Hi,

I’m new to XRootD and trying to configure XRootD with token access, but I’m hitting a permission denied error.
If there is someone who has experience with this configuration, any help would be appreciated.
My guess is that I did not configure “/etc/xrootd/Authfile” properly.

Thanks in advance,
Dejan

/var/log/xrootd/http/xrootd.log

230207 15:11:41 12921 XrootdBridge: unknown.2:27@localhost login as nobody
230207 15:11:41 12921 scitokens_Access: Trying token-based access control
230207 15:11:41 12921 scitokens_Access: Token not found in recent cache; parsing.
230207 15:11:41 12921 scitokens_Access: New valid token mapped_username=xrootd, subject=2deba9d1-9558-4963-95bc-75e993e3c82e, issuer=https://iam-escape.cloud.cnaf.infn.it/, groups=/escape,/escape/ska
230207 15:11:41 12921 scitokens_Access: Trying token-based access control
230207 15:11:41 12921 scitokens_Access: Cached token mapped_username=xrootd, subject=2deba9d1-9558-4963-95bc-75e993e3c82e, issuer=https://iam-escape.cloud.cnaf.infn.it/, groups=/escape,/escape/ska
230207 15:11:41 12921 ofs_open: unknown.2:27@localhost Unable to create /data/testfile-token-2.repo; permission denied
230207 15:11:41 12921 XrootdXeq: unknown.2:27@localhost disc 0:00:00 (send failure)
[centos@xrootd ~]$

/etc/xrootd/xrootd-http.cfg

[centos@xrootd ~]$ sudo cat /etc/xrootd/xrootd-http.cfg
# The export directive indicates which paths are to be exported. While the
all.export /data

# The adminpath and pidpath variables indicate where the pid and various
all.adminpath /var/spool/xrootd
all.pidpath /run/xrootd

# Load the http protocol, indicate that it should be served on port 80.
xrd.protocol XrdHttp:80 libXrdHttp.so

# Config TLS
xrd.tls /etc/grid-security/xrd/xrdcert.pem /etc/grid-security/xrd/xrdkey.pem
xrd.tlsca certdir /etc/grid-security/certificates refresh 8h
xrootd.tls capable all -data

# Dejan tokens part ######################################################
ofs.authorize
ofs.authlib libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
acc.authdb /etc/xrootd/Authfile

# Pass the bearer token to the Xrootd authorization framework.
http.header2cgi Authorization authz

# Only for debugging (comment out after setup is done)
scitokens.trace all
ofs.trace -all

continue /etc/xrootd/config.d/
[centos@xrootd ~]$

/etc/xrootd/scitokens.cfg

[centos@xrootd ~]$ sudo cat /etc/xrootd/scitokens.cfg
[Issuer ESCAPE IAM]
issuer = https://iam-escape.cloud.cnaf.infn.it/
base_path = /data
map_subject = false
default_user = xrootd
[centos@xrootd ~]$

/etc/xrootd/Authfile

[centos@xrootd ~]$ sudo cat /etc/xrootd/Authfile
= xrootd o: https://iam-escape.cloud.cnaf.infn.it/ g: /escape/ska

# Grant 'xrootd' access to all directories below '/data/'
u xrootd /data a
[centos@xrootd ~]$

--
CHALMERS
Dejan Vitlacil
Senior forskningsingenjör | Senior Research Engineer
Institutionen för fysik | Department of Physics
e-Commons
+46(0)76-064 18 45 (mobile)
Chalmers tekniska högskola | Chalmers University of Technology
Fysik Origo, O6146
Kemigården 1
SE-412 96 Göteborg, Sweden
www.chalmers.se <http://www.chalmers.se/>
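
Added example, not part of the original post and not XRootD project code: a small triage script for the log format shown above. It pairs each "permission denied" line with the token identity last logged under the same numeric third field (12921 above), so the mapped username, groups and the refused operation can be read side by side. The function name, regular expressions and record layout are assumptions of this example; the sample lines are copied from the post.

```python
import re

# Sample input: log lines copied from the post above (embedded so this runs offline).
SAMPLE_LOG = """\
230207 15:11:41 12921 XrootdBridge: unknown.2:27@localhost login as nobody
230207 15:11:41 12921 scitokens_Access: Trying token-based access control
230207 15:11:41 12921 scitokens_Access: New valid token mapped_username=xrootd, subject=2deba9d1-9558-4963-95bc-75e993e3c82e, issuer=https://iam-escape.cloud.cnaf.infn.it/, groups=/escape,/escape/ska
230207 15:11:41 12921 ofs_open: unknown.2:27@localhost Unable to create /data/testfile-token-2.repo; permission denied
230207 15:11:41 12921 XrootdXeq: unknown.2:27@localhost disc 0:00:00 (send failure)
"""

# date, time, numeric id, component, message
LINE = re.compile(r"^(\d{6}) (\d{2}:\d{2}:\d{2}) (\d+) (\w+): (.*)$")
TOKEN = re.compile(r"(?:New valid|Cached) token mapped_username=([^,]*), "
                   r"subject=([^,]*), issuer=([^,]*), groups=(.*)$")
DENIED = re.compile(r"^(\S+) Unable to (\w+) (\S+); permission denied$")


def triage(log_text):
    """Return one record per denial, with the token identity last seen on that id."""
    last_token = {}   # numeric id -> most recent token mapping logged under it
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip shell prompts, blank lines and wrapped fragments
        _date, _time, tid, component, msg = m.groups()
        if component == "scitokens_Access":
            t = TOKEN.search(msg)
            if t:
                user, subject, issuer, groups = t.groups()
                last_token[tid] = {"mapped_username": user, "subject": subject,
                                   "issuer": issuer, "groups": groups.split(",")}
        elif component.startswith("ofs_"):
            d = DENIED.match(msg)
            if d:
                client, operation, path = d.groups()
                findings.append({"client": client, "operation": operation,
                                 "path": path, "token": last_token.get(tid)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A record whose "token" field is populated shows that token validation and username mapping had already succeeded when the operation was refused; a record with "token" set to None means no token line was logged under that id before the denial.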