Hi David,

The next step is to use the following knobs on the XrootD config files:

ofs.trace all
xrd.trace all -sched
pss.setopt DebugLevel 5
scitokens.trace all
http.trace all

With this, you can check the logs and determine why the token is not working.

*--Fábio Andrijauskas*

On Fri, Feb 2, 2024 at 2:07 PM David Sanders wrote:

> Dear James:
>
> I had tried that a week ago but then it did not work; however, now it does. Between now and then I have rebooted our Storage Element because there was a kernel update. I also tried Jyothish's idea of reversing the order in the "audience" line while in the [Issuer CMS_IAM] area but that, by itself, did not work. I also had been using "-aud=umiss005.hep.olemiss.edu" in the token creation (export BEARER_TOKEN command) that Fabio suggested. I would like to thank everyone who helped me with this problem.
>
> Best regards,
>
> David Sanders
>
> On Feb 2, 2024, at 12:57 AM, James William Walder wrote:
>
> Hi David,
> For my configuration, I need to have a [Global] section with the audiences defined there in the scitokens.cfg file.
> E.g.
>
> [Global]
> onmissing = passthrough
> audience = https://wlcg.cern.ch/jwt/v1/any,...
>
> [Issuer CMS_IAM]
> …
>
> I wonder if that has an effect?
>
> James
>
> On 1 Feb 2024, at 22:51, David Sanders wrote:
>
> Dear Colleagues:
>
> I run an OSG Tier-3 here at the University of Mississippi. I am running xrootd on our Storage Element as multi-user because we are serving a few VOs, primarily CMS and BELLE (for the Belle II experiment). A week or 2 ago the CMS rucio team requested that I add the line "audience = https://wlcg.cern.ch/jwt/v1/any,umiss005.hep.olemiss.edu" to our scitokens.conf file. (umiss005.hep.olemiss.edu is the FQDN of our Storage Element).
>
> When someone uses a command like this they can read my files:
> $ export BEARER_TOKEN=$(oidc-token --scope=offline_access --scope=storage.read:/ --time=3600 test_dsanders)
> However, when they use a command like this it fails with a permissions error:
> $ export BEARER_TOKEN=$(oidc-token --aud=umiss005.hep.olemiss.edu --scope=offline_access --scope=storage.read:/ --time=3600 test_dsanders)
>
> Please see the GGUS ticket:
> https://ggus.eu/index.php?mode=ticket_info&ticket_id=164957
>
> Can you please give me some suggestions about how to get the "audience" token working in xrootd. The part of my scitokens.conf file that should apply is:
>
> [Issuer CMS_IAM]
> issuer = https://cms-auth.web.cern.ch/
> audience = https://wlcg.cern.ch/jwt/v1/any,umiss005.hep.olemiss.edu
> ###audience = https://wlcg.cern.ch/jwt/v1/any
> base_path = /cms
> map_subject = False
> default_user = uscms01
> ###name_mapfile = /etc/xrootd/scitokens_mapfile_cms.json
>
> Best regards,
>
> David Sanders
>
> ------------------------------
>
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
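
An offline check for the situation discussed in this thread, as an added example that is not part of any message above and not the xrootd-scitokens plugin's own logic: it lists which sections of a scitokens.cfg set `audience` and compares a token's `aud` claim against the [Global] list by exact string match. Treating only [Global] as effective follows James's layout and is an assumption here, as are the function names, the constructed sample config and the constructed unsigned token.

```python
import base64
import configparser
import json

# Constructed sample modelled on the thread: audience in [Global], as in James's layout.
SAMPLE_CFG = """
[Global]
onmissing = passthrough
audience = https://wlcg.cern.ch/jwt/v1/any,umiss005.hep.olemiss.edu

[Issuer CMS_IAM]
issuer = https://cms-auth.web.cern.ch/
base_path = /cms
"""

def audiences_by_section(cfg_text):
    """Return {section: [audience, ...]} for every section that sets 'audience'."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(cfg_text)  # lines starting with '#' (e.g. '###audience') are comments
    return {s: [a.strip() for a in cp[s]["audience"].split(",") if a.strip()]
            for s in cp.sections() if "audience" in cp[s]}

def token_audiences(jwt):
    """Decode the JWT payload WITHOUT verifying the signature (debugging only)."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64url padding
    aud = json.loads(base64.urlsafe_b64decode(payload_b64)).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)  # 'aud' may be string or array

def diagnose(cfg_text, jwt):
    """Compare the token's aud claim with the [Global] list (assumed effective list)."""
    by_section = audiences_by_section(cfg_text)
    accepted = by_section.get("Global", [])
    aud = token_audiences(jwt)
    return {
        "token_aud": aud,
        "global_audiences": accepted,
        "audience_outside_global": sorted(s for s in by_section if s != "Global"),
        "match": any(a in accepted for a in aud),  # exact string comparison only
    }

def make_unsigned_token(claims):
    """Build a constructed, unsigned token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

if __name__ == "__main__":
    tok = make_unsigned_token({"aud": "umiss005.hep.olemiss.edu"})
    print(diagnose(SAMPLE_CFG, tok))
```

To inspect a real token, pass the value of $BEARER_TOKEN to diagnose() together with the contents of the site's scitokens.cfg; the result is a hint for reading the trace logs, not the server's authorization decision.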