487:32@cobia
221222 08:40:37 13500 multiuser_UserSentry: XRootD mapped request to username that does not exist: http://cilogon.org/serverA/users/6772316
221222 08:40:37 13500 U1.3967494:25@dtn2201 Xrootd_Protocol: 0100 req=open dlen=25
221222 08:40:37 13500 U1.3967494:25@dtn2201 Xrootd_Protocol: 0100 open udmt /gluex/test5?oss.asize=18
221222 08:40:37 13500 U1.3967494:25@dtn2201 ofs_open: 200-40644 fn=/gluex/test5
221222 08:40:37 13500 multiuser_UserSentry: XRootD mapped request to username that does not exist: http://cilogon.org/serverA/users/6772316
221222 08:40:37 13500 ofs_open: U1.3967494:25@dtn2201 Unable to create /gluex/test5; permission denied
221222 08:40:37 13500 U1.3967494:25@dtn2201 Xrootd_Response: 0100 sending err 3010: Unable to create /gluex/test5; permission denied
221222 08:40:37 13500 U1.3967494:25@dtn2201 ofs_close: use=0 fn=dummy
221222 08:40:37 13500 XrdTLS: U1.3967494:25@dtn2201 TLS error rc=0 ec=6 (zero_return) errno=0.
221222 08:40:37 13500 XrootdXeq: U1.3967494:25@dtn2201 disc 0:00:00
221222 08:40:37 13500 multiuser_UserSentry: XRootD mapped request to username that does not exist: http://cilogon.org/serverA/users/6772316
221222 08:40:40 13501 p0.3967494:23@dtn2201 Xrootd_Protocol: 0100 request timeout; read 0 of 24 bytes
```

The log from the proxy:

```
Copr.  2004-2012 Stanford University, xrd version v5.5.1
++++++ xrootd [log in to unmask] initialization started.
Config using configuration file /etc/xrootd/xrootd-dtn-gluex.cfg
=====> xrd.tls /etc/grid-security/xrd/hostcert.pem /etc/grid-security/xrd/hostkey.pem
=====> xrd.tlsca certdir /etc/grid-security/certificates
=====> all.adminpath /var/spool/xrootd
=====> all.pidpath /var/run/xrootd
++++++ xrootd [log in to unmask] TLS initialization started.
------ xrootd [log in to unmask] TLS initialization ended.
Config maximum number of connections restricted to 65536
Copr.  2012 Stanford University, xroot protocol 5.1.0 version v5.5.1
++++++ xroot protocol initialization started.
=====> all.export /
=====> xrootd.seclib default
=====> xrootd.trace all
Config exporting /
221222 08:40:09 3967494 Xrootd_Protocol: Loading security library default
Plugin loaded secprot v5.5.1 from seclib libXrdSec-5.so
++++++ Authentication system initialization started.
Plugin loaded secztn v5.5.1 from sec.protocol libXrdSecztn-5.so
=====> sec.protocol ztn
Plugin loaded secsss v5.5.1 from sec.protocol libXrdSecsss-5.so
=====> sec.protocol sss -k -s /etc/xrootd/p3.keytab -c /etc/xrootd/p3.keytab --getcreds --proxy ztn
=====> sec.trace debug
Config 3 authentication directives processed in /etc/xrootd/xrootd-dtn-gluex.cfg
221222 08:40:09 3967494 sec_ProtBind_Complete: Default sectoken built: '&P=ztn,0:4096:&P=sss,0.+013:/etc/xrootd/p3.keytab'
------ Authentication system initialization completed.
++++++ Protection system initialization started.
Config warning: Security level is set to none; request protection disabled!
Config Local  protection level: none
Config Remote protection level: none
------ Protection system initialization completed.
Config Authentication protocol(s) ztn require TLS; login now requires TLS.
Config Routing for dtn2201.jlab.org: local pub4 prv4
Config Route all4: dtn2201.jlab.org Dest=[::192.70.245.29]:1094
++++++ File system initialization started.
=====> ofs.osslib libXrdPss.so
=====> ofs.ckslib * libXrdPss.so
=====> ofs.authlib ++ libXrdAccSciTokens.so
=====> ofs.trace -all
Copr.  2019, Stanford University, Pss Version v5.5.1
=====> all.export /
=====> pss.origin sciwork1802.jlab.org:1094
=====> pss.persona client
=====> pss.trace all debug

Plugin loaded XrdAccSciTokens v5.5.1 from authlib libXrdAccSciTokens-5.so
++++++ XrdAccSciTokens: Initialized SciTokens-based authorization.
=====> scitokens.trace all debug
221222 08:40:10 3967494 scitokens_Config: Logging levels enabled - all
221222 08:40:10 3967494 scitokens_Reconfig: Parsing configuration file: /etc/xrootd/scitokens.cfg
221222 08:40:10 3967494 scitokens_Reconfig: Configuring issuer https://cilogon.org/jlab
221222 08:40:10 3967494 scitokens_Reconfig: Successfully parsed SciTokens mapfile: /etc/xrootd/scitokens-map.json
Plugin loaded PssCks v5.5.1 from ckslib libXrdPss-5.so
Config POSC has been disabled by the osslib plugin.
Config effective /etc/xrootd/xrootd-dtn-gluex.cfg ofs configuration:
       all.role server
       ofs.authorize
       ofs.maxdelay   60
       ofs.persist    off hold 600
       ofs.trace      0
       ofs.authlib default
       ofs.authlib ++ libXrdAccSciTokens.so
       ofs.ckslib libXrdPss.so
       ofs.osslib libXrdPss-5.so
------ File system server initialization completed.
Config sendfile has been disabled by file system plugin.
------ xroot protocol initialization completed.
------ xrootd [log in to unmask]:1094 initialization completed.
221222 08:40:36 3967503 anon.0:32@cobia Xrootd_Protocol: 0000 req=protocol dlen=0
221222 08:40:36 3967503 anon.0:32@cobia Xrootd_Response: 0000 sending 8 data bytes; status=0
221222 08:40:36 3967503 XrdLinkXeq: anon.0:32@cobia connection upgraded to TLSv1.3
221222 08:40:36 3967503 anon.0:32@cobia Xrootd_Protocol: 0000 req=login dlen=89
221222 08:40:36 3967503 sec_getParms: cobia.jlab.org sectoken=&P=ztn,0:4096:&P=sss,0.+013:/etc/xrootd/p3.keytab
221222 08:40:36 3967503 bhess.423487:32@cobia Xrootd_Response: 0000 sending 65 data bytes; status=0
221222 08:40:36 3967503 bhess.423487:32@cobia Xrootd_Protocol: 0000 req=auth dlen=999
sec_PM: Using ztn protocol, args='0:4096:'
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Response: 0000 sending OK
bhess.423487:32@cobia Protocol 'ztn'
bhess.423487:32@cobia Name 'http://cilogon.org/serverA/users/6772316'
bhess.423487:32@cobia Host 'cobia.jlab.org'
bhess.423487:32@cobia Vorg ''
bhess.423487:32@cobia Role ''
bhess.423487:32@cobia Grps ''
bhess.423487:32@cobia Caps ''
bhess.423487:32@cobia Pidn 'bhess.423487:32@cobia'
bhess.423487:32@cobia Mon  ''
bhess.423487:32@cobia Crlen 986
bhess.423487:32@cobia ueid  1
bhess.423487:32@cobia uid   0
bhess.423487:32@cobia gid   0
221222 08:40:37 3967503 XrootdXeq: bhess.423487:32@cobia pub IPv4 TLSv1.3 login as http://cilogon.org/serverA/users/6772316
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Protocol: 0100 req=stat dlen=12
U1.3967494:25@dtn2201 Pidn 'bhess.423487:32@cobia'
U1.3967494:25@dtn2201 Crlen 986
221222 08:40:37 3967503 scitokens_Access: New valid token mapped_username=, subject=http://cilogon.org/serverA/users/6772316, issuer=https://cilogon.org/jlab, authorizations=/gluex:read,dir,stat,create,mkdir,mv,insert,update,chmod,del
221222 08:40:37 3967503 scitokens_Access: Grant authorization based on scopes for operation=stat, path=/gluex/test5
221222 08:40:37 3967503 scitokens_Access: Request username bhess
221222 08:40:37 3967503 ofs_stat: bhess.423487:32@cobia Unable to locate /gluex/test5; no such file or directory
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Protocol: 0100 rc=-1 stat /gluex/test5
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Response: 0100 sending err 3011: Unable to locate /gluex/test5; no such file or directory
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Protocol: 0100 req=open dlen=25
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Protocol: 0100 open udmat /gluex/test5?oss.asize=18
221222 08:40:37 3967503 scitokens_Access: Trying token-based access control
221222 08:40:37 3967503 scitokens_Access: Cached token mapped_username=, subject=http://cilogon.org/serverA/users/6772316, issuer=https://cilogon.org/jlab, authorizations=/gluex:read,dir,stat,create,mkdir,mv,insert,update,chmod,del
221222 08:40:37 3967503 scitokens_Access: Grant authorization based on scopes for operation=create, path=/gluex/test5
221222 08:40:37 3967503 scitokens_Access: Request username bhess
221222 08:40:37 3967503 Posix_Open: [ERROR] Error response: permission denied open root:[log in to unmask]:1094//gluex/test5?oss.asize=18
221222 08:40:37 3967503 ofs_open: bhess.423487:32@cobia Unable to open /gluex/test5; permission denied
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Response: 0100 sending err 3010: Unable to open /gluex/test5; permission denied
[2022-12-22 08:40:37.142265 -0500][Error  ][TlsMsg            ] [bhess.423487:32@cobia] TLS error rc=0 ec=6 (zero_return) errno=0.
221222 08:40:37 3967503 XrootdXeq: bhess.423487:32@cobia disc 0:00:01
[2022-12-22 08:40:37.142364 -0500][Error  ][PostMaster        ] [[log in to unmask]:1094] Forcing error on disconnect: [ERROR] Operation interrupted.
```

This sss key:

```
     Number Len Date/Time Created Expires  Keyname User & Group
     ------ --- --------- ------- -------- -------
          1  32 12/21/22 17:16:34 -------- p3 allusers usrgroup
```



-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1851#issuecomment-1362867905
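The diagnostic the message above relies on (comparing the `Pidn` and `Crlen` fields of the client session on the proxy with those of the sss session that carries that identity to the origin) can be automated over `sec.trace debug` output. The following is an added example, not code from the message, the GitHub issue, or the XRootD project. It parses the attribute and `XrootdXeq ... login as` lines in the format shown in the logs above; the sample input is constructed from those lines, and the extra `U2.3967494:26@dtn2201` session with `Crlen 0` is made up to show the failing case the message describes. It assumes (an assumption, not something the logs state) that a session whose `Pidn` names a different session id is one whose identity was forwarded by sss, and that a forwarded credential should have the same `Crlen` as the client session it came from.

```python
import re
from collections import defaultdict

# Constructed sample: attribute lines and login lines in the shape of the
# sec.trace debug output quoted in the message. The U2 session is invented
# to show a forwarded login that arrived with no credential (Crlen 0).
SAMPLE_LOG = """\
bhess.423487:32@cobia Protocol 'ztn'
bhess.423487:32@cobia Name 'http://cilogon.org/serverA/users/6772316'
bhess.423487:32@cobia Host 'cobia.jlab.org'
bhess.423487:32@cobia Pidn 'bhess.423487:32@cobia'
bhess.423487:32@cobia Crlen 986
221222 08:40:37 3967503 XrootdXeq: bhess.423487:32@cobia pub IPv4 TLSv1.3 login as http://cilogon.org/serverA/users/6772316
U1.3967494:25@dtn2201 Pidn 'bhess.423487:32@cobia'
U1.3967494:25@dtn2201 Crlen 986
221222 08:40:37 13500 XrootdXeq: U1.3967494:25@dtn2201 pub IP46 TLSv1.2 login as http://cilogon.org/serverA/users/6772316 via ztn auth for bhess.423487:32@cobia
U2.3967494:26@dtn2201 Pidn 'bhess.423487:32@cobia'
U2.3967494:26@dtn2201 Crlen 0
"""

# Session ids look like "user.pid:fd@host"; only the attributes we need are parsed.
SID = r"[\w.]+:\d+@[\w.-]+"
ATTR_RE = re.compile(rf"^(?P<sid>{SID}) (?P<key>Protocol|Name|Host|Pidn|Crlen) +(?P<val>.*)$")
LOGIN_RE = re.compile(
    rf"XrootdXeq: (?P<sid>{SID}) .*? login as (?P<name>\S+)"
    r"(?: via (?P<proto>\w+) auth for (?P<orig>\S+))?"
)


def parse_sec_trace(text):
    """Collect per-session attributes (Pidn, Crlen, ...) and login outcomes."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            val = m.group("val").strip().strip("'")
            if m.group("key") == "Crlen":
                val = int(val)
            sessions[m.group("sid")][m.group("key")] = val
            continue
        m = LOGIN_RE.search(line)
        if m:
            s = sessions[m.group("sid")]
            s["login_as"] = m.group("name")
            if m.group("proto"):
                # "via <proto> auth for <sid>": the origin accepted a forwarded identity
                s["via"] = m.group("proto")
                s["for"] = m.group("orig")
    return dict(sessions)


def check_proxied_creds(sessions):
    """One finding per forwarded session, saying whether the credential came along.

    Assumption: a session whose Pidn is a different session id is one whose
    identity was forwarded by sss; its Crlen should match the client session's.
    """
    findings = []
    for sid, s in sessions.items():
        client_sid = s.get("Pidn")
        if not client_sid or client_sid == sid:
            continue  # a direct client login, nothing was forwarded
        client = sessions.get(client_sid, {})
        crlen = s.get("Crlen", 0)
        if crlen == 0:
            status = "no credential forwarded"
        elif client.get("Crlen") not in (None, crlen):
            status = "credential length differs from client session"
        else:
            status = "credential forwarded"
        findings.append({"session": sid, "client": client_sid, "crlen": crlen,
                         "via": s.get("via"), "status": status})
    return findings


if __name__ == "__main__":
    for f in check_proxied_creds(parse_sec_trace(SAMPLE_LOG)):
        print(f"{f['session']} for {f['client']}: Crlen={f['crlen']} -> {f['status']}")
```

Run it against the concatenated proxy and origin logs to get one line per forwarded session; a `Crlen=0` finding is the symptom described above, while a length mismatch would point at the credential being altered or truncated between the two hops.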