Dear Elvin
I see the following behavior on eos 5.1.9
when my DN is mapped ( to some account) and
I use x509 to create a eos macaroon
I got 230426 16:50:54 time=1682520654.844667 func=IdMap level=INFO logid=static.............................. unit=mgm@grid23.lal.in2p3.fr:1094 tid=00007f6c877fb700 source=Mapping:1000 tident= sec=(null) uid=99 gid=99 name=- geo="" sec.prot=https sec.name="" sec.host="[::ffff:134.158.72.161]" sec.vorg="" sec.grps="" sec.role="" sec.info="" sec.app="http" sec.tident="http" vid.uid=5000 vid.gid=5005
230426 16:50:54 time=1682520654.848706 func=IdMap level=INFO logid=static.............................. unit=mgm@grid23.lal.in2p3.fr:1094 tid=00007f6c877fb700 source=Mapping:1000 tident= sec=(null) uid=99 gid=99 name=- geo="" sec.prot=https sec.name="dtes" sec.host="[::ffff:134.158.72.161]" sec.vorg="" sec.grps="" sec.role="" sec.info="" sec.app="http" sec.tident="http" vid.uid=5000 vid.gid=5005
230426 16:50:54 time=1682520654.850977 func=open level=INFO logid=bf199928-e441-11ed-a6d8-44a8423af928 unit=mgm@grid23.lal.in2p3.fr:1094 tid=00007f6c877fb700 source=XrdMgmOfsFile:3210 tident=http sec=https uid=5000 gid=5005 name=dtes geo="" path=/eos/grif/dteam/alekos open:rt=2.14 io:bw=inf io:sched=0 io:type=buffered io:prio=default io:redirect=grid21.lal.in2p3.fr:11001 duration=2.162ms timing=IdMap=0.066ms fid::fetch=0.067ms fid::fetched=0.000ms authorize=0.124ms authorized=0.007ms path-computed=0.003ms container::fetched=0.154ms write::begin=0.120ms write::end=0.947ms Policy::begin=0.003ms Policy::end=0.115ms Scheduler::FilePlacement=0.253ms Scheduler::FilePlaced=0.078ms end=0.225ms Open=2.162ms
and the curl upload works fine , with
export DST=https://grid23.lal.in2p3.fr:11000/eos/grif/dteam/alekos
export TDST=$(curl --silent --cert /tmp/x509up_u$(id -u) --key /tmp/x509up_u$(id -u) --cacert /tmp/x509up_u$(id -u) --capath /etc/grid-security/certificates -X POST -H 'Content-Type: application/macaroon-request' -d '{"caveats": ["activity:UPLOAD,DELETE,DOWNLOAD,UPLOAD,LIST,MANAGE"], "validity": "PT3000M"}' "$DST" | jq -r '.macaroon')
echo $TDST
curl -L -v --capath /etc/grid-security/certificates -H "Authorization: Bearer $TDST" $DST.$RANDOM --upload /etc/hosts
when I do not map explicitly the my DN in gridmap-file and left the VID to make the mapping ( which is also configured in the first case).
I got
Secgsi GRIDmap file: /etc/grid-security/grid-mapfile
Secgsi GRIDmap option: trymap,usedn
Secgsi GRIDmap cache entries expiration (secs): 1
=====> sec.protocol gsi -crl:0 -cert:/etc/grid-security/daemon/hostcert.pem -key:/etc/grid-security/daemon/hostkey.pem -gridmap:/etc/grid-security/grid-mapfile -d:2 -gmapopt:11 -vomsat:1 -moninfo:1 -gmapto:1
=====> http.gridmap /etc/grid-security/grid-mapfile
230426 16:52:14 time=1682520734.060240 func=IdMap level=INFO logid=static… unit=mgm@grid23.lal.in2p3.fr:1094 tid=00007fa2c8c08700 source=Mapping:1000 tident= sec=(null) uid=99 gid=99 name=- geo=“” sec.prot=https sec.name=“” sec.host=“[::ffff:134.158.72.161]” sec.vorg=“” sec.grps=“” sec.role=“” sec.info=“” sec.app=“http” sec.tident=“http” vid.uid=99 vid.gid=99
230426 16:52:14 time=1682520734.064782 func=IdMap level=INFO logid=static… unit=mgm@grid23.lal.in2p3.fr:1094 tid=00007fa2c8c08700 source=Mapping:1000 tident= sec=(null) uid=99 gid=99 name=- geo=“” sec.prot=https sec.name=“99” sec.host=“[::ffff:134.158.72.161]” sec.vorg=“” sec.grps=“” sec.role=“” sec.info=“” sec.app=“http” sec.tident=“http” vid.uid=99 vid.gid=99
230426 17:00:01 time=1682521201.697935 func=IdMap level=INFO logid=static… unit=mgm@grid23.lal.in2p3.fr:1094 tid=00007fa2c8c08700 source=Mapping:1000 tident= sec=(null) uid=99 gid=99 name=- geo=“” sec.prot=sss sec.name=“daemon” sec.host=“localhost” sec.vorg=“” sec.grps=“daemon” sec.role=“” sec.info=“” sec.app=“” sec.tident=“root.2259243:465@localhost” vid.uid=0 vid.gid=0
and the upload is failed
I have :
> case a) 230426 16:50:54 2251795 sysMacaroonGen: ID=51665f92-325d-476d-be8e-9522ffc30cb1, resource=/eos/grif/dteam/alekos, protocol=gsi, name=dtes, host=[::ffff:134.158.72.161], vorg=dteam, role=NULL, groups=/dteam, endorsements=/dteam/Role=NULL/Capability=NULL, base_activities=activity:READ_METADATA,UPLOAD,DOWNLOAD,DELETE,MANAGE,UPDATE_METADATA,LIST, user_caveat=activity:UPLOAD,DELETE,DOWNLOAD,UPLOAD,LIST,MANAGE, expires=2023-04-27T14:50:54Z
and
`case b) 230426 16:52:13 2253305 sysMacaroonGen: ID=cfad8c1d-df97-4662-bbbb-2b688b32c13f, resource=/eos/grif/dteam/alekos, protocol=gsi, name=719340ae.0, host=[::ffff:134.158.72.161], vorg=dteam, role=NULL, groups=/dteam, endorsements=/dteam/Role=NULL/Capability=NULL, base_activities=activity:READ_METADATA,UPLOAD,DOWNLOAD,DELETE,MANAGE,UPDATE_METADATA,LIST, user_caveat=activity:UPLOAD,DELETE,DOWNLOAD,UPLOAD,LIST,MANAGE, expires=2023-04-27T14:52:13Z`
eos vid ls |grep dteam
voms:“/dteam:”:gid => dteam
voms:“/dteam:”:uid => dte000
thus we could not remove completely the grid-mapfile for some DN as the upload with macaroon failed
this behaviour is lack of functionality or bug ?
thank you in advance
best
e.v.