Dear Colleagues:

I run an OSG Tier-3 here at the University of Mississippi. I am running xrootd on our Storage Element as multi-user because we are serving a few VOs, primarily CMS and BELLE (for the Belle II experiment). A week or 2 ago the CMS rucio team requested that I add the line “audience = https://wlcg.cern.ch/jwt/v1/any,umiss005.hep.olemiss.edu” to our scitokens.conf file. (umiss005.hep.olemiss.edu is the FQDN of our Storage Element.)

When someone uses a command like this they can read my files:

$ export BEARER_TOKEN=$(oidc-token --scope=offline_access --scope=storage.read:/ --time=3600 test_dsanders)

However, when they use a command like this it fails with a permissions error:

$ export BEARER_TOKEN=$(oidc-token --aud=umiss005.hep.olemiss.edu --scope=offline_access --scope=storage.read:/ --time=3600 test_dsanders)

Please see the GGUS ticket: https://ggus.eu/index.php?mode=ticket_info&ticket_id=164957

Can you please give me some suggestions about how to get the “audience” token working in xrootd? The part of my scitokens.conf file that should apply is:

[Issuer CMS_IAM]
issuer = https://cms-auth.web.cern.ch/
###audience = https://wlcg.cern.ch/jwt/v1/any
base_path = /cms
map_subject = False
default_user = uscms01
###name_mapfile = /etc/xrootd/scitokens_mapfile_cms.json

Best regards,
David Sanders
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
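
Added example, not part of the original message and not xrootd or scitokens code: a Python helper that decodes the token in BEARER_TOKEN without verifying its signature (inspection only) and compares its aud claim with the audience value quoted in the message. Exact string comparison and comma/whitespace list syntax are assumptions, the function names are hypothetical, and the fallback token is constructed.

```python
import base64
import json
import re

def jwt_claims(token):
    """Decode the payload segment of a JWT WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_audiences(claims):
    """RFC 7519: 'aud' may be absent, a single string, or a list of strings."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)

def configured_audiences(value):
    """Split an 'audience = a,b' value on commas/whitespace (assumed syntax)."""
    return [a for a in re.split(r"[,\s]+", value.strip()) if a]

def audience_report(token, config_value):
    """Return (token_aud, accepted, matched) using exact string comparison."""
    auds = token_audiences(jwt_claims(token))
    accepted = configured_audiences(config_value)
    return auds, accepted, [a for a in auds if a in accepted]

def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real IAM token)."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

if __name__ == "__main__":
    import os
    # Audience value as quoted in the message above.
    conf = "https://wlcg.cern.ch/jwt/v1/any,umiss005.hep.olemiss.edu"
    token = os.environ.get("BEARER_TOKEN") or make_sample_token(
        {"iss": "https://cms-auth.web.cern.ch/", "aud": "umiss005.hep.olemiss.edu"})
    auds, accepted, matched = audience_report(token, conf)
    print("token aud:   ", auds)
    print("configured:  ", accepted)
    print("exact match: ", matched or "none")
```

Run it in the same shell where BEARER_TOKEN was exported; an empty "exact match" line means the string in the token differs from every configured value, for example by a scheme prefix or trailing slash.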