search

scikit-hep / uproot5

ROOT I/O in pure Python and NumPy.
https://uproot.readthedocs.io
BSD 3-Clause "New" or "Revised" License
241 stars 76 forks source link

Uproot 5.2.0+ no longer respects URL parameters #1168

Open chrisburr opened 8 months ago

chrisburr commented 8 months ago

Since moving to fsspec uproot now strips URL parameters from XRootD URLs. In this case I use them to add EOS tokens to authenticate, but I've also known them be required to even access files for quirks of the storage system.

Running this on lxplus at CERN:

export MYEOSTOKEN=$(eos token --path /eos/lhcb/user/c/cburr/test1/ --permission r)
# Destroy kerberos credentials so the token in the URL is the only available auth method
kdestroy
In [1]: import os
   ...: import uproot
   ...: print(f"{uproot.__version__}")
   ...: f = uproot.open(f"root://eoslhcb.cern.ch//eos/lhcb/user/c/cburr/test.root?xrd.wantprot=unix&authz={os.environ['MYEOSTOKEN']}")
   ...: f.keys()
5.2.2

... truncated

OSError: File did not open properly: [ERROR] Server responded with an error: [3010] Unable to give access - user access restricted - unauthorized identity used ; Permission denied
In [1]: import os
   ...: import uproot
   ...: print(f"{uproot.__version__}")
   ...: f = uproot.open(f"root://eoslhcb.cern.ch//eos/lhcb/user/c/cburr/test.root?xrd.wantprot=unix&authz={os.environ['MYEOSTOKEN']}")
   ...: f.keys()
5.1.2
Out[1]:
['HltRoutingBitsMonitor;1',
 'HltRoutingBitsMonitor/rb_frac;1',
 'HltRoutingBitsMonitor/rb_count;1',
 'HltDecReportsMonitor;1',
 'HltDecReportsMonitor/pass_frac_ul;1',
 'HltDecReportsMonitor/pass_frac;1',
 'HltDecReportsMonitor/pass_count_ul;1',
 'HltDecReportsMonitor/pass_count;1']
nsmith- commented 3 months ago

This is due to https://github.com/CoffeaTeam/fsspec-xrootd/issues/64

nsmith- commented 3 months ago

As an aside, you can do this with http as well:

url = "https://eoslhcb.cern.ch//eos/lhcb/user/c/cburr/test.root?xrd.wantprot=unix&authz=" + token
fin = uproot.open(url, verify_ssl=False)
fin.keys()

or equivalently,

fin = uproot.open(url, verify_ssl=False, params={"xrd.wantprot": "unix", "authz": token})

Edit: to be secure on a machine without IGTF grid certificates trusted systemwide you can download the CERN CA, convert it to pem:

openssl x509 -in CERN\ Root\ Certification\ Authority\ 2.crt -out CERN\ Root\ Certification\ Authority\ 2.pem -outform PEM

and load it with

import ssl

sslctx = ssl.create_default_context()
sslctx.load_verify_locations("CERN Root Certification Authority 2.pem")
fin = uproot.open(
    url,
    ssl=sslctx,
    params={"xrd.wantprot": "unix", "authz": token},
)

though at this point one might as well use x509 user certs as in #1241