Hi EOS community,
I have had some trouble for a long time configuring the CMS with GSI authentication, where some users have their DN mapped to their account and the others, when they have a proxy with VOMS attributes, have to be mapped to a CMS pool account.
For example, I have:
# grep sec.prot /etc/xrd.cf.mgm|grep gsi
sec.protocol gsi -crl:0 -cert:/etc/grid-security/hostcert.pem -key:/etc/grid-security/hostkey.pem -gridmap:/etc/grid-security/grid-mapfile -d:0 -gmapopt:2 -vomsat:1 -moninfo:1
sec.protbind * only gsi sss unix
# eos vid ls|grep voms
voms:"/cms:":gid => gridcms
voms:"/cms:":uid => cmspool
voms:"/cms:lcgadmin":uid => cmss
voms:"/cms:production":uid => cmsp
[root@lyoeosmgm1 ~]# eos vid ls|grep gsi
gsi:"<pwd>":gid => root
gsi:"<pwd>":uid => root
I have tried some things in the /etc/grid-security/grid-mapfile, like:
"/O=GRID-FR/C=FR/O=CNRS/OU=IPNL/CN=Denis Pugnere" pugnere
"/*" nobody
With this, when I copy a file to my EOS instance with a valid proxy in the CMS VO, I can't be mapped to the cmspool account:
$ voms-proxy-init --voms cms
Enter GRID pass phrase for this identity:
Contacting voms2.cern.ch:15002 [/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch] "cms"...
Remote VOMS server contacted succesfully.
When I copy a file, I get "user access restricted - unauthorized identity used":
$ date ; xrdcp -f file:///etc/hosts root://lyoeosmgm1.in2p3.fr//eos/lyoeos.in2p3.fr/scratch/$(uuidgen)
Tue Nov 17 15:23:41 CET 2020
[0B/0B][100%][==================================================][0B/s]
Run: [ERROR] Server responded with an error: [3010] Unable to give access - user access restricted - unauthorized identity used ; Permission denied (destination)
The logs in the MGM (4.8.27) show:
201117 15:23:41 41000 XrootdXeq: pugnere.54899:428@lyoui1 pub IPv4 login as pugnere
201117 15:23:41 time=1605623021.700325 func=stat level=ERROR logid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx unit=mgm@lyoeosmgm1.in2p3.fr:1094 tid=00007f92f8bfd700 source=Stat:83 tident=<single-exec> sec=gsi uid=50001 gid=50000 name=pugnere geo="" user access restricted - unauthorized identity vid.uid=50001, vid.gid=50000, vid.host="lyoui1.in2p3.fr", vid.tident="pugnere.54899:428@lyoui1" for path="/eos/lyoeos.in2p3.fr/scratch/53f53330-66ed-4f20-9cda-68d3cf3a934c" user@domain="cmss@in2p3.fr"
201117 15:23:41 time=1605623021.700393 func=Emsg level=ERROR logid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx unit=mgm@lyoeosmgm1.in2p3.fr:1094 tid=00007f92f8bfd700 source=XrdMgmOfs:1186 tident=<single-exec> sec= uid=0 gid=0 name= geo="" Unable to give access - user access restricted - unauthorized identity used ; Permission denied
201117 15:23:41 time=1605623021.701546 func=IdMap level=INFO logid=static.............................. unit=mgm@lyoeosmgm1.in2p3.fr:1094 tid=00007f92f8bfd700 source=Mapping:993 tident= sec=(null) uid=99 gid=99 name=- geo="" sec.prot=gsi sec.name="pugnere" sec.host="lyoui1.in2p3.fr" sec.vorg="cms" sec.grps="/cms" sec.role="lcgadmin" sec.info="/O=GRID-FR/C=FR/O=CNRS/OU=IPNL/CN=Denis Pugnere" sec.app="" sec.tident="pugnere.54899:428@lyoui1" vid.uid=50001 vid.gid=50000
201117 15:23:41 time=1605623021.701606 func=open level=ERROR logid=7e059f0a-28e0-11eb-b3de-7845c4fc35a5 unit=mgm@lyoeosmgm1.in2p3.fr:1094 tid=00007f92f8bfd700 source=XrdMgmOfsFile:393 tident=pugnere.54899:428@lyoui1 sec=gsi uid=50001 gid=50000 name=pugnere geo="" user access restricted - unauthorized identity vid.uid=50001, vid.gid=50000, vid.host="lyoui1.in2p3.fr", vid.tident="pugnere.54899:428@lyoui1" for path="/eos/lyoeos.in2p3.fr/scratch/53f53330-66ed-4f20-9cda-68d3cf3a934c" user@domain="cmss@in2p3.fr"
201117 15:23:41 time=1605623021.701629 func=Emsg level=ERROR logid=7e059f0a-28e0-11eb-b3de-7845c4fc35a5 unit=mgm@lyoeosmgm1.in2p3.fr:1094 tid=00007f92f8bfd700 source=XrdMgmOfsFile:3175 tident=pugnere.54899:428@lyoui1 sec=gsi uid=50001 gid=50000 name=pugnere geo="" Unable to give access - user access restricted - unauthorized identity used ; Permission denied
201117 15:23:41 41000 XrootdXeq: pugnere.54899:428@lyoui1 disc 0:00:00
$ eos root://lyoeosmgm1.in2p3.fr whoami
error: errc=3010 msg="[ERROR] Error response: Permission denied" (errc=3010) (Unknown error 3010)
Is the catch-all entry
"/*" nobody
needed in the /etc/grid-security/grid-mapfile file?
My primary goal is to make CMS grid accounts work, and if possible, also to have some individual GSI DNs mapped to local accounts.
I must have missed something…
Thanks for your help,
Denis
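As an added diagnostic (example code written for this thread, not EOS code and not from the original post), here is a small Python script that parses the grid-mapfile and the `eos vid ls` voms rules quoted above, extracts `sec.info`, `sec.grps`, `sec.role` and `vid.uid` from the MGM IdMap log line, and prints the two candidate mappings side by side with what the MGM actually assigned. It assumes first-match, shell-glob semantics for grid-mapfile lines and "exact group:role first, then group with empty role" for the voms rules; the real MGM precedence between the DN map and the voms map is exactly what the post is asking about, so the script only makes the competing candidates visible. The constants are constructed from the post (the logid is shortened).

```python
import fnmatch
import re

# Constructed from the post: the two grid-mapfile lines and the `eos vid ls` voms rules.
GRID_MAPFILE = '''"/O=GRID-FR/C=FR/O=CNRS/OU=IPNL/CN=Denis Pugnere" pugnere
"/*" nobody
'''

VID_RULES = '''voms:"/cms:":gid => gridcms
voms:"/cms:":uid => cmspool
voms:"/cms:lcgadmin":uid => cmss
voms:"/cms:production":uid => cmsp
'''

# The IdMap line from the MGM log in the post (logid shortened, otherwise as posted).
IDMAP_LINE = (
    '201117 15:23:41 time=1605623021.701546 func=IdMap level=INFO logid=static... '
    'unit=mgm@lyoeosmgm1.in2p3.fr:1094 source=Mapping:993 tident= sec=(null) uid=99 gid=99 '
    'name=- geo="" sec.prot=gsi sec.name="pugnere" sec.host="lyoui1.in2p3.fr" sec.vorg="cms" '
    'sec.grps="/cms" sec.role="lcgadmin" '
    'sec.info="/O=GRID-FR/C=FR/O=CNRS/OU=IPNL/CN=Denis Pugnere" sec.app="" '
    'sec.tident="pugnere.54899:428@lyoui1" vid.uid=50001 vid.gid=50000'
)


def parse_gridmap(text):
    """Return [(dn_pattern, account), ...] in file order; '#' lines are comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^"([^"]+)"\s+(\S+)$', line)
        if not m:
            raise ValueError(f"unparsable grid-mapfile line: {line!r}")
        entries.append((m.group(1), m.group(2)))
    return entries


def gridmap_lookup(entries, dn):
    """First matching entry wins (assumption); patterns are shell-style globs."""
    for pattern, account in entries:
        if fnmatch.fnmatchcase(dn, pattern):
            return account
    return None


def shadowed_entries(entries):
    """Entries that can never match because an earlier glob entry already covers them."""
    dead = []
    for i, (pattern, account) in enumerate(entries):
        if any(fnmatch.fnmatchcase(pattern, earlier) for earlier, _ in entries[:i]):
            dead.append((pattern, account))
    return dead


def parse_vid_rules(text):
    """Parse 'voms:"<group>:<role>":<uid|gid> => <name>' lines into a dict."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r'^voms:"([^:"]*):([^"]*)":(uid|gid)\s*=>\s*(\S+)$', line.strip())
        if m:
            rules[(m.group(1), m.group(2), m.group(3))] = m.group(4)
    return rules


def voms_lookup(rules, group, role, kind):
    """Exact (group, role) first, then (group, '') as the fallback (assumption)."""
    for key in ((group, role, kind), (group, "", kind)):
        if key in rules:
            return rules[key]
    return None


def parse_idmap(line):
    """Pull every sec.* and vid.* field out of an MGM IdMap log line."""
    fields = re.findall(r'(sec\.\w+|vid\.\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in fields}


def diagnose(idmap_line, gridmap_text=GRID_MAPFILE, vid_text=VID_RULES):
    """Show the DN-based and VOMS-based candidates next to what the MGM assigned."""
    f = parse_idmap(idmap_line)
    entries = parse_gridmap(gridmap_text)
    rules = parse_vid_rules(vid_text)
    return {
        "dn": f.get("sec.info"),
        "dn_account": gridmap_lookup(entries, f.get("sec.info", "")),
        "voms_uid": voms_lookup(rules, f.get("sec.grps", ""), f.get("sec.role", ""), "uid"),
        "voms_gid": voms_lookup(rules, f.get("sec.grps", ""), f.get("sec.role", ""), "gid"),
        "mgm_sec_name": f.get("sec.name"),
        "mgm_vid_uid": f.get("vid.uid"),
        "shadowed_gridmap_entries": shadowed_entries(entries),
    }


if __name__ == "__main__":
    for key, value in diagnose(IDMAP_LINE).items():
        print(f"{key:>26}: {value}")
```

Running it on the posted log line shows the DN entry resolving to `pugnere` while the VOMS attributes (`/cms`, role `lcgadmin`) resolve to `cmss`/`gridcms`, and that the MGM reported `vid.uid=50001` under `sec.name="pugnere"`, so the identity the MGM settled on is the DN-mapped one rather than the VOMS pool account. `shadowed_entries` is there to check ordering: if the `"/*" nobody` line were placed before an explicit DN line, that DN line would never match under first-match semantics.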