Hi Oliver,

Thanks for the tips and explanation!

I went one step ahead but I still get permission denied. 
Here is a full log, maybe you can spot something funky. 

Cheers,
Dejan


########################################################
230208 09:21:57 21429 Starting on Linux 3.10.0-1160.81.1.el7.x86_64
230208 09:21:57 21429 /usr/bin/xrootd -l /var/log/xrootd/xrootd.log -c /etc/xrootd/xrootd-http.cfg -k fifo -s /run/xrootd/xrootd-http.pid -n http
Copr.  2004-2012 Stanford University, xrd version v5.5.1
Config warning: this hostname, localhost, is registered without a domain qualification.
++++++ xrootd http@localhost initialization started.
Config using configuration file /etc/xrootd/xrootd-http.cfg
=====> all.adminpath /var/spool/xrootd
=====> all.pidpath /run/xrootd
=====> xrd.protocol XrdHttp:80 libXrdHttp.so 
=====> xrd.tls /etc/grid-security/xrd/xrdcert.pem /etc/grid-security/xrd/xrdkey.pem
=====> xrd.tlsca certdir /etc/grid-security/certificates refresh 8h
=====> continue /etc/xrootd/config.d/
++++++ xrootd http@localhost TLS initialization started.
------ xrootd http@localhost TLS initialization ended.
Config maximum number of connections restricted to 65536
Config maximum number of threads restricted to 7149
Plugin loaded xrdhttp v5.5.1 from protocol libXrdHttp-5.so
Copr.  2012 Stanford University, xroot protocol 5.1.0 version v5.5.1
++++++ xroot protocol initialization started.
=====> all.export /data
=====> xrootd.tls capable all -data
=====> xrootd.seclib libXrdSec.so
=====> continue /etc/xrootd/config.d/
Config exporting /data
Plugin loaded secprot v5.5.1 from seclib libXrdSec-5.so
++++++ Authentication system initialization started.
Plugin loaded secztn v5.5.1 from sec.protocol libXrdSecztn-5.so
=====> sec.protocol ztn
=====> continue /etc/xrootd/config.d/
Config 1 authentication directives processed in /etc/xrootd/xrootd-http.cfg
------ Authentication system initialization completed.
++++++ Protection system initialization started.
Config warning: Security level is set to none; request protection disabled!
Config Local  protection level: none
Config Remote protection level: none
------ Protection system initialization completed.
Config Routing for [::1]: local pub4 prv4 pub6 prv6
Config Route all4: 127.0.0.1 Dest=[::127.0.0.1]:1094
Config Route all6: [::1] Dest=[::1]:1094
++++++ File system initialization started.
=====> ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg 
=====> ofs.trace -all
=====> continue /etc/xrootd/config.d/
++++++ Storage system initialization started.
=====> all.export /data
=====> continue /etc/xrootd/config.d/
Config effective /etc/xrootd/xrootd-http.cfg oss configuration:
       oss.alloc        0 0 0
       oss.spacescan    600
       oss.fdlimit      32768 65536
       oss.maxsize      0
       oss.trace        0
       oss.xfr          1 deny 10800 keep 1200
       oss.memfile off  max 963475456
       oss.defaults  r/w nocheck nodread nomig nopurge norcreate nostage
       oss.path /data r/w nocheck nodread nomig nopurge norcreate nostage
------ Storage system initialization completed.
++++++ Authorization system initialization started.
230208 09:21:57 21429 acc_Config: Authorization system using configuration in /etc/xrootd/xrootd-http.cfg
=====> acc.authdb /etc/xrootd/Authfile
=====> continue /etc/xrootd/config.d/
Config 1 authorization directives processed in /etc/xrootd/xrootd-http.cfg
Config 1 auth entries processed in /etc/xrootd/Authfile
------ Authorization system initialization completed.
Plugin loaded XrdAccSciTokens v5.5.1 from authlib libXrdAccSciTokens-5.so
++++++ XrdAccSciTokens: Initialized SciTokens-based authorization.
=====> scitokens.trace all 
=====> continue /etc/xrootd/config.d/
230208 09:21:57 21429 scitokens_Config: Logging levels enabled - all
230208 09:21:57 21429 scitokens_Reconfig: Parsing configuration file: /etc/xrootd/scitokens.cfg
230208 09:21:57 21429 scitokens_Reconfig: Configuring issuer https://iam-escape.cloud.cnaf.infn.it/
++++++ Checkpoint initialization started.
++++++ Checkpoint initialization completed.
Config effective /etc/xrootd/xrootd-http.cfg ofs configuration:
       all.role server
       ofs.authorize
       ofs.maxdelay   60
       ofs.persist    manual hold 600 logdir /var/spool/xrootd/http/.ofs/posc.log
       ofs.trace      0
       ofs.authlib default 
       ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
------ File system server initialization completed.
Config asynchronous I/O has been disabled!
------ xroot protocol initialization completed.
Copr. 2012 CERN IT, an HTTP implementation for the XRootD framework.
++++++ HTTP protocol initialization started.
=====> http.header2cgi Authorization authz
=====> continue /etc/xrootd/config.d/
Config Using xrd.tls to supply 'cert' and 'key'.
Config Using xrd.tlsca to supply 'cadir'.
++++++ HTTPS initialization started.
------ HTTPS initialization completed.
230208 09:21:57 21429 sysConfig: XRDROLE:  server
230208 09:21:57 21429 sysConfig: Configured as HTTP(s) data server.
------ HTTP protocol initialization completed.
------ xrootd http@localhost:80 initialization completed.
230208 09:22:14 21434 XrootdBridge: unknown.1:26@localhost login as nobody
230208 09:22:14 21434 scitokens_Access: Trying token-based access control
230208 09:22:14 21434 scitokens_Access: Token not found in recent cache; parsing.
230208 09:22:14 21434 scitokens_Access: New valid token mapped_username=xrootd, subject=2deba9d1-9558-4963-95bc-75e993e3c82e, issuer=https://iam-escape.cloud.cnaf.infn.it/, groups=/escape,/escape/ska
230208 09:22:14 21434 scitokens_Access: Trying token-based access control
230208 09:22:14 21434 scitokens_Access: Cached token mapped_username=xrootd, subject=2deba9d1-9558-4963-95bc-75e993e3c82e, issuer=https://iam-escape.cloud.cnaf.infn.it/, groups=/escape,/escape/ska
230208 09:22:14 21434 ofs_open: unknown.1:26@localhost Unable to create /data/testfile-token-2.repo; permission denied
230208 09:22:14 21434 XrootdXeq: unknown.1:26@localhost disc 0:00:00 (send failure)
[centos@xrootd ~]$ 
########################################################



On 7 Feb 2023, at 17:29, Oliver Freyermuth <[log in to unmask]> wrote:

Hi,

I may be mistaken (but in case I am, surely someone on the list will correct me), but I think the missing magic piece is that you need:
ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
instead of:
ofs.authlib libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg

The explanation should be that the SciTokens plugin itself does not authorize in your case (it would be able to if the token had explicit path permissions embedded), but the authdb then does authorize the mapped user.
So you are using the SciTokens library "only" to enrich the auth information with the information taken from the token, and stack it on top of the authdb which then grants the actual access,
so the "++" are needed for stacking.

In principle, you'd also require:
[Global]
onmissing = passthrough
in scitokens.cfg, but that is the default anyways ;-).

Cheers and hope that helps,
Oliver

On 07.02.23 at 17:16, Dejan Vitlacil wrote:
Hi,
I’m new to XRootD and trying to configure XRootD with token access.
But I’m hitting a permission denied error. If there is someone who has experience with this configuration, any help would be appreciated.
My guess is that I did not configure “/etc/xrootd/Authfile” properly.
Thanks in advance,
Dejan
 * /var/log/xrootd/http/xrootd.log

230207 15:11:41 12921 XrootdBridge: unknown.2:27@localhost login as nobody
230207 15:11:41 12921 scitokens_Access: Trying token-based access control
230207 15:11:41 12921 scitokens_Access: Token not found in recent cache; parsing.
230207 15:11:41 12921 scitokens_Access: New valid token mapped_username=xrootd, subject=2deba9d1-9558-4963-95bc-75e993e3c82e, issuer=https://iam-escape.cloud.cnaf.infn.it/, groups=/escape,/escape/ska
230207 15:11:41 12921 scitokens_Access: Trying token-based access control
230207 15:11:41 12921 scitokens_Access: Cached token mapped_username=xrootd, subject=2deba9d1-9558-4963-95bc-75e993e3c82e, issuer=https://iam-escape.cloud.cnaf.infn.it/, groups=/escape,/escape/ska
230207 15:11:41 12921 ofs_open: unknown.2:27@localhost Unable to create /data/testfile-token-2.repo; permission denied
230207 15:11:41 12921 XrootdXeq: unknown.2:27@localhost disc 0:00:00 (send failure)
[centos@xrootd ~]$

 * /etc/xrootd/xrootd-http.cfg

[centos@xrootd ~]$ sudo cat /etc/xrootd/xrootd-http.cfg
# The export directive indicates which paths are to be exported. While the
all.export /data
# The adminpath and pidpath variables indicate where the pid and various
all.adminpath /var/spool/xrootd
all.pidpath /run/xrootd
# Load the http protocol, indicate that it should be served on port 80.
xrd.protocol XrdHttp:80 libXrdHttp.so
# Config TLS
xrd.tls /etc/grid-security/xrd/xrdcert.pem /etc/grid-security/xrd/xrdkey.pem
xrd.tlsca certdir /etc/grid-security/certificates refresh 8h
xrootd.tls capable all -data
# Dejan tokens part ######################################################
ofs.authorize
ofs.authlib libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
acc.authdb /etc/xrootd/Authfile
# Pass the bearer token to the Xrootd authorization framework.
http.header2cgi Authorization authz
# Only for debugging (comment out after setup is done)
scitokens.trace all
ofs.trace -all
continue /etc/xrootd/config.d/
[centos@xrootd ~]$

 * /etc/xrootd/scitokens.cfg

[centos@xrootd ~]$ sudo cat /etc/xrootd/scitokens.cfg
[Issuer ESCAPE IAM]
issuer = https://iam-escape.cloud.cnaf.infn.it/
base_path = /data
map_subject = false
default_user = xrootd
[centos@xrootd ~]$

 * /etc/xrootd/Authfile

[centos@xrootd ~]$ sudo cat /etc/xrootd/Authfile
= xrootd o: https://iam-escape.cloud.cnaf.infn.it/ g: /escape/ska
# Grant 'xrootd' access to all directories below '/data/'
u xrootd /data a
[centos@xrootd ~]$

*CHALMERS*
*Dejan Vitlacil*
Senior forskningsingenjör | Senior Research Engineer
Institutionen för fysik | Department of Physics
 e-Commons
+46(0)76-064 18 45 (mobile)
[log in to unmask]
Chalmers tekniska högskola | Chalmers University of Technology
Fysik Origo, O6146
Kemigården 1
SE-412 96 Göteborg, Sweden
www.chalmers.se <http://www.chalmers.se>
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1

-- 
Oliver Freyermuth
Universität Bonn
Physikalisches Institut, Raum 1.047
Nußallee 12
53115 Bonn
--
Tel.: +49 228 73 2367
Fax:  +49 228 73 7869
--
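A simplified model of the stacked authorization chain Oliver describes, added here as an illustration and not code from the thread or from XRootD itself: stage one is the SciTokens library, which permits only when the token carries an explicit path scope and otherwise passes through (onmissing = passthrough), and stage two is the authdb from Dejan's Authfile, which the mapped user reaches only when the library was loaded with "++". It assumes a token is a dict of the claims inspected, that "storage.create"/"storage.read" scopes are relative to base_path, and that the authdb privilege letters 'a' (all), 'r' (read) and 'i' (insert) mean what their names suggest; real XRootD matching is richer than this.

```python
# Constructed from Dejan's scitokens.cfg: map_subject = false, so any accepted
# token maps to default_user; base_path anchors the relative paths in scopes.
ISSUERS = {"https://iam-escape.cloud.cnaf.infn.it/":
           {"base_path": "/data", "default_user": "xrootd"}}
SCOPE_FOR_OP = {"read": "storage.read", "create": "storage.create"}
PRIV_FOR_OP = {"read": "r", "create": "i"}   # authdb letters (assumed: 'i' = insert/create)

def under(path, prefix):
    return (path + "/").startswith(prefix.rstrip("/") + "/")

def scitokens_stage(token, path, op):
    """Stage 1: 'permit' only on an explicit path scope, otherwise pass through.
    token is a dict, e.g. {"issuer": "...", "scopes": ["storage.create:/"]}."""
    cfg = ISSUERS.get(token["issuer"])
    if cfg is None:                          # unknown issuer: the library rejects the token
        return "deny", None
    for scope in token.get("scopes", ()):
        name, _, rel = scope.partition(":")
        if name == SCOPE_FOR_OP[op] and under(path, cfg["base_path"] + "/" + rel.strip("/")):
            return "permit", cfg["default_user"]
    return "passthrough", cfg["default_user"]   # onmissing = passthrough (the default)

AUTHFILE = """\
# Grant 'xrootd' access to all directories below '/data/'
u xrootd /data a
"""

def parse_authdb(text):
    """Only 'u <user> <path> <privs>' records are modelled; the '=' identity line is skipped."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 4 and fields[0] == "u":
            rules.append((fields[1], fields[2], fields[3]))
    return rules

def authdb_stage(rules, user, path, op):
    """Stage 2: first entry whose user and path prefix match decides; 'a' grants everything."""
    for ident, prefix, privs in rules:
        if ident == user and under(path, prefix) and ("a" in privs or PRIV_FOR_OP[op] in privs):
            return "permit"
    return "deny"

def authorize(token, path, op, stacked):
    """stacked=True models 'ofs.authlib ++': a passthrough continues to the authdb.
    Without '++' the SciTokens library replaced the authdb, so nothing is left to ask."""
    verdict, user = scitokens_stage(token, path, op)
    if verdict != "passthrough":
        return verdict
    return authdb_stage(parse_authdb(AUTHFILE), user, path, op) if stacked else "deny"
```

With Dejan's token (groups only, no storage scopes) the create on /data/testfile-token-2.repo is granted only in the stacked configuration; a token carrying storage.create:/ is granted by stage one alone.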


