Hi David,

     The next step is to use the following knobs on the XrootD config files:

ofs.trace all
xrd.trace all -sched
pss.setopt DebugLevel 5
scitokens.trace all
http.trace all


With this, you can check the logs and determine why the token is not
working.




*--Fábio Andrijauskas*


On Fri, Feb 2, 2024 at 2:07 PM David Sanders <[log in to unmask]>
wrote:

> Dear James:
>
> I had tried that a week ago but then it did not work; however, now it
> does. Between now and then I have rebooted our Storage Element because
> there was a kernel update. I also tried Jyothish’s idea of reversing the
> order in the “audience” line while in the [Issuer CMS_IAM] area but that,
> by itself, did not work. I also had been using
> “-aud=umiss005.hep.olemiss.edu” in the token creation (export
> BEARER_TOKEN command) that Fabio suggested. I would like to thank everyone
> who helped me with this problem.
>
> Best regards,
>
> David Sanders
>
> On Feb 2, 2024, at 12:57 AM, James William Walder <
> [log in to unmask]> wrote:
>
> Hi David,
>   For my configuration, I need to have a [Global] section with the
> audiences defined there in the scitokens.cfg file.
> E.g.
>
> [Global]
> onmissing = passthrough
> audience = https://wlcg.cern.ch/jwt/v1/any,...
>
> [Issuer CMS_IAM]
> …
>
>
> I wonder if that has an effect?
>
> James
>
>
>
>
> On 1 Feb 2024, at 22:51, David Sanders <[log in to unmask]> wrote:
>
> Dear Colleagues:
>
> I run an OSG Tier-3 here at the University of Mississippi. I am running
> xrootd on our Storage Element as multi-user because we are serving a few
> VOs, primarily CMS and BELLE (for the Belle II experiment). A week or 2
> ago the CMS rucio team requested that I add the line “audience =
> https://wlcg.cern.ch/jwt/v1/any,umiss005.hep.olemiss.edu” to our
> scitokens.conf file. (umiss005.hep.olemiss.edu is the FQDN of our Storage
> Element). When someone uses a command like this they can read my files:
> $ export BEARER_TOKEN=$(oidc-token --scope=offline_access
> --scope=storage.read:/ --time=3600 test_dsanders)
> However, when they use a command like this it fails with a permissions
> error:
> $ export BEARER_TOKEN=$(oidc-token --aud=umiss005.hep.olemiss.edu
> --scope=offline_access --scope=storage.read:/ --time=3600 test_dsanders)
>
> Please see the GGUS ticket:
> https://ggus.eu/index.php?mode=ticket_info&ticket_id=164957
>
> Can you please give me some suggestions about how to get the “audience”
> token working in xrootd? The part of my scitokens.conf file that should
> apply is:
>
> [Issuer CMS_IAM]
> issuer = https://cms-auth.web.cern.ch/
> audience = https://wlcg.cern.ch/jwt/v1/any,umiss005.hep.olemiss.edu
> ###audience = https://wlcg.cern.ch/jwt/v1/any
> base_path = /cms
> map_subject = False
> default_user = uscms01
> ###name_mapfile = /etc/xrootd/scitokens_mapfile_cms.json
>
> Best regards,
>
> David Sanders
>
>
> ------------------------------
>
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>
>
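
An added example (not written by anyone in this thread, and not XRootD or SciTokens project code): it decodes a bearer token's payload without verifying the signature and reports which sections of a scitokens config list an audience that the token carries in its `aud` claim. The sample config and the unsigned token are constructed, and all function names are hypothetical.

```python
import base64
import configparser
import json

# Constructed sample config, modelled on the fragments quoted in the thread.
SAMPLE_CFG = """
[Global]
onmissing = passthrough
audience = https://wlcg.cern.ch/jwt/v1/any, umiss005.hep.olemiss.edu

[Issuer CMS_IAM]
issuer = https://cms-auth.web.cern.ch/
base_path = /cms
default_user = uscms01
"""

def make_sample_token(claims):
    """Build an unsigned, JWT-shaped string (constructed test input only)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

def token_claims(token):
    """Decode the payload WITHOUT signature verification (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def configured_audiences(cfg_text):
    """Map every section that has an 'audience' line to its list of values."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    return {s: [a.strip() for a in cp[s]["audience"].split(",") if a.strip()]
            for s in cp.sections() if "audience" in cp[s]}

def audience_report(token, cfg_text):
    """Show the token's iss/aud and, per config section, the audiences in common."""
    claims = token_claims(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # aud may be a string or a list
    matches = {s: sorted(set(aud) & set(vals))
               for s, vals in configured_audiences(cfg_text).items()}
    return {"iss": claims.get("iss"), "aud": aud, "matches": matches}

if __name__ == "__main__":
    tok = make_sample_token({"iss": "https://cms-auth.web.cern.ch/",
                             "aud": "umiss005.hep.olemiss.edu"})
    print(json.dumps(audience_report(tok, SAMPLE_CFG), indent=2))
```

To use it on a real case, pass the value of `BEARER_TOKEN` and the text of your own scitokens config file to `audience_report`; an empty match list for every section means the token's `aud` does not appear in any configured audience line.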
