Fail to use EOS on client

Hello,
I’ve finished setting up the eos server and tried to start using eos on the client side but ran into some problems.

Here’s the reference link for how I configured the client:
https://eos-docs.web.cern.ch/diopside/manual/using.html

I need you to help me understand the following:
(1) How does the SSS key work between the client and the server?
(2) How do I configure the SSS key between the client and the server correctly so that the client can fuse mount EOS?

Here are my setup steps:

  1. Enable token issue (node1 as server)
    [root@node1 ~]# eos space config default space.token.generation=1
    success: setting token.generation=1
    [root@node1 ~]#
    [root@node1 ~]# ll /etc/eos.keytab # copy this file to node2(fst node) and node3(client node)
    -r-------- 1 daemon root 280 Apr 1 11:12 /etc/eos.keytab
    [root@node1 ~]# cat /etc/eos.keytab # copy this file to node2(fst node) and node3(client node)
    0 u:daemon g:daemon n:eosmaster N:7352057697975402497 c:1711784326 e:0 f:0 k:2b90fd53380ff00623239e02bb82c8252dbde4da83cdeda1542de79ae8cb3493
    0 u:eostest g:eostest n:eostest N:5506672669367468033 c:1282122142 e:0 k:0123456789012345678901234567890123456789012345678901234567890123
    [root@node1 ~]#
    [root@node1 ~]# EOS_MGM_TOKEN_KEYFILE=/etc/eos/token.key
    [root@node1 ~]# export XrdSecSSSKT=$HOME/.eos.keytab
    [root@node1 ~]# export XrdSecPROTOCOL=sss

  2. Create token and check token (node1 as server)
[root@node1 ~]# eos mkdir /eos/test
[root@node1 ~]# eos token --path /eos/test --permission rwxq --owner root --group root --tree
zteos64:MDAwMDAyMGN4nON6z8jFUlReUShweM_KDWxSLEX5-SVKYFKD0YhTPzW_WL8ktbjEgtFLxdzQJNEi1cBINzUtzUzX0DA1VdfSPMlAN83ELMki2SDJ0NDEJGg-Y7Rvfp6CY0GRgoKhgqGplYG5lYGxgpGBkUmsQmlmipVBNMjwWIV0JHZJZkpqXokViKNnYmZsbmhlbGnkkJOfnJiTkV9copCXmJtqBXQKyCUKKXlWCgVF-SVWxcXFCokFBVYKIDVWCNUp-bmJmXkQAQhbIT0130qhuDQl38pQSMHC-L3drlR1_cjQdhbHZedT0ksyH15xmBpc_F7IJmmdV4rUiAsThcOn_j5kBwA6F64s
[root@node1 ~]# eos token --token zteos64:MDAwMDAyMGN4nON6z8jFUlReUShweM_KDWxSLEX5-SVKYFKD0YhTPzW_WL8ktbjEgtFLxdzQJNEi1cBINzUtzUzX0DA1VdfSPMlAN83ELMki2SDJ0NDEJGg-Y7Rvfp6CY0GRgoKhgqGplYG5lYGxgpGBkUmsQmlmipVBNMjwWIV0JHZJZkpqXokViKNnYmZsbmhlbGnkkJOfnJiTkV9copCXmJtqBXQKyCUKKXlWCgVF-SVWxcXFCokFBVYKIDVWCNUp-bmJmXkQAQhbIT0130qhuDQl38pQSMHC-L3drlR1_cjQdhbHZedT0ksyH15xmBpc_F7IJmmdV4rUiAsThcOn_j5kBwA6F64s
{
  "token": {
    "permission": "rwxq",
    "expires": "1711955523",
    "owner": "root",
    "group": "root",
    "generation": "1",
    "path": "/eos/test",
    "allowtree": true,
    "vtoken": "",
    "voucher": "714a8e02-eff6-11ee-97b0-f46b8c0b1144",
    "requester": "[Mon Apr 1 15:07:03 2024] uid:0[root] gid:0[root] tident:root.46371:392@localhost name:eostest dn: prot:sss app: host:localhost domain:localdomain geo: sudo:1",
    "origins":
  },
  "signature": "ODPvPrplJy9ZVYcEQabPZGd0aeHUQJVTc+8SPGKuSmQ=",
  "serialized": "CgRyd3hxEMO8qbAGGgRyb290IgRyb290KAEyCS9lb3MvdGVzdDgBSiQ3MTRhOGUwMi1lZmY2LTExZWUtOTdiMC1mNDZiOGMwYjExNDRSnwFbTW9uIEFwciAgMSAxNTowNzowMyAyMDI0XSB1aWQ6MFtyb290XSBnaWQ6MFtyb290XSB0aWRlbnQ6cm9vdC40NjM3MTozOTJAbG9jYWxob3N0IG5hbWU6ZW9zdGVzdCBkbjogcHJvdDpzc3MgYXBwOiBob3N0OmxvY2FsaG9zdCBkb21haW46bG9jYWxkb21haW4gZ2VvOiBzdWRvOjE=",
  "seed": 2084529475
}
[root@node1 ~]#
[root@node1 ~]# TOKEN="zteos64:MDAwMDAyMGN4nON6z8jFUlReUShweM_KDWxSLEX5-SVKYFKD0YhTPzW_WL8ktbjEgtFLxdzQJNEi1cBINzUtzUzX0DA1VdfSPMlAN83ELMki2SDJ0NDEJGg-Y7Rvfp6CY0GRgoKhgqGplYG5lYGxgpGBkUmsQmlmipVBNMjwWIV0JHZJZkpqXokViKNnYmZsbmhlbGnkkJOfnJiTkV9copCXmJtqBXQKyCUKKXlWCgVF-SVWxcXFCokFBVYKIDVWCNUp-bmJmXkQAQhbIT0130qhuDQl38pQSMHC-L3drlR1_cjQdhbHZedT0ksyH15xmBpc_F7IJmmdV4rUiAsThcOn_j5kBwA6F64s"
[root@node1 ~]#
[root@node1 ~]# env EOSAUTHZ=$TOKEN eos whoami
Virtual Identity: uid=0 (0,3,99,1001) gid=0 (0,4,99,1001) [authz:sss] sudo* host=localhost domain=localdomain
{
  "token": {
    "permission": "rwxq",
    "expires": "1711955523",
    "owner": "root",
    "group": "root",
    "generation": "1",
    "path": "/eos/test",
    "allowtree": true,
    "vtoken": "",
    "origins":
  },
}
[root@node1 ~]#

  3. Use token with sss security (node3 as client)
[root@node3 ~]# export XrdSecSSSKT=$HOME/.eos.keytab
[root@node3 ~]# export XrdSecPROTOCOL=sss
[root@node3 ~]# export XrdSecsssENDORSEMENT="zteos64:MDAwMDAyMGN4nON6z8jFUlReUShweM_KDWxSLEX5-SVKYFKD0YhTPzW_WL8ktbjEgtFLxdzQJNEi1cBINzUtzUzX0DA1VdfSPMlAN83ELMki2SDJ0NDEJGg-Y7Rvfp6CY0GRgoKhgqGplYG5lYGxgpGBkUmsQmlmipVBNMjwWIV0JHZJZkpqXokViKNnYmZsbmhlbGnkkJOfnJiTkV9copCXmJtqBXQKyCUKKXlWCgVF-SVWxcXFCokFBVYKIDVWCNUp-bmJmXkQAQhbIT0130qhuDQl38pQSMHC-L3drlR1_cjQdhbHZedT0ksyH15xmBpc_F7IJmmdV4rUiAsThcOn_j5kBwA6F64s"

  4. Fuse mount eos with eosxd
    [root@node3 ~]# mount -t fuse eosxd -ofsname=node1.cern.ch:/eos/test/ /tmp/eos/

    fsname='node1.cern.ch:/eos/test/'
    -o allow_other enabled on shared mount
    -o big_writes enabled
    no config file - running on default values
    no config file for local overwrites
    extracted remote mount dir from fsname is '/eos/test/'
    extracted connection host from fsname is 'node1.cern.ch'
    enabling swapping inodes with md-cache in '/var/cache/eos/fusex/md-cache/'
    File descriptor limit: 524288 soft, 524288 hard
    allowing max read-ahead buffers of 134217728 bytes
    allowing max write-back buffers of 134217728 bytes
    concurrent mount detect enabled, lock prefix /var/run/eos/fusex/mount.-tmp-eos
    dead mount detected - forcing 'umount -l /tmp/eos/'
    Disabling nagle algorithm (XRD_NODELAY=1)
    Setting MALLOC_CONF=dirty_decay_ms:0
    [root@node3 ~]#

Best wishes,
P
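
Added example, not part of the original post and not EOS or XRootD code: a Python check over the keytab line layout shown in step 1, reporting a missing keytab file, group/other access, expired entries and keys that are a short repeated pattern. The function names, the reading of `e:` as an expiry epoch (0 meaning never) and of `k:` as a hex key, the owner-only mode preference and the sample keys are assumptions made for this example.

```python
import os
import stat
import time

# Constructed sample in the line layout shown in step 1; the keys are made up.
SAMPLE = (
    "0 u:daemon g:daemon n:demo-good N:1 c:1700000000 e:0 f:0 k:9f3a1c77d2e04b865a1fbc03e8d4976012ab5ce8f7340d9166c2ea5b08f1d3a4\n"
    "0 u:demo g:demo n:demo-pattern N:2 c:1700000000 e:0 k:" + "0a1b2c3d" * 8 + "\n"
    "0 u:demo g:demo n:demo-expired N:3 c:1700000000 e:1700000600 f:0 k:5d0e8b21f6a97c34e1b8a0d45f6293c7be10748ad92c6f53a7e4019bd86c2f15\n"
)

def parse_keytab(text):
    """Split each 'version tag:value ...' line into a dict of its tags."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            fields = dict(p.split(":", 1) for p in parts[1:] if ":" in p)
            entries.append({"line": lineno, **fields})
    return entries

def is_patterned(key, max_period=16):
    """True when the key is one short chunk repeated end to end."""
    n = len(key)
    return any(key == (key[:p] * (n // p + 1))[:n] for p in range(1, min(max_period, n // 2) + 1))

def audit_entries(entries, now=None):
    now = int(time.time()) if now is None else now
    findings = []
    for e in entries:
        where = f"line {e['line']} ({e.get('n', '?')})"
        key = e.get("k", "").lower()
        if not key or len(key) % 2 or set(key) - set("0123456789abcdef"):
            findings.append(f"{where}: key is not an even-length hex string")
        elif is_patterned(key):
            findings.append(f"{where}: key is a short repeated pattern")
        expiry = e.get("e", "0")  # assumption: expiry epoch, 0 = never
        if expiry.isdigit() and 0 < int(expiry) <= now:
            findings.append(f"{where}: key expired at {expiry}")
    return findings

def audit_file(path):
    """Check the file a client would name in XrdSecSSSKT, then its entries."""
    if not path or not os.path.isfile(path):
        return [f"{path!r}: no such keytab file"]
    mode_bad = stat.S_IMODE(os.stat(path).st_mode) & 0o077  # assumption: owner-only
    findings = [f"{path}: accessible by group/other"] if mode_bad else []
    with open(path) as fh:
        return findings + audit_entries(parse_keytab(fh.read()))
```

On a client, `audit_file(os.environ.get("XrdSecSSSKT"))` checks the file that variable actually names; in the session above the keytab is listed at `/etc/eos.keytab` while `XrdSecSSSKT` is set to `$HOME/.eos.keytab`.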