dCache / dcache-view

A web application that provides an easy-to-use user interface for the dCache system.

Using the right WebDAV door, revisited #250

Open onnozweers opened 3 years ago

onnozweers commented 3 years ago

This is probably a follow-up of https://github.com/dCache/dcache-view/issues/231, but I'm not quite sure so I opened a new ticket.

I have 4 flavors of dCacheView and I want each of them to point to a dedicated WebDAV door by using tags. However, I can't seem to get it working.

The layout file:

[dcacheview22880Domain]
dcache.java.memory.heap=2g
# dCacheView with password authentication.
[dcacheview22880Domain/frontend]
frontend.cell.name=dcacheview-22880-${host.name}
frontend.net.port = 22880
frontend.authn.protocol = https
frontend.authn.basic = true
frontend.authn.require-client-cert = false
frontend.authn.accept-client-cert = false
frontend.static!dcache-view.org-name=SURFsara Grid Storage dCacheView
frontend.static!dcache-view.endpoints.webdav=https://dcacheview.grid.surfsara.nl:2880/
frontend.protocols.tags=webdav2880
frontend.geographic-placement = NL

[dcacheview22881Domain]
dcache.java.memory.heap=2g
# dCacheView with password authentication.
[dcacheview22881Domain/frontend]
frontend.cell.name=dcacheview-22881-${host.name}
frontend.net.port = 22881
frontend.authn.protocol = https
frontend.authn.basic = true
frontend.authn.require-client-cert = false
frontend.authn.accept-client-cert = false
frontend.static!dcache-view.org-name=SURFsara Grid Storage dCacheView
frontend.static!dcache-view.endpoints.webdav=https://dcacheview.grid.surfsara.nl:2881/
frontend.protocols.tags=webdav2881
frontend.geographic-placement = NL

[dcacheview22882Domain]
dcache.java.memory.heap=2g
# dCacheView with X509 cert authentication.
[dcacheview22882Domain/frontend]
frontend.cell.name=dcacheview-22882-${host.name}
frontend.net.port = 22882
frontend.authn.protocol = https
frontend.authn.basic = false
frontend.authn.require-client-cert = true
frontend.authn.accept-client-cert = true
frontend.static!dcache-view.org-name=SURFsara Grid Storage dCacheView
frontend.static!dcache-view.endpoints.webdav=https://dcacheview.grid.surfsara.nl:2882/
frontend.protocols.tags=webdav2882
frontend.geographic-placement = NL

[dcacheview22884Domain]
dcache.java.memory.heap=2g
# dCacheView with X509 cert authentication.
[dcacheview22884Domain/frontend]
frontend.cell.name=dcacheview-22884-${host.name}
frontend.net.port = 22884
frontend.authn.protocol = https
frontend.authn.basic = false
frontend.authn.require-client-cert = true
frontend.authn.accept-client-cert = true
frontend.static!dcache-view.org-name=SURFsara Grid Storage dCacheView
frontend.static!dcache-view.endpoints.webdav=https://dcacheview.grid.surfsara.nl:2884/
frontend.protocols.tags=webdav2884
frontend.geographic-placement = NL

#
# WebDAV doors dedicated to dCacheView
#

# Fast WebDAV with username/password authentication
[webdav2880-${host.name}Domain]
dcache.java.options.extra = -Djdk.tls.ephemeralDHKeySize=2048
[webdav2880-${host.name}Domain/webdav]
webdav.cell.name=webdav2880-${host.name}
webdav.redirect.on-read=true
webdav.redirect.on-write=true
webdav.redirect.allow-https=true
webdav.authn.basic=true
webdav.authn.accept-client-cert = false
webdav.authn.protocol=https
webdav.net.port=2880
webdav.enable.overwrite=true
webdav.allowed.client.origins = https://dcacheview.grid.surfsara.nl:22880
webdav.loginbroker.tags=webdav2880

# Secure WebDAV with username/password authentication
[webdav2881-${host.name}Domain]
dcache.java.options.extra = \
    -Djava.security.properties=/etc/dcache/maximum.java.security \
    -Djdk.tls.ephemeralDHKeySize=2048
[webdav2881-${host.name}Domain/webdav]
webdav.cell.name=webdav2881-${host.name}
webdav.redirect.on-read=false
webdav.redirect.on-write=false
webdav.authn.basic=true
webdav.authn.accept-client-cert = false
webdav.authn.protocol=https
webdav.net.port=2881
webdav.enable.overwrite=true
webdav.allowed.client.origins = https://dcacheview.grid.surfsara.nl:22881
webdav.loginbroker.tags=webdav2881

# Fast WebDAV with X509 (cert) authentication
[webdav2882-${host.name}Domain]
dcache.java.options.extra = -Djdk.tls.ephemeralDHKeySize=2048
[webdav2882-${host.name}Domain/webdav]
webdav.cell.name=webdav2882-${host.name}
webdav.redirect.on-read=true
webdav.redirect.on-write=true
webdav.authn.basic=false
webdav.authn.accept-client-cert = true
webdav.authn.require-client-cert = true
webdav.authn.protocol=https
webdav.net.port=2882
webdav.enable.overwrite=true
webdav.allowed.client.origins = https://dcacheview.grid.surfsara.nl:22882
webdav.loginbroker.tags=webdav2882

# Secure WebDAV with X509 (cert) authentication
[webdav2884-${host.name}Domain]
dcache.java.options.extra = \
    -Djava.security.properties=/etc/dcache/maximum.java.security \
    -Djdk.tls.ephemeralDHKeySize=2048
[webdav2884-${host.name}Domain/webdav]
webdav.cell.name=webdav2884-${host.name}
webdav.redirect.on-read=false
webdav.redirect.on-write=false
webdav.authn.basic=false
webdav.authn.accept-client-cert = true
webdav.authn.require-client-cert = true
webdav.authn.protocol=https
webdav.net.port=2884
webdav.enable.overwrite=true
webdav.allowed.client.origins = https://dcacheview.grid.surfsara.nl:22884
webdav.loginbroker.tags=webdav2884

I log in to the dCacheView on port 22880 (username/password) and go to a file; then I try to download the file but dCacheView says "TypeError: Request failed with response status code 404." In the Firefox browser console I can see this error:

XHR GET https://dcacheview.grid.surfsara.nl:22881/scripts/tasks/undefined

The "undefined" looks similar to #231.

We're running 6.0.29.

paulmillar commented 3 years ago

I'm actually just discovering a similar problem for a dCache instance here at DESY.

The cause is that dCacheView has a hard-coded tag it uses to select WebDAV doors: dcache-view. You currently cannot change this.

Only if there are no doors with this tag (and that have a door-root path of /) then dCacheView will use the URL from the configuration property frontend.static!dcache-view.endpoints.webdav.

If that configuration property isn't defined then it uses the same endpoint as frontend, but with port 2880.

So, currently the only way to have different dCacheView / frontend target different WebDAV endpoints is to make sure the dcache-view tag isn't defined anywhere and to configure the frontend.static!dcache-view.endpoints.webdav configuration property.
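
The selection order described in the comment above, turned into a layout check (an added example, not dCache or dCacheView code): it resolves which WebDAV door each frontend ends up using and flags a door that does not list that frontend's origin in webdav.allowed.client.origins. Assumptions: the sample layout is constructed from the one in this issue, the function names are hypothetical, list values are taken to be comma- or space-separated, and the door-root condition is not modelled.

```python
import re
from urllib.parse import urlsplit
TAG = "dcache-view"  # hard-coded door-selection tag named in the thread
# Constructed sample cut from the issue's layout; frontend 22882 has no endpoint property.
LAYOUT = """
[dcacheview22880Domain/frontend]
frontend.net.port = 22880
frontend.static!dcache-view.endpoints.webdav=https://dcacheview.grid.surfsara.nl:2880/
[dcacheview22882Domain/frontend]
frontend.net.port = 22882
[webdav2880-${host.name}Domain/webdav]
webdav.net.port=2880
webdav.allowed.client.origins = https://dcacheview.grid.surfsara.nl:22880
webdav.loginbroker.tags=webdav2880
"""

def parse_services(text):  # one property dict per [domain/service] section
    services, current = [], None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[[^/\]]+/(\w+)\]", line)
        if line.startswith("["):
            current = {"kind": m.group(1)} if m else None  # skip domain-level sections
            services += [current] if m else []
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return services

def items(props, key):  # assumption: list values are comma- or space-separated
    return [v for v in re.split(r"[,\s]+", props.get(key, "")) if v]

def audit(text, host="dcacheview.grid.surfsara.nl"):
    """Resolve each frontend's door in the order described above; return mismatches."""
    services = parse_services(text)
    doors = [s for s in services if s["kind"] == "webdav"]
    tagged = any(TAG in items(d, "webdav.loginbroker.tags") for d in doors)
    findings = []
    for fe in (s for s in services if s["kind"] == "frontend"):
        origin = f"https://{host}:{fe['frontend.net.port']}"
        url = fe.get("frontend.static!dcache-view.endpoints.webdav", f"https://{host}:2880/")
        port = str(urlsplit(url).port)
        door = next((d for d in doors if d.get("webdav.net.port") == port), None)
        if tagged:
            findings.append((origin, "tagged door overrides endpoints.webdav"))
        elif door is None:
            findings.append((origin, f"no door on port {port}"))
        elif origin not in items(door, "webdav.allowed.client.origins"):
            findings.append((origin, f"door {port} does not list this origin"))
    return findings
```

On the sample, the 22882 frontend has no endpoint property, so it falls back to port 2880 and is reported because that door only lists the 22880 origin.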

onnozweers commented 3 years ago

Hi Paul, thanks for your reply.

Then I must have misunderstood this property:

# ---- Login subscription tags (doors are filtered on this basis)
#
frontend.protocols.tags=

Or is it not fully implemented yet?

And I thought I had removed the "dcache-view" tag from all WebDAV doors, but I guess I must have missed some. I'll check.

Cheers, Onno

paulmillar commented 3 years ago

The frontend.protocols.tags is the list of tags that the frontend uses when advertising itself.

We don't have a property to say which tag frontend will use to select webdav doors -- that's really the problem :-(

onnozweers commented 3 years ago

It appears I had removed all the "dcache-view" tags after all:

    453         Tags             : [cdmi, glue, srm, storage-descriptor]
      1         Tags             : [webdav2880]
      1         Tags             : [webdav2881]
      1         Tags             : [webdav2882]
      1         Tags             : [webdav2884]

Assuming it's still "dcache-view".

So then the frontend.static!dcache-view.endpoints.webdav values should be used, which would be OK, if it worked.

paulmillar commented 3 years ago

I did a little digging and although Femi fixed #231 in dCacheView, there was no release of dCacheView with that bug-fix, and therefore no fix in dCache.

I've another couple of fixes that are also ready to go into dCache (#244 & #245). These are also committed.

I plan to do a release of dCacheView now and request dCache is updated to use that new version. That new version of dCacheView (that would come along with a new version of dCache) may be sufficient to get something working, albeit not in a great way.

I'll also try to fix #251 and #252, which should make handling multiple frontend/dCacheView instances easier to deploy.