EUDAT-B2STAGE / B2STAGE-GridFTP

B2STAGE service core code for EUDAT project: iRODS-DSI

Question about DN to iRODS user mapping #21

Closed JustinKyleJames closed 7 years ago

JustinKyleJames commented 7 years ago

I don't think I fully understand how the mapping from the certificate to the iRODS user works. Maybe you can clarify for me.

I have the certificates and configuration set up. The globus server is running under the root account (as a service) and it is configured to connect as "irods". This is working.

I have the following in /etc/grid-security/grid-mapfile:

"/O=Grid/OU=GlobusTest/OU=simpleCA-ubuntuonly-virtualbox/OU=local/CN=UbuntuOnly-VirtualBox" jjames

When I try to put a file it works but the file is going in as the admin (irods) user rather than as the user jjames. I know this grid-mapfile is being referenced because if I remove the line above I will get an error.

I've also tried doing the following:

$ iadmin aua jjames '/O=Grid/OU=GlobusTest/OU=simpleCA-ubuntuonly-virtualbox/OU=local/CN=UbuntuOnly-VirtualBox'

and when I run testirodsmap I get jjames#tempZone returned:

$ ./testirodsmap '/O=Grid/OU=GlobusTest/OU=simpleCA-ubuntuonly-virtualbox/OU=local/CN=UbuntuOnly-VirtualBox'
Level(16) libirodsmap_connect: attempting rcConnect to localhost:1247
Level(16) libirodsmap_connect: connected to iRODS server (localhost:1247)
Level(16) libirodsmap_query_dn: rcGenQuery returned user jjames (rc=0)
Level(16) libirodsmap_query_dn: rcGenQuery returned zone tempZone (rc=0)
Mapping for /O=Grid/OU=GlobusTest/OU=simpleCA-ubuntuonly-virtualbox/OU=local/CN=UbuntuOnly-VirtualBox is jjames#tempZone

However, when I put a file it still goes in under the rods user.

Here's my configuration in gridftp.conf:

$LD_LIBRARY_PATH "$LD_LIBRARY_PATH:/iRODS_DSI"
$irodsConnectAsAdmin "rods"
$GSI_AUTHZ_CONF /iRODS_DSI/gridmap_iRODS_callout.conf
load_dsi_module iRODS
auth_level 4
port 2811
$HOME "/root"

I am sure I have a misunderstanding on how this ties together. Any clarification would be appreciated.

JustinKyleJames commented 7 years ago

I believe I figured this out. I believe the problem might have been because I was using the same certificate for the client and server. I went back to iRODS 4.1.x and after creating a client cert and a server cert I was able to get the mapfile to work. I will try in 4.2 to make sure this isn't an issue with the 4.2 plugin. If it is I will investigate and fix it.

I will close this out.
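
The grid-mapfile lookup and the same-certificate condition the reporter suspected, written out as an added example that is not part of the original issue or of the B2STAGE code. The function names, the exact-string DN comparison and `HOST_DN` are assumptions made for illustration; the client DN and the `jjames` account are the ones quoted in the thread.

```python
import shlex

# DN and account are the ones quoted in the issue; HOST_DN is constructed.
CLIENT_DN = "/O=Grid/OU=GlobusTest/OU=simpleCA-ubuntuonly-virtualbox/OU=local/CN=UbuntuOnly-VirtualBox"
HOST_DN = "/O=Grid/OU=GlobusTest/OU=simpleCA-ubuntuonly-virtualbox/CN=host/example.invalid"
SAMPLE_GRIDMAP = f'# constructed sample grid-mapfile\n"{CLIENT_DN}" jjames\n'


def parse_gridmap(text):
    """Parse grid-mapfile text into {DN: [local accounts]}."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # honours the double quotes around the DN
        except ValueError as exc:      # e.g. an unterminated quote
            raise ValueError(f"line {lineno}: {exc}") from None
        if len(parts) != 2:
            # Typical cause: a DN containing spaces that was not quoted.
            raise ValueError(f"line {lineno}: expected '\"DN\" account[,account]'")
        dn, accounts = parts
        mapping.setdefault(dn, []).extend(a for a in accounts.split(",") if a)
    return mapping


def check_mapping(gridmap_text, client_dn, host_dn):
    """Return (accounts, findings) for the DN a client presents."""
    accounts = parse_gridmap(gridmap_text).get(client_dn, [])
    findings = []
    if not accounts:
        findings.append("client DN has no grid-mapfile entry")
    if len(accounts) > 1:
        findings.append("client DN maps to several accounts")
    if client_dn == host_dn:
        findings.append("client and server present the same certificate subject")
    return accounts, findings


if __name__ == "__main__":
    for host in (CLIENT_DN, HOST_DN):
        print(check_mapping(SAMPLE_GRIDMAP, CLIENT_DN, host))
```
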