ivmfnal / metacat

Metadata Catalog
BSD 3-Clause "New" or "Revised" License

Authenticating via kx509 from cern fails - url query returns 403 #25

Closed hschellman closed 1 year ago

hschellman commented 1 year ago

Hello, I'm at CERN and am trying to use kx509 authentication to access metacat.

Any ideas? Here are the details. Of course my $USER=hschellm since I'm at CERN, so maybe that's the issue? But no debug info from the authentication step.

```
metacat version
MetaCat Server URL:        https://metacat.fnal.gov:9443/dune_meta_demo/app
Authentication server URL: https://metacat.fnal.gov:8143/auth/dune
Server version:            3.27.2
Client version:            3.27.0
```

I think I have a valid kx509 as I can access files interactively via xrdcp

```
[hschellm@lxplus794 hschellm]$ xrdcp root://fndca1.fnal.gov:1094/pnfs/fnal.gov/usr/dune/scratch/users/schellma/myout/time.db .
Plugin version SecClnt v5.1.0 is incompatible with secztn v5.5.2 (must be <= 5.1.x) in sec.protocol libXrdSecztn-5.so
[24kB/24kB][100%][==================================================][12kB/s]
```

but when I try to authorize to metacat I get an error

```
echo $X509_USER_PROXY
/tmp/x509up_u79129

metacat auth login -m x509 schellma
Authentication error: Authentication failed
```

with no error log to tell me why it failed.

I put in print statements and the url query is returning 403.

```
voms-proxy-info --all
subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=hschellm/CN=514437/CN=Heidi Marie Schellman/CN=666041349
issuer    : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=hschellm/CN=514437/CN=Heidi Marie Schellman
identity  : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=hschellm/CN=514437/CN=Heidi Marie Schellman
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u79129
timeleft  : 23:41:22
key usage : Digital Signature, Key Encipherment
=== VO dune extension information ===
VO        : dune
subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=hschellm/CN=514437/CN=Heidi Marie Schellman
issuer    : /DC=org/DC=incommon/C=US/ST=Illinois/O=Fermi Research Alliance/CN=voms1.fnal.gov
attribute : /dune/Role=Analysis/Capability=NULL
attribute : /dune/Role=NULL/Capability=NULL
timeleft  : 23:41:21
uri       : voms1.fnal.gov:15042
```

hschellman commented 1 year ago

Correction, I am not physically at CERN, virtually testing from there.

ivmfnal commented 1 year ago

Please use

```
$ metacat auth mydn
```

hschellman commented 1 year ago

```
metacat auth mydn
CN=1747757498,CN=551566791,CN=Heidi Marie Schellman,CN=514437,CN=hschellm,OU=Users,OU=Organic Units,DC=cern,DC=ch
```

On Feb 24, 2023, at 9:14 AM, Igor Mandrichenko @.***> wrote:


> please use
>
> $ metacat auth mydn



Heidi Schellman Oregon State Physics DUNE Collaboration

"This is the way the world ends This is the way the world ends This is the way the world ends Not with a bang but with an expired cert."

ivmfnal commented 1 year ago

You need to add this DN to the list of your DNs in the MetaCat database:

  1. Log in to MetaCat GUI using services password
  2. Go to your user profile https://metacat.fnal.gov:9443/dune_meta_demo/app/gui/user?username=schellma
  3. Copy-paste the output from "metacat auth mydn" into blank text box in front of Add button
  4. Click Add
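
The DN that `metacat auth mydn` prints is in comma form, least significant component first, while `voms-proxy-info` prints the slash form in the opposite order. The following is an added example, not MetaCat code and not part of the original thread, that parses both forms so they can be compared before pasting a DN into the profile page. The function names are this example's own, and it makes no claim about how the MetaCat server matches DNs.

```python
"""Added example: compare X.509 DNs that tools print in different string forms."""

def parse_dn(text):
    """Return the DN as a list of (type, value) pairs, most significant RDN first.

    Accepts the slash form shown by voms-proxy-info (/DC=ch/.../CN=x) and the
    comma form shown by `metacat auth mydn` (CN=x,...,DC=ch).
    Simplification: no escaped separators and no multi-valued RDNs.
    """
    text = text.strip()
    if text.startswith("/"):
        parts = text[1:].split("/")      # slash form: most significant first
    else:
        parts = text.split(",")[::-1]    # comma form: least significant first
    rdns = []
    for part in parts:
        key, sep, value = part.strip().partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((key.upper(), value.strip()))
    return rdns

def same_dn(a, b):
    """True when both strings name the same DN, whatever form each is in."""
    return parse_dn(a) == parse_dn(b)

def proxy_depth(identity, subject):
    """Count the extra CN RDNs `subject` appends to `identity`; -1 if unrelated."""
    ident, subj = parse_dn(identity), parse_dn(subject)
    extra = subj[len(ident):]
    if subj[:len(ident)] != ident or any(k != "CN" for k, _ in extra):
        return -1
    return len(extra)

# Values copied from the command output quoted in this thread.
IDENTITY = ("/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=hschellm/CN=514437/"
            "CN=Heidi Marie Schellman")
VOMS_SUBJECT = IDENTITY + "/CN=666041349"
MYDN = ("CN=1747757498,CN=551566791,CN=Heidi Marie Schellman,CN=514437,"
        "CN=hschellm,OU=Users,OU=Organic Units,DC=cern,DC=ch")

if __name__ == "__main__":
    print("voms subject vs identity:", proxy_depth(IDENTITY, VOMS_SUBJECT))
    print("mydn output vs identity: ", proxy_depth(IDENTITY, MYDN))
    print("voms subject == mydn:    ", same_dn(VOMS_SUBJECT, MYDN))
```
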
hschellman commented 1 year ago

That worked, maybe add an error message that tells people to do this if you get a 403 back? Right now it’s pretty hard to diagnose.

```
metacat auth mydn
CN=1747757498,CN=551566791,CN=Heidi Marie Schellman,CN=514437,CN=hschellm,OU=Users,OU=Organic Units,DC=cern,DC=ch
@.*** batch]$ metacat auth login -m x509 schellma
https://metacat.fnal.gov:8143/auth/dune/auth?method=x509&username=schellma ('/tmp/x509up_u79129', '/tmp/x509up_u79129') 200
User: schellma
Expires: Fri Mar 3 18:34:10 2023
```

On Feb 24, 2023, at 9:29 AM, Igor Mandrichenko @.***> wrote:


> You need to add this DN to the list of your DNs in the MetaCat database:
>
> • Log in to MetaCat GUI using services password
> • Go to your user profile https://metacat.fnal.gov:9443/dune_meta_demo/app/gui/user?username=schellma
> • Copy-paste the output from "metacat auth mydn" into blank text box in front of Add button
> • Click Add

