Hi Fabio,

Thanks for reaching out!

This is the command I'm using:

[centos@xrootd ~]$ curl -v -X PUT --upload-file test.repo -H "Authorization: Bearer $AT" --cacert fullchain.pem https://xrootd.e-commons.chalmers.se:80/data/testfile-token_new.repo

If I comment out "ofs.authorize" - there are no problems in uploading a file:

#############################################################################
[centos@xrootd ~]$ curl -v -X PUT --upload-file test.repo -H "Authorization: Bearer $AT" --cacert fullchain.pem https://xrootd.e-commons.chalmers.se:80/data/testfile-token_NOauthz.repo
* We are completely uploaded and fine
* Closing connection 0
:-)
[centos@xrootd ~]$ ls -lh /data
total 16K
drwxr-xr-x. 2 xrootd xrootd   6 Feb  6 14:13 escape
-rw-r--r--. 1 xrootd xrootd  77 Jan 25 13:21 four.txt
-rw-r--r--. 1 xrootd xrootd 168 Feb  6 15:22 testfile-token.repo
-rw-r--r--. 1 xrootd xrootd 168 Feb  8 13:17 testfile-token_NOauthz.repo
-rw-r--r--. 1 xrootd xrootd 168 Feb  2 14:18 testfile.repo
[centos@xrootd ~]$
##############################################################################

I also added more tracing as you suggested.

Cheers,
Dejan

###############################################################################
[centos@xrootd ~]$ curl -v -X PUT --upload-file test.repo -H "Authorization: Bearer $AT" --cacert fullchain.pem https://xrootd.e-commons.chalmers.se:80/data/testfile-token_new.repo
* About to connect() to xrootd.e-commons.chalmers.se port 80 (#0)
*   Trying ::1...
* Connected to xrootd.e-commons.chalmers.se (::1) port 80 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: fullchain.pem
  CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=xrootd.e-commons.chalmers.se
*       start date: Jan 30 14:29:24 2023 GMT
*       expire date: Apr 30 14:29:23 2023 GMT
*       common name: xrootd.e-commons.chalmers.se
*       issuer: CN=R3,O=Let's Encrypt,C=US
> PUT /data/testfile-token_new.repo HTTP/1.1
> User-Agent: curl/7.29.0
> Host: xrootd.e-commons.chalmers.se
> Accept: */*
> Authorization: Bearer eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.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.L2DKM95W1ovF3QOIPrYR5ifGkyXlDgW2FwiKoSFm2XXAXVdzqrK36gQBCTu2hqoXaP9-6eU_a6Un0jXaY4Gi457HPUk4mDy8Mm0ZctaWAzOZnMyIIbvv0VKmEfFUDq_gBLMr1Lq2PbIuvHbhGhi58dyNlj4pdI8Ped19Q4fNXzg
> Content-Length: 168
> Expect: 100-continue
>
< HTTP/1.1 403 Forbidden
< Connection: Keep-Alive
< Server: XrootD/v5.5.1
< Content-Length: 66
* HTTP error before end of send, stop sending
<
Unable to create /data/testfile-token_new.repo; permission denied
* Closing connection 0
[centos@xrootd ~]$
#######################################################################

[centos@xrootd ~]$ sudo cat /etc/xrootd/scitokens.cfg
[Global]
onmissing = passthrough
# don't use https://wlcg.cern.ch/jwt/v1/any on production instances
# audience = https://xrd.example.com:1094, https://wlcg.cern.ch/jwt/v1/any

[Issuer ESCAPE IAM]
issuer = https://iam-escape.cloud.cnaf.infn.it/
base_path = /data
map_subject = false
default_user = xrootd
[centos@xrootd ~]$
########################################################################

230208 13:32:12 22541 Starting on Linux 3.10.0-1160.81.1.el7.x86_64
230208 13:32:12 22541 /usr/bin/xrootd -l /var/log/xrootd/xrootd.log -c /etc/xrootd/xrootd-http.cfg -k fifo -s /run/xrootd/xrootd-http.pid -n http
Copr.  2004-2012 Stanford University, xrd version v5.5.1
Config warning: this hostname, localhost, is registered without a domain qualification.
++++++ xrootd http@localhost initialization started.
Config using configuration file /etc/xrootd/xrootd-http.cfg
=====> all.adminpath /var/spool/xrootd
=====> all.pidpath /run/xrootd
=====> xrd.protocol XrdHttp:80 libXrdHttp.so
=====> xrd.tls /etc/grid-security/xrd/xrdcert.pem /etc/grid-security/xrd/xrdkey.pem
=====> xrd.tlsca certdir /etc/grid-security/certificates refresh 8h
=====> xrd.trace all -sched
=====> continue /etc/xrootd/config.d/
++++++ xrootd http@localhost TLS initialization started.
------ xrootd http@localhost TLS initialization ended.
Config maximum number of connections restricted to 65536
Config maximum number of threads restricted to 7149
230208 13:32:12 22541 Xrd_Config: sendfile enabled.
230208 13:32:12 22541 Xrd_LinkCtl: Allocating 64 link objects at a time
230208 13:32:12 22541 Xrd_Poll: Starting poller 0
230208 13:32:12 22541 Xrd_Poll: Starting poller 1
230208 13:32:12 22541 Xrd_Poll: Starting poller 2
230208 13:32:12 22541 Xrd_ProtLoad: protocol xroot wants to use port 1094
Plugin loaded xrdhttp v5.5.1 from protocol libXrdHttp-5.so
230208 13:32:12 22541 Xrd_ProtLoad: protocol XrdHttp wants to use port 80
230208 13:32:12 22541 Xrd_Config: xroot:1094 wsz=87380
230208 13:32:12 22541 Xrd_ProtLoad: getting protocol object xroot
Copr. 2012 Stanford University, xroot protocol 5.1.0 version v5.5.1
++++++ xroot protocol initialization started.
=====> all.export /data
=====> xrootd.tls capable all -data
=====> xrootd.seclib libXrdSec.so
=====> continue /etc/xrootd/config.d/
Config exporting /data
Plugin loaded secprot v5.5.1 from seclib libXrdSec-5.so
++++++ Authentication system initialization started.
Plugin loaded secztn v5.5.1 from sec.protocol libXrdSecztn-5.so
=====> sec.protocol ztn
=====> continue /etc/xrootd/config.d/
Config 1 authentication directives processed in /etc/xrootd/xrootd-http.cfg
------ Authentication system initialization completed.
++++++ Protection system initialization started.
Config warning: Security level is set to none; request protection disabled!
Config Local protection level: none
Config Remote protection level: none
------ Protection system initialization completed.
Config Routing for [::1]: local pub4 prv4 pub6 prv6
Config Route all4: 127.0.0.1 Dest=[::127.0.0.1]:1094
Config Route all6: [::1] Dest=[::1]:1094
++++++ File system initialization started.
=====> ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
=====> ofs.trace all
=====> continue /etc/xrootd/config.d/
++++++ Storage system initialization started.
=====> all.export /data
=====> continue /etc/xrootd/config.d/
Config effective /etc/xrootd/xrootd-http.cfg oss configuration:
       oss.alloc 0 0 0
       oss.spacescan 600
       oss.fdlimit 32768 65536
       oss.maxsize 0
       oss.trace 0
       oss.xfr 1 deny 10800 keep 1200
       oss.memfile off max 963475456
       oss.defaults r/w nocheck nodread nomig nopurge norcreate nostage
       oss.path /data r/w nocheck nodread nomig nopurge norcreate nostage
------ Storage system initialization completed.
++++++ Authorization system initialization started.
230208 13:32:12 22541 acc_Config: Authorization system using configuration in /etc/xrootd/xrootd-http.cfg
=====> acc.authdb /etc/xrootd/Authfile
=====> continue /etc/xrootd/config.d/
Config 1 authorization directives processed in /etc/xrootd/xrootd-http.cfg
Config 1 auth entries processed in /etc/xrootd/Authfile
------ Authorization system initialization completed.
Plugin loaded XrdAccSciTokens v5.5.1 from authlib libXrdAccSciTokens-5.so
++++++ XrdAccSciTokens: Initialized SciTokens-based authorization.
=====> scitokens.trace all
=====> continue /etc/xrootd/config.d/
230208 13:32:12 22541 scitokens_Config: Logging levels enabled - all
230208 13:32:12 22541 scitokens_Reconfig: Parsing configuration file: /etc/xrootd/scitokens.cfg
230208 13:32:12 22541 scitokens_Reconfig: Configuring issuer https://iam-escape.cloud.cnaf.infn.it/
++++++ Checkpoint initialization started.
++++++ Checkpoint initialization completed.
Config effective /etc/xrootd/xrootd-http.cfg ofs configuration:
       all.role server
       ofs.authorize
       ofs.maxdelay 60
       ofs.persist manual hold 600 logdir /var/spool/xrootd/http/.ofs/posc.log
       ofs.trace ffff
       ofs.authlib default
       ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
------ File system server initialization completed.
Config asynchronous I/O has been disabled!
230208 13:32:12 22541 ofs_FAttr: FAttr req=info
------ xroot protocol initialization completed.
230208 13:32:12 22541 Xrd_ProtLoad: enabling port 1094 for protocol xroot
230208 13:32:12 22541 Xrd_Config: XrdHttp:80 wsz=87380
230208 13:32:12 22541 Xrd_ProtLoad: getting protocol object XrdHttp
Copr. 2012 CERN IT, an HTTP implementation for the XRootD framework.
++++++ HTTP protocol initialization started.
=====> http.header2cgi Authorization authz
=====> continue /etc/xrootd/config.d/
Config Using xrd.tls to supply 'cert' and 'key'.
Config Using xrd.tlsca to supply 'cadir'.
++++++ HTTPS initialization started.
------ HTTPS initialization completed.
230208 13:32:12 22541 sysConfig: XRDROLE: server
230208 13:32:12 22541 sysConfig: Configured as HTTP(s) data server.
------ HTTP protocol initialization completed.
230208 13:32:12 22541 Xrd_ProtLoad: enabling port 80 for protocol XrdHttp
------ xrootd http@localhost:80 initialization completed.
230208 13:32:12 22558 TLS_Refresh: CRL refresh started.
230208 13:32:12 22558 TLS_Refresh: CRL refresh will happen in 28800 seconds.
230208 13:32:12 22550 TLS_Refresh: CRL refresh started.
230208 13:32:12 22550 TLS_Refresh: CRL refresh will happen in 28800 seconds.
230208 13:32:32 22546 Xrd_Inet: Accepted connection on port 80 from 25@localhost
230208 13:32:32 22546 Xrd_ProtLoad: matched port 80 protocol XrdHttp
230208 13:32:32 22546 anon.0:25@localhost Xrd_Poll: FD 25 attached to poller 0; num=1
230208 13:32:32 22546 XrootdBridge: unknown.1:25@localhost login as nobody
230208 13:32:32 22546 unknown.1:25@localhost ofs_open: 200-40664 fn=/data/testfile-token_WITHauthz.repo
230208 13:32:32 22546 scitokens_Access: Trying token-based access control
230208 13:32:32 22546 scitokens_Access: Token not found in recent cache; parsing.
230208 13:32:32 22546 scitokens_Access: New valid token mapped_username=xrootd, subject=2deba9d1-9558-4963-95bc-75e993e3c82e, issuer=https://iam-escape.cloud.cnaf.infn.it/, groups=/escape,/escape/ska
230208 13:32:32 22546 scitokens_Access: Trying token-based access control
230208 13:32:32 22546 scitokens_Access: Cached token mapped_username=xrootd, subject=2deba9d1-9558-4963-95bc-75e993e3c82e, issuer=https://iam-escape.cloud.cnaf.infn.it/, groups=/escape,/escape/ska
230208 13:32:32 22546 ofs_open: unknown.1:25@localhost Unable to create /data/testfile-token_WITHauthz.repo; permission denied
230208 13:32:32 22546 unknown.1:25@localhost ofs_close: use=0 fn=dummy
230208 13:32:32 22546 XrootdXeq: unknown.1:25@localhost disc 0:00:00 (send failure)
230208 13:32:32 22546 unknown.1:25@localhost Xrd_Poll: Poller 0 removing FD 25
230208 13:32:32 22546 unknown.1:25@localhost Xrd_Poll: FD 25 detached from poller 0; num=0
[centos@xrootd ~]$

> On 8 Feb 2023, at 12:42, Fabio Andrijauskas <[log in to unmask]> wrote:
>
> Hi,
>
> Can you send how you are requesting/creating the files?
>
> Try to add this to get all the possible logs:
>
> pfc.trace all
> ofs.trace all
> xrd.trace all -sched
> pss.setopt DebugLevel 5
> scitokens.trace all
>
> Did you try to create the path on the export path?
>
> Can you send your sci token config file?
>
>
>
> On Wed, Feb 8, 2023 at 2:25 AM Dejan Vitlacil <[log in to unmask]> wrote:
>> Hi Matt,
>>
>> I ran out of ideas, so all suggestions are appreciated.
>> I think unix bits are in place.
>>
>> Cheers,
>> Dejan
>>
>> ……
>> [centos@xrootd ~]$ ls -lh / |grep data
>> drwxr-xr-x. 3 xrootd xrootd 84 Feb 6 15:22 data
>> [centos@xrootd ~]$ ls -lh /data
>> total 12K
>> drwxr-xr-x. 2 xrootd xrootd   6 Feb  6 14:13 escape
>> -rw-r--r--. 1 xrootd xrootd  77 Jan 25 13:21 four.txt
>> -rw-r--r--. 1 xrootd xrootd 168 Feb  6 15:22 testfile-token.repo
>> -rw-r--r--. 1 xrootd xrootd 168 Feb  2 14:18 testfile.repo
>> [centos@xrootd ~]$
>>
>>
>> > On 8 Feb 2023, at 11:05, Doidge, Matt <[log in to unmask]> wrote:
>> >
>> > Hello,
>> > This is a bit of a low-level suggestion, but can the xrootd unix user write to /data? I had similar looking issues with a test xrootd server and a known working config where I had forgotten to chown the exported path.
>> >
>> > My apologies for the noise if you've already checked this.
>> >
>> > Cheers,
>> > Matt
>> >
>> > ________________________________________
>> > From: [log in to unmask] <[log in to unmask]> on behalf of Dejan Vitlacil <[log in to unmask]>
>> > Sent: 08 February 2023 09:24
>> > To: Oliver Freyermuth
>> > Cc: [log in to unmask]
>> > Subject: [External] Re: XRootD and tokens
>> >
>> > This email originated outside the University. Check before clicking links or attachments.
>>
>>
>> ########################################################################
>> Use REPLY-ALL to reply to list
>>
>> To unsubscribe from the XROOTD-L list, click the following link:
>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>
> --
> --
> Fábio Andrijauskas
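The upload succeeds with ofs.authorize commented out and fails under it, and in the trace the scitokens_Access lines immediately precede the "permission denied", so the verdict is made in the token authorization layer. The following is an added illustration, not code from this thread or from XRootD: it models how an issuer entry with base_path (values taken from the quoted scitokens.cfg) and the WLCG storage.* scopes carried in a token combine into an allow/deny decision for an HTTP verb on a path. The scope values and the sample token are constructed, and the matching rule is a simplified model written here, not the XrdAccSciTokens plugin's own logic.

```python
import base64
import json

# Values taken from the scitokens.cfg quoted in the thread
ISSUER = "https://iam-escape.cloud.cnaf.infn.it/"
BASE_PATH = "/data"

# WLCG storage scopes that permit each HTTP verb (simplified model written for
# this illustration, not the XrdAccSciTokens source)
VERB_SCOPES = {
    "GET": {"storage.read"},
    "PUT": {"storage.create", "storage.modify"},
}

def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def _under(path, prefix):
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def authorize(claims, verb, request_path):
    """Return (allowed, reason) for an HTTP verb on an absolute server path."""
    if claims.get("iss") != ISSUER:
        return False, "issuer not configured"
    if not _under(request_path, BASE_PATH):
        return False, "path outside base_path"
    # Scope paths are relative to base_path: storage.create:/escape -> /data/escape
    rel = request_path[len(BASE_PATH.rstrip("/")):] or "/"
    for scope in claims.get("scope", "").split():
        name, _, scope_path = scope.partition(":")
        if name in VERB_SCOPES[verb] and _under(rel, scope_path or "/"):
            return True, f"granted by {scope}"
    return False, f"no {'/'.join(sorted(VERB_SCOPES[verb]))} scope covers {rel}"

def make_token(claims):
    """Constructed, unsigned JWT for the demo (header and signature are dummies)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none"})
    return f"{header}.{enc(claims)}.dummysig"

# Constructed sample: read anywhere under /data, but create only below /data/escape
SAMPLE = make_token({"iss": ISSUER, "sub": "constructed-subject",
                     "scope": "storage.read:/ storage.create:/escape"})
```

With this sample, a PUT to /data/testfile-token_new.repo is refused while a PUT below /data/escape is granted, which is the kind of scope/path mismatch worth ruling out when the token is reported valid but the create is still denied.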