
Hi,

I’m new to XRootD and trying to configure XRootD with token access.
But I’m hitting a permission denied error. If there is someone who has experience with this configuration, any help would be appreciated.
My guess is that I did not configure “/etc/xrootd/Authfile” properly. 

Thanks in advance,
Dejan


230207 15:11:41 12921 XrootdBridge: unknown.2:27@localhost login as nobody
230207 15:11:41 12921 scitokens_Access: Trying token-based access control
230207 15:11:41 12921 scitokens_Access: Token not found in recent cache; parsing.
230207 15:11:41 12921 scitokens_Access: New valid token mapped_username=xrootd, subject=2deba9d1-9558-4963-95bc-75e993e3c82e, issuer=https://iam-escape.cloud.cnaf.infn.it/, groups=/escape,/escape/ska
230207 15:11:41 12921 scitokens_Access: Trying token-based access control
230207 15:11:41 12921 scitokens_Access: Cached token mapped_username=xrootd, subject=2deba9d1-9558-4963-95bc-75e993e3c82e, issuer=https://iam-escape.cloud.cnaf.infn.it/, groups=/escape,/escape/ska
230207 15:11:41 12921 ofs_open: unknown.2:27@localhost Unable to create /data/testfile-token-2.repo; permission denied
230207 15:11:41 12921 XrootdXeq: unknown.2:27@localhost disc 0:00:00 (send failure)
[centos@xrootd ~]$

[centos@xrootd ~]$ sudo cat /etc/xrootd/xrootd-http.cfg
# The export directive indicates which paths are to be exported. While the
all.export /data
# The adminpath and pidpath variables indicate where the pid and various
all.adminpath /var/spool/xrootd
all.pidpath /run/xrootd
# Load the http protocol, indicate that it should be served on port 80.
xrd.protocol XrdHttp:80 libXrdHttp.so
# Config TLS
xrd.tls /etc/grid-security/xrd/xrdcert.pem /etc/grid-security/xrd/xrdkey.pem
xrd.tlsca certdir /etc/grid-security/certificates refresh 8h
xrootd.tls capable all -data
# Dejan tokens part ######################################################
ofs.authorize
ofs.authlib libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
acc.authdb /etc/xrootd/Authfile
# Pass the bearer token to the Xrootd authorization framework.
http.header2cgi Authorization authz
# Only for debugging (comment out after setup is done)
scitokens.trace all
ofs.trace -all
continue /etc/xrootd/config.d/
[centos@xrootd ~]$

[centos@xrootd ~]$ sudo cat /etc/xrootd/scitokens.cfg
[Issuer ESCAPE IAM]
issuer = https://iam-escape.cloud.cnaf.infn.it/
base_path = /data
map_subject = false
default_user = xrootd
[centos@xrootd ~]$

[centos@xrootd ~]$ sudo cat /etc/xrootd/Authfile
= xrootd o: https://iam-escape.cloud.cnaf.infn.it/ g: /escape/ska
# Grant 'xrootd' access to all directories below '/data/'
u xrootd /data a
[centos@xrootd ~]$


— 
CHALMERS

Dejan Vitlacil
Senior forskningsingenjör | Senior Research Engineer 
Institutionen för fysik | Department of Physics
 e-Commons   
+46(0)76-064 18 45 (mobile) 

Chalmers tekniska högskola | Chalmers University of Technology 
Fysik Origo, O6146
Kemigården 1 
SE-412 96 Göteborg, Sweden








