As a test, if I remove `ofs.authorize` from my origin's config, then the ztn credentials are proxied via sss (but useless). If I turn on `ofs.authorize` on the origin, then the sss Crlen is 0 -- credentials are not proxied. There seems to be some interaction between sss and the authorization framework that I do not understand, but it makes me think that my sss config is not the root of the problem. Here is a pair of logs showing what I think is sss proxying the credentials from the proxy to the origin:

Origin log, without `ofs.authorize`:

```
Copr. 2004-2012 Stanford University, xrd version v5.5.1
++++++ xrootd [log in to unmask] initialization started.
Config using configuration file /etc/xrootd/xrootd-dtn-gluex.cfg
=====> xrd.tls /etc/grid-security/xrd/hostcert.pem /etc/grid-security/xrd/hostkey.pem
=====> xrd.tlsca certdir /etc/grid-security/certificates
=====> all.adminpath /var/spool/xrootd
=====> all.pidpath /var/run/xrootd
++++++ xrootd [log in to unmask] TLS initialization started.
------ xrootd [log in to unmask] TLS initialization ended.
Config maximum number of connections restricted to 65536
Copr. 2012 Stanford University, xroot protocol 5.1.0 version v5.5.1
++++++ xroot protocol initialization started.
=====> all.export /
=====> xrootd.seclib default
=====> xrootd.trace all
Config exporting /
221222 08:40:09 3967494 Xrootd_Protocol: Loading security library default
Plugin loaded secprot v5.5.1 from seclib libXrdSec-5.so
++++++ Authentication system initialization started.
Plugin loaded secztn v5.5.1 from sec.protocol libXrdSecztn-5.so
=====> sec.protocol ztn
Plugin loaded secsss v5.5.1 from sec.protocol libXrdSecsss-5.so
=====> sec.protocol sss -k -s /etc/xrootd/p3.keytab -c /etc/xrootd/p3.keytab --getcreds --proxy ztn
=====> sec.trace debug
Config 3 authentication directives processed in /etc/xrootd/xrootd-dtn-gluex.cfg
221222 08:40:09 3967494 sec_ProtBind_Complete: Default sectoken built: '&P=ztn,0:4096:&P=sss,0.+013:/etc/xrootd/p3.keytab'
------ Authentication system initialization completed.
++++++ Protection system initialization started.
Config warning: Security level is set to none; request protection disabled!
Config Local protection level: none
Config Remote protection level: none
------ Protection system initialization completed.
Config Authentication protocol(s) ztn require TLS; login now requires TLS.
Config Routing for dtn2201.jlab.org: local pub4 prv4
Config Route all4: dtn2201.jlab.org Dest=[::192.70.245.29]:1094
++++++ File system initialization started.
=====> ofs.osslib libXrdPss.so
=====> ofs.ckslib * libXrdPss.so
=====> ofs.authlib ++ libXrdAccSciTokens.so
=====> ofs.trace -all
Copr. 2019, Stanford University, Pss Version v5.5.1
=====> all.export /
=====> pss.origin sciwork1802.jlab.org:1094
=====> pss.persona client
=====> pss.trace all debug
Plugin loaded XrdAccSciTokens v5.5.1 from authlib libXrdAccSciTokens-5.so
++++++ XrdAccSciTokens: Initialized SciTokens-based authorization.
=====> scitokens.trace all debug
221222 08:40:10 3967494 scitokens_Config: Logging levels enabled - all
221222 08:40:10 3967494 scitokens_Reconfig: Parsing configuration file: /etc/xrootd/scitokens.cfg
221222 08:40:10 3967494 scitokens_Reconfig: Configuring issuer https://cilogon.org/jlab
221222 08:40:10 3967494 scitokens_Reconfig: Successfully parsed SciTokens mapfile: /etc/xrootd/scitokens-map.json
Plugin loaded PssCks v5.5.1 from ckslib libXrdPss-5.so
Config POSC has been disabled by the osslib plugin.
Config effective /etc/xrootd/xrootd-dtn-gluex.cfg ofs configuration:
       all.role server
       ofs.authorize
       ofs.maxdelay 60
       ofs.persist off hold 600
       ofs.trace 0
       ofs.authlib default
       ofs.authlib ++ libXrdAccSciTokens.so
       ofs.ckslib libXrdPss.so
       ofs.osslib libXrdPss-5.so
------ File system server initialization completed.
Config sendfile has been disabled by file system plugin.
------ xroot protocol initialization completed.
------ xrootd [log in to unmask]:1094 initialization completed.
221222 08:40:36 3967503 anon.0:32@cobia Xrootd_Protocol: 0000 req=protocol dlen=0
221222 08:40:36 3967503 anon.0:32@cobia Xrootd_Response: 0000 sending 8 data bytes; status=0
221222 08:40:36 3967503 XrdLinkXeq: anon.0:32@cobia connection upgraded to TLSv1.3
221222 08:40:36 3967503 anon.0:32@cobia Xrootd_Protocol: 0000 req=login dlen=89
221222 08:40:36 3967503 sec_getParms: cobia.jlab.org sectoken=&P=ztn,0:4096:&P=sss,0.+013:/etc/xrootd/p3.keytab
221222 08:40:36 3967503 bhess.423487:32@cobia Xrootd_Response: 0000 sending 65 data bytes; status=0
221222 08:40:36 3967503 bhess.423487:32@cobia Xrootd_Protocol: 0000 req=auth dlen=999
sec_PM: Using ztn protocol, args='0:4096:'
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Response: 0000 sending OK
bhess.423487:32@cobia Protocol 'ztn'
bhess.423487:32@cobia Name 'http://cilogon.org/serverA/users/6772316'
bhess.423487:32@cobia Host 'cobia.jlab.org'
bhess.423487:32@cobia Vorg ''
bhess.423487:32@cobia Role ''
bhess.423487:32@cobia Grps ''
bhess.423487:32@cobia Caps ''
bhess.423487:32@cobia Pidn 'bhess.423487:32@cobia'
bhess.423487:32@cobia Mon ''
bhess.423487:32@cobia Crlen 986
bhess.423487:32@cobia ueid 1
bhess.423487:32@cobia uid 0
bhess.423487:32@cobia gid 0
221222 08:40:37 3967503 XrootdXeq: bhess.423487:32@cobia pub IPv4 TLSv1.3 login as http://cilogon.org/serverA/users/6772316
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Protocol: 0100 req=stat dlen=12
U1.3967494:25@dtn2201 Pidn 'bhess.423487:32@cobia'
U1.3967494:25@dtn2201 Crlen 986
U1.3967494:25@dtn2201 ueid 2
U1.3967494:25@dtn2201 uid 0
U1.3967494:25@dtn2201 gid 0
U1.3967494:25@dtn2201Attr xrd.appname = 'xrdcp'
U1.3967494:25@dtn2201Attr = ''
221222 08:40:37 13500 XrootdXeq: U1.3967494:25@dtn2201 pub IP46 TLSv1.2 login as http://cilogon.org/serverA/users/6772316 via ztn auth for bhess.423487:32@cobia
221222 08:40:37 13500 multiuser_UserSentry: XRootD mapped request to username that does not exist: http://cilogon.org/serverA/users/6772316
221222 08:40:37 13500 U1.3967494:25@dtn2201 Xrootd_Protocol: 0100 req=open dlen=25
221222 08:40:37 13500 U1.3967494:25@dtn2201 Xrootd_Protocol: 0100 open udmt /gluex/test5?oss.asize=18
221222 08:40:37 13500 U1.3967494:25@dtn2201 ofs_open: 200-40644 fn=/gluex/test5
221222 08:40:37 13500 multiuser_UserSentry: XRootD mapped request to username that does not exist: http://cilogon.org/serverA/users/6772316
221222 08:40:37 13500 ofs_open: U1.3967494:25@dtn2201 Unable to create /gluex/test5; permission denied
221222 08:40:37 13500 U1.3967494:25@dtn2201 Xrootd_Response: 0100 sending err 3010: Unable to create /gluex/test5; permission denied
221222 08:40:37 13500 U1.3967494:25@dtn2201 ofs_close: use=0 fn=dummy
221222 08:40:37 13500 XrdTLS: U1.3967494:25@dtn2201 TLS error rc=0 ec=6 (zero_return) errno=0.
221222 08:40:37 13500 XrootdXeq: U1.3967494:25@dtn2201 disc 0:00:00
221222 08:40:37 13500 multiuser_UserSentry: XRootD mapped request to username that does not exist: http://cilogon.org/serverA/users/6772316
221222 08:40:40 13501 p0.3967494:23@dtn2201 Xrootd_Protocol: 0100 request timeout; read 0 of 24 bytes
```

The log from the proxy:

```
Copr. 2004-2012 Stanford University, xrd version v5.5.1
++++++ xrootd [log in to unmask] initialization started.
Config using configuration file /etc/xrootd/xrootd-dtn-gluex.cfg
=====> xrd.tls /etc/grid-security/xrd/hostcert.pem /etc/grid-security/xrd/hostkey.pem
=====> xrd.tlsca certdir /etc/grid-security/certificates
=====> all.adminpath /var/spool/xrootd
=====> all.pidpath /var/run/xrootd
++++++ xrootd [log in to unmask] TLS initialization started.
------ xrootd [log in to unmask] TLS initialization ended.
Config maximum number of connections restricted to 65536
Copr. 2012 Stanford University, xroot protocol 5.1.0 version v5.5.1
++++++ xroot protocol initialization started.
=====> all.export /
=====> xrootd.seclib default
=====> xrootd.trace all
Config exporting /
221222 08:40:09 3967494 Xrootd_Protocol: Loading security library default
Plugin loaded secprot v5.5.1 from seclib libXrdSec-5.so
++++++ Authentication system initialization started.
Plugin loaded secztn v5.5.1 from sec.protocol libXrdSecztn-5.so
=====> sec.protocol ztn
Plugin loaded secsss v5.5.1 from sec.protocol libXrdSecsss-5.so
=====> sec.protocol sss -k -s /etc/xrootd/p3.keytab -c /etc/xrootd/p3.keytab --getcreds --proxy ztn
=====> sec.trace debug
Config 3 authentication directives processed in /etc/xrootd/xrootd-dtn-gluex.cfg
221222 08:40:09 3967494 sec_ProtBind_Complete: Default sectoken built: '&P=ztn,0:4096:&P=sss,0.+013:/etc/xrootd/p3.keytab'
------ Authentication system initialization completed.
++++++ Protection system initialization started.
Config warning: Security level is set to none; request protection disabled!
Config Local protection level: none
Config Remote protection level: none
------ Protection system initialization completed.
Config Authentication protocol(s) ztn require TLS; login now requires TLS.
Config Routing for dtn2201.jlab.org: local pub4 prv4
Config Route all4: dtn2201.jlab.org Dest=[::192.70.245.29]:1094
++++++ File system initialization started.
=====> ofs.osslib libXrdPss.so
=====> ofs.ckslib * libXrdPss.so
=====> ofs.authlib ++ libXrdAccSciTokens.so
=====> ofs.trace -all
Copr. 2019, Stanford University, Pss Version v5.5.1
=====> all.export /
=====> pss.origin sciwork1802.jlab.org:1094
=====> pss.persona client
=====> pss.trace all debug
Plugin loaded XrdAccSciTokens v5.5.1 from authlib libXrdAccSciTokens-5.so
++++++ XrdAccSciTokens: Initialized SciTokens-based authorization.
=====> scitokens.trace all debug
221222 08:40:10 3967494 scitokens_Config: Logging levels enabled - all
221222 08:40:10 3967494 scitokens_Reconfig: Parsing configuration file: /etc/xrootd/scitokens.cfg
221222 08:40:10 3967494 scitokens_Reconfig: Configuring issuer https://cilogon.org/jlab
221222 08:40:10 3967494 scitokens_Reconfig: Successfully parsed SciTokens mapfile: /etc/xrootd/scitokens-map.json
Plugin loaded PssCks v5.5.1 from ckslib libXrdPss-5.so
Config POSC has been disabled by the osslib plugin.
Config effective /etc/xrootd/xrootd-dtn-gluex.cfg ofs configuration:
       all.role server
       ofs.authorize
       ofs.maxdelay 60
       ofs.persist off hold 600
       ofs.trace 0
       ofs.authlib default
       ofs.authlib ++ libXrdAccSciTokens.so
       ofs.ckslib libXrdPss.so
       ofs.osslib libXrdPss-5.so
------ File system server initialization completed.
Config sendfile has been disabled by file system plugin.
------ xroot protocol initialization completed.
------ xrootd [log in to unmask]:1094 initialization completed.
221222 08:40:36 3967503 anon.0:32@cobia Xrootd_Protocol: 0000 req=protocol dlen=0
221222 08:40:36 3967503 anon.0:32@cobia Xrootd_Response: 0000 sending 8 data bytes; status=0
221222 08:40:36 3967503 XrdLinkXeq: anon.0:32@cobia connection upgraded to TLSv1.3
221222 08:40:36 3967503 anon.0:32@cobia Xrootd_Protocol: 0000 req=login dlen=89
221222 08:40:36 3967503 sec_getParms: cobia.jlab.org sectoken=&P=ztn,0:4096:&P=sss,0.+013:/etc/xrootd/p3.keytab
221222 08:40:36 3967503 bhess.423487:32@cobia Xrootd_Response: 0000 sending 65 data bytes; status=0
221222 08:40:36 3967503 bhess.423487:32@cobia Xrootd_Protocol: 0000 req=auth dlen=999
sec_PM: Using ztn protocol, args='0:4096:'
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Response: 0000 sending OK
bhess.423487:32@cobia Protocol 'ztn'
bhess.423487:32@cobia Name 'http://cilogon.org/serverA/users/6772316'
bhess.423487:32@cobia Host 'cobia.jlab.org'
bhess.423487:32@cobia Vorg ''
bhess.423487:32@cobia Role ''
bhess.423487:32@cobia Grps ''
bhess.423487:32@cobia Caps ''
bhess.423487:32@cobia Pidn 'bhess.423487:32@cobia'
bhess.423487:32@cobia Mon ''
bhess.423487:32@cobia Crlen 986
bhess.423487:32@cobia ueid 1
bhess.423487:32@cobia uid 0
bhess.423487:32@cobia gid 0
221222 08:40:37 3967503 XrootdXeq: bhess.423487:32@cobia pub IPv4 TLSv1.3 login as http://cilogon.org/serverA/users/6772316
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Protocol: 0100 req=stat dlen=12
U1.3967494:25@dtn2201 Pidn 'bhess.423487:32@cobia'
U1.3967494:25@dtn2201 Crlen 986
221222 08:40:37 3967503 scitokens_Access: New valid token mapped_username=, subject=http://cilogon.org/serverA/users/6772316, issuer=https://cilogon.org/jlab, authorizations=/gluex:read,dir,stat,create,mkdir,mv,insert,update,chmod,del
221222 08:40:37 3967503 scitokens_Access: Grant authorization based on scopes for operation=stat, path=/gluex/test5
221222 08:40:37 3967503 scitokens_Access: Request username bhess
221222 08:40:37 3967503 ofs_stat: bhess.423487:32@cobia Unable to locate /gluex/test5; no such file or directory
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Protocol: 0100 rc=-1 stat /gluex/test5
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Response: 0100 sending err 3011: Unable to locate /gluex/test5; no such file or directory
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Protocol: 0100 req=open dlen=25
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Protocol: 0100 open udmat /gluex/test5?oss.asize=18
221222 08:40:37 3967503 scitokens_Access: Trying token-based access control
221222 08:40:37 3967503 scitokens_Access: Cached token mapped_username=, subject=http://cilogon.org/serverA/users/6772316, issuer=https://cilogon.org/jlab, authorizations=/gluex:read,dir,stat,create,mkdir,mv,insert,update,chmod,del
221222 08:40:37 3967503 scitokens_Access: Grant authorization based on scopes for operation=create, path=/gluex/test5
221222 08:40:37 3967503 scitokens_Access: Request username bhess
221222 08:40:37 3967503 Posix_Open: [ERROR] Error response: permission denied open root:[log in to unmask]:1094//gluex/test5?oss.asize=18
221222 08:40:37 3967503 ofs_open: bhess.423487:32@cobia Unable to open /gluex/test5; permission denied
221222 08:40:37 3967503 bhess.423487:32@cobia Xrootd_Response: 0100 sending err 3010: Unable to open /gluex/test5; permission denied
[2022-12-22 08:40:37.142265 -0500][Error ][TlsMsg ] [bhess.423487:32@cobia] TLS error rc=0 ec=6 (zero_return) errno=0.
221222 08:40:37 3967503 XrootdXeq: bhess.423487:32@cobia disc 0:00:01
[2022-12-22 08:40:37.142364 -0500][Error ][PostMaster ] [[log in to unmask]:1094] Forcing error on disconnect: [ERROR] Operation interrupted.
```

This sss key:

```
Number Len Date/Time Created Expires  Keyname User & Group
------ --- ----------------- -------- ------- ------------
     1  32 12/21/22 17:16:34 -------- p3      allusers usrgroup
```

-- Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1851#issuecomment-1362867905
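A quick way to confirm from the origin side whether a proxied credential actually arrived is to pull the Crlen, Pidn and "login as ... via ztn auth for ..." lines out of the log and pair them per link. The scanner below is an added example for this thread, not XRootD code or the poster's tooling; it assumes the line layouts seen in the logs above and runs on a constructed excerpt of them.

```python
import re
from collections import defaultdict

# Constructed excerpt, condensed from the origin log quoted in the post
# (the run without ofs.authorize); the real log is far longer.
SAMPLE_ORIGIN_LOG = """\
bhess.423487:32@cobia Protocol 'ztn'
bhess.423487:32@cobia Name 'http://cilogon.org/serverA/users/6772316'
bhess.423487:32@cobia Pidn 'bhess.423487:32@cobia'
bhess.423487:32@cobia Crlen 986
U1.3967494:25@dtn2201 Pidn 'bhess.423487:32@cobia'
U1.3967494:25@dtn2201 Crlen 986
221222 08:40:37 13500 XrootdXeq: U1.3967494:25@dtn2201 pub IP46 TLSv1.2 login as http://cilogon.org/serverA/users/6772316 via ztn auth for bhess.423487:32@cobia
221222 08:40:37 13500 multiuser_UserSentry: XRootD mapped request to username that does not exist: http://cilogon.org/serverA/users/6772316
"""

# Identity dump lines start with the link id (e.g. U1.3967494:25@dtn2201),
# which keys one session; Crlen is the byte length of the credential carried.
FIELD_RE = re.compile(r"^(\S+@\S+) (Protocol|Name|Pidn|Crlen) '?([^']*?)'?$")
LOGIN_RE = re.compile(r"XrootdXeq: (\S+@\S+) .* login as (\S+)(?: via (\S+) auth for (\S+))?")
UNMAPPED_RE = re.compile(r"mapped request to username that does not exist: (\S+)")

def parse_sessions(log_text):
    """Return ({link: fields}, [identities the multiuser plugin could not map])."""
    sessions = defaultdict(dict)
    unmapped = []
    for line in log_text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            link, field, value = m.groups()
            sessions[link][field] = int(value) if field == "Crlen" else value
            continue
        m = LOGIN_RE.search(line)
        if m:
            link, name, via, origin_link = m.groups()
            sessions[link].update(login_as=name, via=via, auth_for=origin_link)
            continue
        m = UNMAPPED_RE.search(line)
        if m:
            unmapped.append(m.group(1))
    return dict(sessions), unmapped

def forwarded_credentials(sessions):
    """Sessions that logged in on behalf of another link (the sss --proxy path),
    with whether a credential actually arrived: Crlen 0 means nothing was proxied."""
    return {link: {"auth_for": s["auth_for"], "via": s["via"],
                   "crlen": s.get("Crlen", 0), "credential_present": s.get("Crlen", 0) > 0}
            for link, s in sessions.items() if s.get("auth_for")}
```

Running it over the `ofs.authorize` run as well gives a direct side-by-side of `crlen` for the same proxied link, which is the comparison the post describes.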