LISTSERV 16.5 - XROOTD-DEV Archives

`stash-origin-auth]# xrootd -version
v5.5.5`

This is the case with 2 issuers:

`[root@node-1-5 stash-origin-auth]# cat scitokens.conf 
[Global]
audience = IceCube, NRP

[Issuer https://chtc.cs.wisc.edu/icecube]
issuer = https://chtc.cs.wisc.edu/icecube
base_path = /icecube
map_subject = False

[Issuer https://token.nationalresearchplatform.org/modis]
issuer = https://token.nationalresearchplatform.org/modis
base_path = /nrp/protected/sio/MODIS_Aqua_microphysics_images/
map_subject = False


[Issuer https://token.nationalresearchplatform.org/ucsdphysics]
issuer = https://token.nationalresearchplatform.org/ucsdphysics
base_path = /ucsd/physics
map_subject = False`

`Plugin loaded XRootDTCP v5.4.0 from xrd.tcpmonlib /usr/lib64/libXrdTCPStats-5.so
------ xrootd [log in to unmask]:1095 initialization completed.
230822 18:24:11 291323 XrootdBridge: unknown.1:[log in to unmask] login as nobody
230822 18:24:11 291323 scitokens_GenerateAcls: Failed to deserialize SciToken: token verification failed: Token issuer is not in list of allowed issuers.
230822 18:24:11 291323 scitokens_Access: Failed to generate ACLs for token
230822 18:24:11 291323 acc_Audit: unknown.1:[log in to unmask] deny https *@[::ffff:68.8.122.198] create /nrp/protected/sio/MODIS_Aqua_microphysics_images/aaa
230822 18:24:11 291323 scitokens_GenerateAcls: Failed to deserialize SciToken: token verification failed: Token issuer is not in list of allowed issuers.
230822 18:24:11 291323 scitokens_Access: Failed to generate ACLs for token
230822 18:24:11 291323 acc_Audit: unknown.1:[log in to unmask] deny https *@[::ffff:68.8.122.198] excl_create /nrp/protected/sio/MODIS_Aqua_microphysics_images/aaa
230822 18:24:11 291323 ofs_open: unknown.1:[log in to unmask] Unable to create /nrp/protected/sio/MODIS_Aqua_microphysics_images/aaa; permission denied
230822 18:24:11 291323 unknown.1:[log in to unmask] Xrootd_Response: sending err 3010: Unable to create /nrp/protected/sio/MODIS_Aqua_microphysics_images/aaa; permission denied
230822 18:24:11 291323 XrootdXeq: unknown.1:[log in to unmask] disc 0:00:00 (send failure)
230822 18:24:15 291322 XrootdBridge: unknown.2:[log in to unmask] login as nobody
230822 18:24:15 291322 scitokens_GenerateAcls: Failed to deserialize SciToken: token verification failed: Token issuer is not in list of allowed issuers.
230822 18:24:15 291322 scitokens_Access: Failed to generate ACLs for token
230822 18:24:15 291322 acc_Audit: unknown.2:[log in to unmask] deny https *@[::ffff:68.8.122.198] create /nrp/protected/sio/MODIS_Aqua_microphysics_images/aaa
230822 18:24:15 291322 scitokens_GenerateAcls: Failed to deserialize SciToken: token verification failed: Token issuer is not in list of allowed issuers.
230822 18:24:15 291322 scitokens_Access: Failed to generate ACLs for token
230822 18:24:15 291322 acc_Audit: unknown.2:[log in to unmask] deny https *@[::ffff:68.8.122.198] excl_create /nrp/protected/sio/MODIS_Aqua_microphysics_images/aaa
`

This case is with this config, two different domains:

`[Global]
audience = IceCube, NRP

[Issuer https://chtc.cs.wisc.edu/icecube]
issuer = https://chtc.cs.wisc.edu/icecube
base_path = /icecube
map_subject = False

[Issuer https://token.nationalresearchplatform.org/modis]
issuer = https://token.nationalresearchplatform.org/modis
base_path = /nrp/protected/sio/MODIS_Aqua_microphysics_images/
map_subject = False


[Issuer https://token.nationalresearchplatform.ort/ucsdphysics]
issuer = https://token.nationalresearchplatform.ort/ucsdphysics
base_path = /ucsd/physics
map_subject = False`

`230822 18:30:15 292637 scitokens_Access: Trying token-based access control
230822 18:30:15 292637 scitokens_Access: Cached token mapped_username=, subject=NRP, issuer=https://token.nationalresearchplatform.org/modis, authorizations=/nrp/protected/sio/MODIS_Aqua_microphysics_images:read,dir,stat,create,mkdir,mv,insert,update,chmod,del
230822 18:30:15 292637 scitokens_Access: Grant authorization based on scopes for operation=create, path=/nrp/protected/sio/MODIS_Aqua_microphysics_images/aaa
230822 18:30:15 292637 unknown.2:[log in to unmask] ofs_fstat:  fn=/nrp/protected/sio/MODIS_Aqua_microphysics_images/aaa
`

-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/2074#issuecomment-1688713468
You are receiving this because you are subscribed to this thread.

Message ID: <[log in to unmask]>

########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1