1 instance configuration for both CMS (gsi) and ALICE experiments

Hello,

I’m facing a problem getting my EOS instance working for both CMS (gsi) and ALICE (token) experiments.

Without the ALICE token stuff in /etc/xrd.cf.mgm, i.e. with these lines commented out:

# mgmofs.authlib /usr/lib64/libXrdAliceTokenAcc.so
# mgmofs.authorize 1
# alicetokenacc.noauthzhost localhost
# alicetokenacc.noauthzhost localhost.localdomain

then I have access to files using gsi :

[pugnere@lyoui1:~] $ eos -b root://lyoeosmgm1.in2p3.fr whoami
Virtual Identity: uid=2059 (99,2059) gid=110 (99,110) [authz:gsi] host=lyoui1.in2p3.fr domain=in2p3.fr

Then, when I enable ALICE token Authorization (i.e. uncomment) :

mgmofs.authlib /usr/lib64/libXrdAliceTokenAcc.so
mgmofs.authorize 1
alicetokenacc.noauthzhost localhost
alicetokenacc.noauthzhost localhost.localdomain

and the file /etc/grid-security/xrootd/TkAuthz.Authorization contains :

EXPORT   PATH:/ VO:*     ACCESS:ALLOW CERT:*
RULE     PATH:/eos/lyoeos.in2p3.fr/grid/alice/  AUTHZ:|  NOAUTHZ:delete|read|write|write-once| VO:*| CERT:IGNORE
KEY VO:* PRIVKEY:/etc/grid-security/xrootd/privkey.pem PUBKEY:/etc/grid-security/xrootd/pubkey.pem

Then, gsi doesn’t work anymore :

[pugnere@lyoui1:~] $ eos -b root://lyoeosmgm1.in2p3.fr whoami
error: errc=3010 msg="[ERROR] Error response: Permission denied" (errc=3010) (Unknown error 3010)

In the MGM log files :

200909 17:15:58 10766 XrootdXeq: pugnere.65863:368@lyoui1 pub IPv4 login as pugnere
200909 17:15:58 time=1599664558.410408 func=IdMap                    level=INFO  logid=static.............................. unit=mgm@lyoeosmgm1.in2p3.fr:1094 tid=00007efc3affe700 source=Mapping:993                    tident= sec=(null) uid=99 gid=99 name=- geo="" sec.prot=gsi sec.name="pugnere" sec.host="lyoui1.in2p3.fr" sec.vorg="" sec.grps="" sec.role="" sec.info="/O=GRID-FR/C=FR/O=CNRS/OU=IPNL/CN=Denis Pugnere" sec.app="" sec.tident="pugnere.65863:368@lyoui1" vid.uid=2059 vid.gid=110
200909 17:15:58 time=1599664558.410456 func=open                     level=INFO  logid=5d24a8f6-f2af-11ea-a06f-7845c4fc35a5 unit=mgm@lyoeosmgm1.in2p3.fr:1094 tid=00007efc3affe700 source=XrdMgmOfsFile:462              tident=pugnere.65863:368@lyoui1 sec=gsi   uid=2059 gid=110 name=pugnere geo="" op=read path=/proc/user/ info=mgm.cmd=whoami
200909 17:15:58 time=1599664558.410508 func=Emsg                     level=ERROR logid=5d24a8f6-f2af-11ea-a06f-7845c4fc35a5 unit=mgm@lyoeosmgm1.in2p3.fr:1094 tid=00007efc3affe700 source=XrdMgmOfsFile:3094             tident=pugnere.65863:368@lyoui1 sec=gsi   uid=2059 gid=110 name=pugnere geo="" Unable to execute proc command - you don't have the requested permissions for that operation (1) /proc/user/; Operation not permitted
200909 17:15:58 10766 XrootdXeq: pugnere.65863:368@lyoui1 disc 0:00:00

I’ve been stuck for a long time on this authorization problem.
I’d appreciate your suggestions or comments.
Best regards,
Denis
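
A triage sketch for the MGM log quoted above, added as an example and not part of the original posts or of EOS: it pairs the Emsg error with the request line sharing its logid, which shows the client was already authenticated via gsi and mapped to uid 2059 when the request was denied. The function names and the treatment of uid 99 as the unmapped identity are assumptions.

```python
import re
from collections import defaultdict

KV = re.compile(r'([A-Za-z][\w.]*)=("[^"]*"|\S*)')   # key=value or key="quoted value"
MSG = re.compile(r'geo="[^"]*"\s+(.*)$')             # free text after the last field
NOBODY_UID = "99"  # assumption: 99 is the unmapped identity, as on the IdMap line

# Constructed sample: the IdMap/open/Emsg lines from the post, unwrapped;
# the IdMap line is shortened and field padding is collapsed.
SAMPLE_LOG = """\
200909 17:15:58 time=1599664558.410408 func=IdMap level=INFO logid=static unit=mgm@lyoeosmgm1.in2p3.fr:1094 source=Mapping:993 tident= sec=(null) uid=99 gid=99 name=- geo="" sec.prot=gsi sec.name="pugnere" vid.uid=2059 vid.gid=110
200909 17:15:58 time=1599664558.410456 func=open level=INFO logid=5d24a8f6-f2af-11ea-a06f-7845c4fc35a5 unit=mgm@lyoeosmgm1.in2p3.fr:1094 source=XrdMgmOfsFile:462 tident=pugnere.65863:368@lyoui1 sec=gsi uid=2059 gid=110 name=pugnere geo="" op=read path=/proc/user/ info=mgm.cmd=whoami
200909 17:15:58 time=1599664558.410508 func=Emsg level=ERROR logid=5d24a8f6-f2af-11ea-a06f-7845c4fc35a5 unit=mgm@lyoeosmgm1.in2p3.fr:1094 source=XrdMgmOfsFile:3094 tident=pugnere.65863:368@lyoui1 sec=gsi uid=2059 gid=110 name=pugnere geo="" Unable to execute proc command - you don't have the requested permissions for that operation (1) /proc/user/; Operation not permitted
"""

def parse(line):
    """Split one MGM log line into its key=value fields (plus msg on errors)."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    if fields.get("level") == "ERROR":
        m = MSG.search(line)
        fields["msg"] = m.group(1) if m else ""
    return fields

def denied_requests(log):
    """Pair each 'not permitted' error with the request sharing its logid."""
    by_id = defaultdict(list)
    for line in log.splitlines():
        f = parse(line)
        if "logid" in f:
            by_id[f["logid"]].append(f)
    report = []
    for logid, recs in by_id.items():
        err = next((r for r in recs if "not permitted" in r.get("msg", "")), None)
        if err is None:
            continue
        req = next((r for r in recs if "path" in r), {})
        # A real protocol and a mapped uid mean authentication already succeeded.
        mapped = err.get("sec", "(null)") != "(null)" and err.get("uid") != NOBODY_UID
        report.append({"logid": logid, "sec": err.get("sec"), "uid": err.get("uid"),
                       "op": req.get("op"), "path": req.get("path"),
                       "cmd": req.get("info"),
                       "stage": "authorization" if mapped else "authentication"})
    return report

if __name__ == "__main__":
    for r in denied_requests(SAMPLE_LOG):
        print(r)
```
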

Hi Denis,
we had a similar thing happening here: Install eod :: mgm configuration

If I remember this correctly, the eos client itself will not work in this situation. We ended up relying on the xrdcp / xrdfs clients that do work fine with GSI certificates.

edit:
we also see the exact same error with the EOS client, i.e.

Unable to execute proc command - you don't have the requested permissions for that operation (1) /proc/user/; Operation not permitted

Best,
Erich