rucio / k8s-tutorial

Rucio K8s tutorial

rucio upload fails due to authentication issue with xrootd #16

Open maxnoe opened 8 months ago

maxnoe commented 8 months ago

The commands here seem to be missing the crucial step of creating an authentication proxy for xrootd.

Checking the test setup in the main rucio repository, it creates the proxy like this: https://github.com/rucio/rucio/blob/788a0d43fa1caa141efcaaa2780765913a8a49be/tools/docker_activate_rses.sh#L35

Calling this line first makes upload / download succeed.

rdimaio commented 1 month ago

I was not able to reproduce this issue - Following the commands, both upload and download work for me:

[user@client ~]$ rucio upload --rse XRD1 --scope test file1
2024-09-25 15:40:27,941 INFO    Preparing upload for file file1
2024-09-25 15:40:28,047 INFO    Successfully added replica in Rucio catalogue at XRD1
2024-09-25 15:40:28,144 INFO    Successfully added replication rule at XRD1
240925 15:40:28 091 cryptossl_X509CreateProxy: Your identity: /CN=Rucio User
2024-09-25 15:40:28,838 INFO    Trying upload with root to XRD1
2024-09-25 15:40:29,181 INFO    Successful upload of temporary file. root://xrd1:1094//rucio/test/80/25/file1.rucio.upload
2024-09-25 15:40:29,220 INFO    Successfully uploaded file file1
[user@client ~]$ rucio download test:file1
2024-09-25 15:43:20,755 INFO    Processing 1 item(s) for input
2024-09-25 15:43:20,911 INFO    No preferred protocol impl in rucio.cfg: No section: 'download'
2024-09-25 15:43:20,912 INFO    Using main thread to download 1 file(s)
2024-09-25 15:43:20,912 INFO    Preparing download of test:file1
2024-09-25 15:43:20,925 INFO    Trying to download with root and timeout of 80s from XRD1: test:file1
2024-09-25 15:43:20,985 INFO    Using PFN: root://xrd1:1094//rucio/test/80/25/file1
TLS: Unable to create TLS context; invalid private key.
TLS: 4006980C107F0000:error:05800074:x509 certificate routines:X509_check_private_key:key values mismatch:crypto/x509/x509_cmp.c:405:

2024-09-25 15:43:21,308 INFO    File test:file1 successfully downloaded. 10.486 MB in 0.31 seconds = 33.83 MBps
----------------------------------
Download summary
----------------------------------------
DID test:file1
Total files (DID):                            1
Total files (filtered):                       1
Downloaded files:                             1
Files already found locally:                  0
Files that cannot be downloaded:              0

The only suspicious log is:

TLS: Unable to create TLS context; invalid private key.
TLS: 4006980C107F0000:error:05800074:x509 certificate routines:X509_check_private_key:key values mismatch:crypto/x509/x509_cmp.c:405:

Even after creating the proxy via:

(KEY=$(mktemp); cat /opt/rucio/etc/userkey.pem > "$KEY"; voms-proxy-init -valid 9999:00 -cert /opt/rucio/etc/usercert.pem -key "$KEY"; rm -f "$KEY")

If I retry to upload/download, it succeeds, but it outputs that TLS message. Not sure if it's an issue - @bari12 what do you think?
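
Added example, not part of the thread and not Rucio or XRootD code: the `key values mismatch` line in the log above is reported by OpenSSL's `X509_check_private_key` when a certificate's public key does not correspond to the private key loaded with it. The script below runs the same comparison with the `openssl` CLI; the function names are hypothetical, the sample pair is constructed, and the key is assumed to be an unencrypted PEM file.

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread): does a certificate's public key
# belong to a given private key? "key values mismatch" from
# X509_check_private_key means the two differ.

# Print the public key (PEM) embedded in certificate $1.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the public key (PEM) derived from private key $1.
# Assumption: the key is unencrypted; "-passin pass:" only avoids a prompt.
key_pubkey() {
    openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null
}

# Return 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_key_match() {
    local from_cert from_key
    from_cert=$(cert_pubkey "$1") || return 2
    from_key=$(key_pubkey "$2") || return 2
    [ -n "$from_cert" ] && [ -n "$from_key" ] || return 2
    [ "$from_cert" = "$from_key" ]
}

# Constructed sample input: throwaway self-signed pair in $1/$2.{crt,key}.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample $2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Check real files when two paths are given: <cert.pem> <key.pem>
if [ "$#" -eq 2 ]; then
    rc=0
    cert_key_match "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "match" ;;
        1) echo "MISMATCH: certificate and key do not belong together" ;;
        *) echo "could not read certificate or key" ;;
    esac
fi
```

Run with `/opt/rucio/etc/usercert.pem` and `/opt/rucio/etc/userkey.pem` as the two arguments to check the pair used in the `voms-proxy-init` command above.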

bari12 commented 1 month ago

I think this is fine. @maxnoe can you try again with the latest main branch?

maxnoe commented 1 month ago

@bari12 I still don't see voms-proxy-init being mentioned anywhere in this repository, neither in the README for manually following the steps, nor in the automated scripts.

So XROOTD authentication will not work as described in the issue. Only the xrootd-noauth variant will work.