
EOS vid and unix authentication

Hello,

I am trying to understand how the EOS auth needs to be set up so that an external user can xrdcp a file - using simple unix authentication - to an EOS dir owned by

uid=11001(user1) gid=1100(eosusers) groups=1100(eosusers)

I know that, by default, all unix users are mapped to uid=99(nobody) gid=99(nobody) groups=99(nobody)

So, do I need to modify this mapping and if so, how? Or what else needs to be done?

Many thanks,

George

Hi George,

This actually depends on what you have defined in your vid map. In general, using the unix authentication is not a recommended setup unless you control the client machine.

Once you enable the vid mapping for unix (or even without this), you can allow unix connections from certain hosts to use the local identity when connecting to the MGM by defining a tident mapping. For example, the truncated output of eos vid ls could look like this:

tident:"unix@iota":gid => root
tident:"unix@iota":uid => root

Anyone connecting from the iota machine with unix auth will be mapped to the id advertised by the client. You can add such entries with the usual eos vid map -tident ..... You can also enable this for every unix authentication by modifying the initial rule introduced when enabling unix mapping to point to root rather than nobody - but this is definitely not recommended.

Cheers,
Elvin

Hi Elvin,

Many thanks for this. I successfully tried your suggestion in a slightly different context: issuing eos client commands (eos mkdir in particular) from a machine called cta-adm:

eos vid set map -tident root@cta-adm vuid:0 vgid:0

I can't see in the docs how to remove this mapping (there isn't anything like "eos vid rm map…"). Do you know how?

Best,

George


Hi George,

You can use the eos vid rm command and the key is everything before the => sign. You should be doing this from the eos console so that you don’t bother with escaping characters.

Cheers,
Elvin

Hi Elvin,

Many thanks, that did work. There is still a bit to understand here. I have defined the following mappings

tident:"georgep@lcgui05":gid => root
tident:"georgep@lcgui05":uid => root

and deleted the default mapping to "nobody" (vid rm unix:"":gid, vid rm unix:"":uid).

But when I try a simple xrdcp as georgep from a machine called lcgui05, I am still mapped to nobody and I get an auth error:

210630 14:32:20 time=1625059940.748231 func=IdMap level=INFO logid=static… unit=mgm@cta-eos01.scd.rl.ac.uk:1094 tid=00007efd8d0a1700 source=Mapping:993 tident= sec=(null) uid=99 gid=99 name=- geo="" sec.prot=unix sec.name="georgep" sec.host="lcgui05.gridpp.rl.ac.uk" sec.vorg="" sec.grps="esc" sec.role="" sec.info="" sec.app="" sec.tident="georgep.78307:360@lcgui05.gridpp.rl.ac.uk" vid.uid=99 vid.gid=99
210630 14:32:20 time=1625059940.748349 func=open level=INFO logid=98933242-d9a7-11eb-8c45-1c34da4b345c unit=mgm@cta-eos01.scd.rl.ac.uk:1094 tid=00007efd8d0a1700 source=XrdMgmOfsFile:498 tident=georgep.78307:360@lcgui05.gridpp.rl.ac.uk sec=unix uid=99 gid=99 name=georgep geo="" op=write trunc=0 path=/eos/antares/test/libxrdceph.tar.gz info=oss.asize=352696

You also have to add the FQDN to the mapping:

lcgui05.gridpp.rl.ac.uk

Many thanks, Andreas
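The two points made in this thread (Elvin's: a tident rule lets a client from a named host keep the identity it advertises, while pointing the generic unix rule at root is not recommended; Andreas's: the host in the tident key must be the FQDN the MGM logs in sec.host) can be checked mechanically. The script below is an added example written for this thread, not code from the EOS project or from any of the posters. It assumes only the text shapes visible above: "eos vid ls" lines of the form key => value and an MGM IdMap log record with key=value fields. The sample vid listing and the log line are constructed (the log line is trimmed from the one quoted above), and the matching rule it models, that a tident key must name the client's FQDN exactly as it appears in sec.host, is the rule the thread states; the command it suggests follows the eos vid set map form used earlier in the thread.

```python
"""Audit helpers for EOS 'vid' mappings of unix-authenticated clients.

Added example for the forum thread above; not EOS project code.  Works on
text in the shape shown in the thread: `eos vid ls` lines and an MGM IdMap
log record.  The host-matching rule modelled here (tident key must carry the
FQDN reported in sec.host) is what the thread states; the parsing itself is
a simplification for illustration.
"""
import re

# Constructed sample of `eos vid ls` output, same shape as in the thread.
# It reproduces George's mistake: rules keyed on the short hostname only.
SAMPLE_VID_LS = """\
unix:"":gid => nobody
unix:"":uid => nobody
tident:"unix@iota":gid => root
tident:"unix@iota":uid => root
tident:"georgep@lcgui05":gid => root
tident:"georgep@lcgui05":uid => root
"""

# Constructed MGM IdMap record, trimmed from the log line quoted in the thread.
SAMPLE_LOG = ('210630 14:32:20 func=IdMap level=INFO sec.prot=unix '
              'sec.name="georgep" sec.host="lcgui05.gridpp.rl.ac.uk" '
              'sec.tident="georgep.78307:360@lcgui05.gridpp.rl.ac.uk" '
              'vid.uid=99 vid.gid=99')

NOBODY_UID = 99  # the default identity unix clients are mapped to
MAP_RE = re.compile(r'^(?P<key>\S+)\s*=>\s*(?P<value>\S+)$')
KV_RE = re.compile(r'(?P<k>[\w.]+)=(?:"(?P<q>[^"]*)"|(?P<u>\S*))')


def parse_vid_ls(text):
    """Return {key: value} for lines like 'tident:"unix@iota":gid => root'.

    The key (everything before '=>') is exactly what `eos vid rm` expects.
    """
    rules = {}
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            rules[m.group('key')] = m.group('value')
    return rules


def parse_log_record(line):
    """Split an MGM log line into a dict, honouring double-quoted values."""
    return {m.group('k'): m.group('q') if m.group('q') is not None else m.group('u')
            for m in KV_RE.finditer(line)}


def tident_keys_for(rec):
    """The uid and gid keys a tident rule needs for this client.

    Keyed on name@host, where host is the FQDN the MGM logged in sec.host.
    """
    ident = f'{rec["sec.name"]}@{rec["sec.host"]}'
    return [f'tident:"{ident}":uid', f'tident:"{ident}":gid']


def explain_mapping(rules, rec):
    """Report whether the client kept its identity and what is missing."""
    short = rec['sec.host'].split('.')[0]
    return {
        'mapped_to_nobody': int(rec.get('vid.uid', NOBODY_UID)) == NOBODY_UID,
        'missing_keys': [k for k in tident_keys_for(rec) if k not in rules],
        # Rules keyed on the short hostname: present, but they never match.
        'short_hostname_rules': sorted(
            k for k in rules if k.startswith('tident:') and f'@{short}"' in k),
    }


def risky_rules(rules):
    """Rules the thread warns against: every unix client mapped to root."""
    return sorted(k for k, v in rules.items()
                  if k.startswith('unix:""') and v == 'root')


def suggested_command(rec):
    """The `eos vid set map` line in the form used in the thread, with FQDN."""
    return (f'eos vid set map -tident {rec["sec.name"]}@{rec["sec.host"]} '
            'vuid:0 vgid:0')


if __name__ == '__main__':
    rules = parse_vid_ls(SAMPLE_VID_LS)
    rec = parse_log_record(SAMPLE_LOG)
    print(explain_mapping(rules, rec))
    print('risky:', risky_rules(rules))
    print(suggested_command(rec))
```

Run against the constructed sample, the report shows the client landed on uid 99, lists the two FQDN-keyed tident entries that are absent, and names the short-hostname rules that exist but cannot match the logged sec.host; an empty result from risky_rules confirms the generic unix rule still points at nobody rather than root.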