Hi,

I may be mistaken (but in case I am, surely someone on the list will correct me), but I think the missing magic piece is that you need:
  ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
instead of:
  ofs.authlib libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg

The explanation should be that the SciTokens plugin itself does not authorize in your case (it would be able to if the token had explicit path permissions embedded), but the authdb then does authorize the mapped user.
So you are using the SciTokens library "only" to enrich the auth information with the information taken from the token, and stack it on top of the authdb which then grants the actual access,
so the "++" is needed for stacking.

In principle, you'd also require:
  [Global]
  onmissing = passthrough
in scitokens.cfg, but that is the default anyways ;-).

Cheers and hope that helps,
    Oliver

On 07.02.23 at 17:16, Dejan Vitlacil wrote:
> Hi,
> 
> I’m new to XRootD and trying to configure XRootD with token access.
> But I’m hitting permission denied error. If there is someone who has experience with this configuration, any help would be appreciated.
> My guess is that I did not configure “/etc/xrootd/Authfile” properly.
> 
> Thanks in advance,
> Dejan
> 
> 
>   * /var/log/xrootd/http/xrootd.log
> 
>     230207 15:11:41 12921 XrootdBridge: unknown.2:27@localhost login as nobody
>     230207 15:11:41 12921 scitokens_Access: Trying token-based access control
>     230207 15:11:41 12921 scitokens_Access: Token not found in recent cache; parsing.
>     230207 15:11:41 12921 scitokens_Access: New valid token mapped_username=xrootd, subject=2deba9d1-9558-4963-95bc-75e993e3c82e, issuer=https://iam-escape.cloud.cnaf.infn.it/, groups=/escape,/escape/ska
>     230207 15:11:41 12921 scitokens_Access: Trying token-based access control
>     230207 15:11:41 12921 scitokens_Access: Cached token mapped_username=xrootd, subject=2deba9d1-9558-4963-95bc-75e993e3c82e, issuer=https://iam-escape.cloud.cnaf.infn.it/, groups=/escape,/escape/ska
>     230207 15:11:41 12921 ofs_open: unknown.2:27@localhost Unable to create /data/testfile-token-2.repo; permission denied
>     230207 15:11:41 12921 XrootdXeq: unknown.2:27@localhost disc 0:00:00 (send failure)
> 
>   * /etc/xrootd/xrootd-http.cfg
> 
>     [centos@xrootd ~]$ sudo cat /etc/xrootd/xrootd-http.cfg
>     # The export directive indicates which paths are to be exported. While the
>     all.export /data
>     # The adminpath and pidpath variables indicate where the pid and various
>     all.adminpath /var/spool/xrootd
>     all.pidpath /run/xrootd
>     # Load the http protocol, indicate that it should be served on port 80.
>     xrd.protocol XrdHttp:80 libXrdHttp.so
>     # Config TLS
>     xrd.tls /etc/grid-security/xrd/xrdcert.pem /etc/grid-security/xrd/xrdkey.pem
>     xrd.tlsca certdir /etc/grid-security/certificates refresh 8h
>     xrootd.tls capable all -data
>     # Dejan tokens part ######################################################
>     ofs.authorize
>     ofs.authlib libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
>     acc.authdb /etc/xrootd/Authfile
>     # Pass the bearer token to the Xrootd authorization framework.
>     http.header2cgi Authorization authz
>     # Only for debugging (comment out after setup is done)
>     scitokens.trace all
>     ofs.trace -all
>     continue /etc/xrootd/config.d/
> 
>   * /etc/xrootd/scitokens.cfg
> 
>     [centos@xrootd ~]$ sudo cat /etc/xrootd/scitokens.cfg
>     [Issuer ESCAPE IAM]
>     issuer = https://iam-escape.cloud.cnaf.infn.it/
>     base_path = /data
>     map_subject = false
>     default_user = xrootd
> 
>   * /etc/xrootd/Authfile
> 
>     [centos@xrootd ~]$ sudo cat /etc/xrootd/Authfile
>     = xrootd o: https://iam-escape.cloud.cnaf.infn.it/ g: /escape/ska
>     # Grant 'xrootd' access to all directories below '/data/'
>     u xrootd /data a
> 
> 
> 
> —
> *CHALMERS*
> 
> *Dejan Vitlacil*
> Senior forskningsingenjör | Senior Research Engineer
> Institutionen för fysik | Department of Physics
>   e-Commons
> +46(0)76-064 18 45 (mobile)
> 
> Chalmers tekniska högskola | Chalmers University of Technology
> Fysik Origo, O6146
> Kemigården 1
> SE-412 96 Göteborg, Sweden
> www.chalmers.se <http://www.chalmers.se>

-- 
Oliver Freyermuth
Universität Bonn
Physikalisches Institut, Raum 1.047
Nußallee 12
53115 Bonn
--
Tel.: +49 228 73 2367
Fax:  +49 228 73 7869
--
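As an added example (not from Oliver's post and not XRootD's own code), a small Python check that flags the misconfiguration discussed above: an `ofs.authlib` line loading libXrdAccSciTokens.so without `++` while `acc.authdb` is also configured, so the mapped user never reaches the authdb. The function name `lint_authlib_stacking` and the embedded config text are constructed here, the latter from the directives quoted in the thread.

```python
"""Check an XRootD config for a SciTokens authlib that is not stacked on the authdb."""
from typing import List, Tuple

SCITOKENS_LIB = "libXrdAccSciTokens.so"


def parse_auth_directives(config_text: str) -> Tuple[List[Tuple[bool, str]], str]:
    """Return ([(stacked, library), ...] in file order, authdb path or '')."""
    authlibs: List[Tuple[bool, str]] = []
    authdb = ""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "ofs.authlib" and len(parts) > 1:
            stacked = parts[1] == "++"          # '++' pushes the lib on top of the previous one
            lib = parts[2] if stacked and len(parts) > 2 else ("" if stacked else parts[1])
            authlibs.append((stacked, lib))
        elif parts[0] == "acc.authdb" and len(parts) > 1:
            authdb = parts[1]
    return authlibs, authdb


def lint_authlib_stacking(config_text: str) -> List[str]:
    """Return findings; an empty list means the SciTokens/authdb combination looks consistent."""
    authlibs, authdb = parse_auth_directives(config_text)
    findings = []
    for stacked, lib in authlibs:
        # Without '++' the SciTokens plugin replaces the authdb instead of enriching it,
        # so a token without embedded path permissions ends in 'permission denied'.
        if lib.endswith(SCITOKENS_LIB) and authdb and not stacked:
            findings.append(
                f"ofs.authlib {lib} replaces the authdb plugin; use "
                f"'ofs.authlib ++ {lib} ...' so acc.authdb {authdb} authorizes the mapped user"
            )
    return findings


# Constructed sample, taken from the token section of the config quoted in the thread.
BROKEN_CFG = """\
ofs.authorize
ofs.authlib libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
acc.authdb /etc/xrootd/Authfile
http.header2cgi Authorization authz
"""
FIXED_CFG = BROKEN_CFG.replace("ofs.authlib ", "ofs.authlib ++ ", 1)

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(name, lint_authlib_stacking(cfg) or "ok")
```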


########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1