On Tue, 19 Mar 2024, Petr Vokac wrote:
> KEK is using StoRM, could you try your tests with other StoRM source?
>
Yes, I can reproduce an error with another KEK SE;
for belle2-webdav-raw-daa.cc.kek.jp only Belle production role proxies
have access to.
However, the curl commands do not work. Using it, fails to verify my
cert/proxy on the redirector.
Using gfal-copy in pull mode works, while push mode via
gfal-copy -vvv -f https://belle2-webdav-analysis-data.cc.kek.jp:8443/disk/belle/TMP/belle/Raw/e0012_8GBTest/physics/r04420/sub00/physics.0012.4420.8GBTest.f00000.root
https://rdc-redirector.belle.uvic.ca:1094/TMP/belle/some_test_file
gives the error:
failure: SocketException while pushing
https://rdc-redirector.belle.uvic.ca:1094/TMP/belle/some_test_file:
Connection reset by peer (Write failed)
full log: https://particle.phys.uvic.ca/~mebert/xrootd/gfal-copy.log
What is interesting is that if I substitute "rdc-redirector" with one of
the servers, then it always works. Looking to the connections on the
network, it seems the initial connection with gfal-copy gets redirected to
one of the servers and gfal-copy tries to keep the connection open, while
the KEK SE goes again to the redirector as it should and gets then
redirected to a server. It seems at that point the connection gets reset
by the server that initally was connected with gfal-copy.
Cheers,
Marcus
> You could try to download file with curl or even initiate HTTP-TPC manually,
> e.g.
>
> export
> SRC=https://belle2-webdav-raw-data.cc.kek.jp:8443/belle/TMP/belle/Raw/e0026/physics/r00194/sub00/physics.0026.00194.HLT2.f00002.root
> export DST=https://rdc-redirector.belle.uvic.ca:1094/TMP/belle/some_test_file
> export TSRC=$(curl --silent --cert /tmp/x509up_u$(id -u) --key
> /tmp/x509up_u$(id -u) --cacert /tmp/x509up_u$(id -u) --capath
> /etc/grid-security/certificates -X POST -H 'Content-Type:
> application/macaroon-request' -d '{"caveats": ["activity:DOWNLOAD"],
> "validity": "PT30M"}' "$SRC" | jq -r '.macaroon')
> export TDST=$(curl --silent --cert /tmp/x509up_u$(id -u) --key
> /tmp/x509up_u$(id -u) --cacert /tmp/x509up_u$(id -u) --capath
> /etc/grid-security/certificates -X POST -H 'Content-Type:
> application/macaroon-request' -d '{"caveats":
> ["activity:UPLOAD,DELETE,LIST"], "validity": "PT30M"}' "$DST" | jq -r
> '.macaroon')
> # StoRM is using JWT tokens, so you can inspect token from KEK site using
> # e.g.https://jwt.io
> # it is possible to inspect also macaroon tokens returned by XRootD with
> # e.g.
> # python -c "import macaroons;
> # print(macaroons.deserialize('$TDST'[12:]).inspect())"
>
> # Download
> curl -v --capath /etc/grid-security/certificates -L -X GET -H
> 'Secure-Redirection: 1' -H "Authorization: Bearer $TSRC" --output /tmp/x
> "$SRC"
> # Upload
> curl -v --capath /etc/grid-security/certificates -L -X PUT -H
> 'Secure-Redirection: 1' -H "Authorization: Bearer $TDST" --upload-file
> /etc/services "$DST"
> # TPC pull
> curl -v --capath /etc/grid-security/certificates -L -X COPY -H
> 'Secure-Redirection: 1' -H 'X-No-Delegate: 1' -H 'Credential: none' -H
> "Authorization: Bearer $TDST" -H "TransferHeaderAuthorization: Bearer $TSRC"
> -H "Source: $SRC" "$DST"
> # TPC push
> curl -v --capath /etc/grid-security/certificates -L -X COPY -H
> 'Secure-Redirection: 1' -H 'X-No-Delegate: 1' -H 'Credential: none' -H
> "Authorization: Bearer $TSRC" -H "TransferHeaderAuthorization: Bearer $TDST"
> -H "Destination: $DST" "$SRC"
>
> Petr
>
########################################################################
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
