dCache / dcache

dCache - a system for storing and retrieving huge amounts of data, distributed among a large number of heterogenous server nodes, under a single virtual filesystem tree with a variety of standard access methods
https://dcache.org

dcap with gsi authn, anonymous.operations=readonly #1618

Closed rptaylor closed 10 months ago

rptaylor commented 9 years ago

Hello,

According to http://www.dcache.org/manuals/upgrade-2.10/upgrade-2.6-to-2.10.html#Services , a plain dcap service should be replaced with:

    dcap.authn.protocol = gsi
    dcap.authz.anonymous-operations = READONLY

I tried this using dcache-2.10.31-1.noarch but dccp failed:

    $ dccp dcap://charon03.westgrid.ca:32125//pnfs/westgrid-test.uvic.ca/data/atlas/atlasscratchdisk/user.rptaylor/NTUP_TOP.366711._000015.root.1 /dev/null
    Error ( POLLIN) (with data) on control line [3]
    Failed to create a control line
    Error ( POLLIN) (with data) on control line [3]
    Failed to create a control line
    Failed open file in the dCache.
    Can't open source file : Server rejected "hello"
    System error: Input/output error

And there was a stack trace:

    05 Jun 2015 14:35:24 (DCap-gsi-charon03) [] Exception (ITE) in secure protocol : {}
    java.lang.IllegalArgumentException: String length must be a multiple of four.
        at javatunnel.Base64.base64ToByteArray(Base64.java:140) ~[javatunnel-2.10.31.jar:2.10.31]
        at javatunnel.Base64.base64ToByteArray(Base64.java:120) ~[javatunnel-2.10.31.jar:2.10.31]
        at javatunnel.TunnelConverter.decode(TunnelConverter.java:58) ~[javatunnel-2.10.31.jar:2.10.31]
        at javatunnel.GssTunnel.decode(GssTunnel.java:104) ~[javatunnel-2.10.31.jar:2.10.31]
        at javatunnel.GssTunnel.verify(GssTunnel.java:195) ~[javatunnel-2.10.31.jar:2.10.31]
        at javatunnel.GsiTunnel.verify(GsiTunnel.java:93) ~[javatunnel-2.10.31.jar:2.10.31]
        at javatunnel.TunnelSocket.verify(TunnelSocket.java:170) ~[javatunnel-2.10.31.jar:2.10.31]
        at sun.reflect.GeneratedMethodAccessor8.invoke(Unknown Source) ~[na:na]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_80]
        at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_80]
        at dmg.protocols.telnet.TelnetStreamEngine.<init>(TelnetStreamEngine.java:111) ~[cells-2.10.31.jar:2.10.31]
        at dmg.cells.services.login.StreamEngineFactory.newStreamEngine(StreamEngineFactory.java:49) ~[cells-2.10.31.jar:2.10.31]
        at dmg.cells.services.login.LoginManager$RunEngineThread.run(LoginManager.java:863) ~[cells-2.10.31.jar:2.10.31]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_80]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_80]
        at dmg.cells.nucleus.CellNucleus$5.run(CellNucleus.java:742) [cells-2.10.31.jar:2.10.31]
        at java.lang.Thread.run(Thread.java:745) [na:1.7.0_80]
    05 Jun 2015 14:35:24 (DCap-gsi-charon03) [] Exception (ITE) in secure protocol : {}
    java.lang.IllegalArgumentException: String length must be a multiple of four.
        at javatunnel.Base64.base64ToByteArray(Base64.java:140) ~[javatunnel-2.10.31.jar:2.10.31]
        at javatunnel.Base64.base64ToByteArray(Base64.java:120) ~[javatunnel-2.10.31.jar:2.10.31]
        at javatunnel.TunnelConverter.decode(TunnelConverter.java:58) ~[javatunnel-2.10.31.jar:2.10.31]
        at javatunnel.GssTunnel.decode(GssTunnel.java:104) ~[javatunnel-2.10.31.jar:2.10.31]
        at javatunnel.GssTunnel.verify(GssTunnel.java:195) ~[javatunnel-2.10.31.jar:2.10.31]
        at javatunnel.GsiTunnel.verify(GsiTunnel.java:93) ~[javatunnel-2.10.31.jar:2.10.31]
        at javatunnel.TunnelSocket.verify(TunnelSocket.java:170) ~[javatunnel-2.10.31.jar:2.10.31]
        at sun.reflect.GeneratedMethodAccessor8.invoke(Unknown Source) ~[na:na]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_80]
        at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_80]
        at dmg.protocols.telnet.TelnetStreamEngine.<init>(TelnetStreamEngine.java:111) ~[cells-2.10.31.jar:2.10.31]
        at dmg.cells.services.login.StreamEngineFactory.newStreamEngine(StreamEngineFactory.java:49) ~[cells-2.10.31.jar:2.10.31]
        at dmg.cells.services.login.LoginManager$RunEngineThread.run(LoginManager.java:863) ~[cells-2.10.31.jar:2.10.31]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_80]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_80]
        at dmg.cells.nucleus.CellNucleus$5.run(CellNucleus.java:742) [cells-2.10.31.jar:2.10.31]
        at java.lang.Thread.run(Thread.java:745) [na:1.7.0_80]

rptaylor commented 9 years ago

When I changed to dcap.authn.protocol = plain it worked. Several issues:

  1. The documentation seems wrong?
  2. "A stack trace is a bug" :)
  3. Actually I would have thought this should work. Even if GSI is used, if I'm anonymous I should be able to read only.

Thanks!

gbehrmann commented 9 years ago

Yes, it's a documentation bug and a stack trace for a client protocol violation is a bug too.

As for item 3, it would probably work if you used a gsidcap URI - otherwise it is like requiring that you can use http:// against a TLS enabled endpoint.

gbehrmann commented 9 years ago

@kofemann, could you take care of item 1 and 2?

kofemann commented 9 years ago

The documentation is fixed. The stacktrace fix is more complicated, as this is a result of passing plain text instead of base64. But I will try to fix that as well.
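Added example, not part of the original thread and not dCache code: one way a server can treat a non-base64 handshake line from an untrusted peer as a protocol violation and log a single line instead of a stack trace. It assumes Java 8+ `java.util.Base64` rather than `javatunnel.Base64`; the class, the methods `decodeToken` and `handle`, the log wording and the sample inputs are all hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public class TunnelLineCheck {
    // Hypothetical helper, not dCache's javatunnel API: decode one handshake
    // line from an untrusted peer, treating malformed base64 as a protocol
    // violation rather than as an unexpected exception.
    static Optional<byte[]> decodeToken(String line) {
        if (line == null || line.isEmpty() || line.length() % 4 != 0) {
            // The condition behind "String length must be a multiple of four."
            return Optional.empty();
        }
        try {
            return Optional.of(Base64.getDecoder().decode(line));
        } catch (IllegalArgumentException e) {
            // Right length, but illegal characters or bad padding.
            return Optional.empty();
        }
    }

    // One short log line per rejected connection: no stack trace, and the
    // peer's raw bytes are not echoed into the log.
    static String handle(String peer, String line) {
        return decodeToken(line)
                .map(t -> "accepted " + t.length + "-byte token from " + peer)
                .orElse("rejected " + peer + ": handshake line is not base64"
                        + " (plain client on a secured port?)");
    }

    public static void main(String[] args) {
        // Constructed inputs: a base64-encoded token and a plaintext greeting.
        String token = Base64.getEncoder().encodeToString(
                "constructed-gss-token".getBytes(StandardCharsets.UTF_8));
        System.out.println(handle("192.0.2.10", token));
        System.out.println(handle("192.0.2.11", "0 0 client hello 0 0 0 0"));
    }
}
```

The constructed plaintext greeting happens to be 24 characters long, so it passes the length check and is rejected by the decoder instead; both failure paths end in the same one-line rejection.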

rptaylor commented 10 months ago

We don't use dcap anymore so this may not be relevant anymore.