Hello, I have what seems to be a race condition writing files through a proxy server. The proxy passes the credentials to the origin, where the multiuser plugin is used to write the file as a default_user mapped in scitokens.cfg.
If I run the same xrdcp repeatedly, it will work ~90% of the time, occasionally failing with "permission denied", which I assume happens because the origin server does not switch UIDs in that instance(?). I can find no pattern to the failure. When writing directly to the origin, bypassing the proxy, it always succeeds. I suspect something in the config of the proxy, or some race condition on the origin related to sss+ztn and multiuser.
Here are the two configs and examples of log files from both the successful and the failing cases.
Any pointers greatly appreciated.
proxy config (dtn2201):
all.export /
ofs.osslib libXrdPss.so
ofs.ckslib * libXrdPss.so
pss.origin roots://scifs2103.jlab.org:1094
pss.persona client strict verify
xrootd.tls all
xrd.tls /etc/grid-security/xrd/hostcert.pem /etc/grid-security/xrd/hostkey.pem
xrd.tlsca certdir /etc/grid-security/certificates
xrootd.seclib default
ofs.authorize
acc.authdb /etc/xrootd/Authfile
acc.authrefresh 60
ofs.authlib libXrdAccSciTokens.so
sec.protocol ztn
sec.protocol sss -k -s /etc/xrootd/p3.keytab -c /etc/xrootd/p3.keytab --getcreds --proxy ztn
all.adminpath /var/spool/xrootd
all.pidpath /var/run/xrootd
sec.trace debug
ofs.trace all
xrootd.trace all
scitokens.trace all debug
ztn.trace all debug
auth.trace all debug
pss.trace all debug
origin config (scifs2103):
all.export /eic
oss.localroot /xrd
xrd.port 1094
all.role server
xrootd.seclib default
xrootd.tls all
xrd.tls /etc/grid-security/xrd/hostcert.pem /etc/grid-security/xrd/hostkey.pem
xrd.tlsca certdir /etc/grid-security/certificates
ofs.osslib ++ libXrdMultiuser.so
ofs.ckslib ++ libXrdMultiuser.so
ofs.authlib libXrdAccSciTokens.so
#ofs.authlib ++ libXrdAccSciTokens.so
ofs.authorize
acc.authdb /etc/xrootd/Authfile
acc.authrefresh 60
all.manager xrdmgr1 3121
sec.protocol ztn
sec.protocol sss -k -s /etc/xrootd/p3.keytab -c /etc/xrootd/p3.keytab --getcreds --proxy ztn
all.adminpath /var/spool/xrootd
all.pidpath /var/run/xrootd
ofs.trace all debug
oss.trace all debug
auth.trace all debug
scitokens.trace all debug
xrootd.trace all
pss.trace all debug
Command line examples, no changes in between:
proxy log for the failing case:
origin log for the failing case:
proxy log, working case:
origin log, good case:
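A consistency check over the two configs quoted above, added here as an example that is not part of the original post or of XRootD: it parses the directive format and flags the static mismatches that would break a token write forwarded through the proxy (ztn and TLS on both sides, sss options that differ between proxy and origin, multiuser not stacked on the origin). The embedded config text is constructed from the post and trimmed to the lines the check inspects.

```python
import shlex

# Constructed from the two configs in the post, keeping only the lines the check inspects.
PROXY_CFG = """xrootd.tls all
sec.protocol ztn
sec.protocol sss -k -s /etc/xrootd/p3.keytab -c /etc/xrootd/p3.keytab --getcreds --proxy ztn"""
ORIGIN_CFG = """xrootd.tls all
ofs.osslib ++ libXrdMultiuser.so
sec.protocol ztn
sec.protocol sss -k -s /etc/xrootd/p3.keytab -c /etc/xrootd/p3.keytab --getcreds --proxy ztn"""

def parse_cfg(text):
    """Map each directive to the argument vectors given for it; '#' lines are comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, *args = shlex.split(line)
            cfg.setdefault(key, []).append(args)
    return cfg

def protocol_args(cfg, name):
    """Arguments of 'sec.protocol <name> ...', or None if that protocol is not configured."""
    return next((a[1:] for a in cfg.get("sec.protocol", []) if a[:1] == [name]), None)

def opt_value(args, flag):
    """Value that follows a flag such as '-s' or '--proxy'; None if the flag is absent."""
    i = args.index(flag) + 1 if flag in args else len(args)
    return args[i] if i < len(args) else None

def check_forwarding(proxy_text, origin_text):
    """Findings for the proxy/origin pair; an empty list means every checked point is consistent."""
    proxy, origin, findings = parse_cfg(proxy_text), parse_cfg(origin_text), []
    for side, cfg in (("proxy", proxy), ("origin", origin)):
        if protocol_args(cfg, "ztn") is None:
            findings.append(f"{side}: sec.protocol ztn missing, so tokens are not accepted")
        if ["all"] not in cfg.get("xrootd.tls", []):
            findings.append(f"{side}: xrootd.tls all missing; ztn requires TLS")
    p_sss, o_sss = protocol_args(proxy, "sss"), protocol_args(origin, "sss")
    if p_sss is None or o_sss is None:
        findings.append("sss must be configured on both sides for the origin to trust the proxy")
    else:
        for flag in ("--proxy", "-s"):  # same path on both hosts still does not prove the same key
            if opt_value(p_sss, flag) != opt_value(o_sss, flag):
                findings.append(f"sss {flag} differs between proxy and origin")
    if not any(a[:1] == ["++"] and "libXrdMultiuser.so" in a for a in origin.get("ofs.osslib", [])):
        findings.append("origin: libXrdMultiuser.so is not stacked with 'ofs.osslib ++'")
    return findings
```

A clean result for the configs as posted means the intermittent failure is not a static mismatch between the two files, which leaves the per-request identity switch on the origin as the thing to compare between the good and failing logs.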