Remove VID Policy "Tident"

Hi,

We accidentally entered an incorrect EOS VID policy, i.e.:

tident:“keosteam@eos-mgm”:gid => keosteam
tident:“keosteam@eos-mgm”:uid => keosteam

However, we are unable to delete it and are receiving an error. We used the following parameters to delete it:

[root@eos-slave ~]# eos -b vid rm vid:tident:“keosteam@eos-mgm”:gid
error: nothing has been removed (errc=22) (Invalid argument)
[root@eos-slave ~]# eos -b vid rm vid:tident:“keosteam@eos-mgm”:gid
error: nothing has been removed (errc=22) (Invalid argument)
[root@eos-slave ~]# eos -b vid rm vid:tident:“*”:gid
error: nothing has been removed (errc=22) (Invalid argument)
[root@eos-slave ~]# eos -b vid rm vid:tident:“”:gid
error: nothing has been removed (errc=22) (Invalid argument)
[root@eos-slave ~]# eos -b vid rm tident:“”:gid
error: nothing has been removed (errc=22) (Invalid argument)
[root@eos-slave ~]#

We followed Elvin’s topic, i.e. "EOS vid and unix authentication - #4 by esindril (June 2021)", on deleting the EOS VID policy.

So, please help us sort this out.

Regards

Prasun

Hi Prasun,

Try first entering the eos console and then issuing the vid rm command. In this way it’s easier since you don’t need to do any escaping of the special characters. Therefore do:

eos

vid rm tident:“keosteam@eos-mgm”:gid

vid rm tident:“keosteam@eos-mgm”:uid

Cheers,
Elvin
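An added illustration of the point above (not from the original thread): it assumes, as Elvin's remark about escaping implies, that the login shell strips the double quotes from an unquoted vid key before the eos binary sees it, so the MGM receives a key that matches nothing. The `first_arg`, `vid_key` and `vid_rm_cmd` helpers are hypothetical; `first_arg` stands in for the eos binary and only shows what argument would arrive.

```shell
#!/bin/sh
# Why "vid rm" from the login shell said "Invalid argument" while the same
# command worked inside the eos console: the key must reach the MGM exactly as
# "eos vid ls" prints it, e.g. tident:"keosteam@eos-mgm":gid, but a POSIX shell
# removes unquoted "..." before the eos binary ever sees the argument.

# first_arg: stand-in for the eos binary; returns the one argument it received.
first_arg() { printf '%s' "$1"; }

# vid_key AUTH PATTERN KIND -> key in the form "eos vid ls" prints, with literal
# double quotes around the pattern (KIND is uid or gid).
vid_key() { printf '%s:"%s":%s' "$1" "$2" "$3"; }

# What the MGM saw in the thread's failed attempt: the shell removed the quotes.
unquoted_key_seen() { first_arg tident:"keosteam@eos-mgm":gid; }

# Quoting the whole key (or typing it inside the eos console) keeps them intact.
quoted_key_seen() { first_arg "$(vid_key tident keosteam@eos-mgm gid)"; }

# vid_rm_cmd AUTH PATTERN KIND -> a shell-safe command line for removing one
# mapping without entering the console (single quotes protect the inner quotes).
vid_rm_cmd() { printf "eos vid rm '%s'" "$(vid_key "$1" "$2" "$3")"; }

# Demo with the constructed values from the thread when run directly.
if [ "${1:-}" = "--demo" ]; then
    echo "key as the shell passes it unquoted: $(unquoted_key_seen)"
    echo "key as it must arrive:               $(quoted_key_seen)"
    vid_rm_cmd tident keosteam@eos-mgm gid; echo
    vid_rm_cmd tident keosteam@eos-mgm uid; echo
fi
```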

Hi Elvin,

We have run the commands as you suggested, but it does not work. The output is below:

============

EOS Console [root://localhost] |/> vid rm tident:“keosteam@eos-mgm”:uid
error: nothing has been removed (errc=22) (Invalid argument)
EOS Console [root://localhost] |/> vid rm tident:“keosteam@eos-mgm”:gid
error: nothing has been removed (errc=22) (Invalid argument)
EOS Console [root://localhost] |/> exit
[root@eos-mgm ~]# eos vid rm tident:“keosteam@eos-mgm”:uid
error: nothing has been removed (errc=22) (Invalid argument)
[root@eos-mgm ~]# eos vid rm tident:“keosteam@eos-mgm”:gid
error: nothing has been removed (errc=22) (Invalid argument)
[root@eos-mgm ~]#

[root@eos-mgm ~]# eos vid rm tident:“@eos-mgm*“:gid
error: nothing has been removed (errc=22) (Invalid argument)
[root@eos-mgm ~]# eos vid rm tident:”*@eos-mgm”:uid
error: nothing has been removed (errc=22) (Invalid argument)

============================

The xrdlog.mgm shows tident errors, i.e.:

+++++++++++

tident= sec=unix uid=10367 gid=1395 name=jalien geo=“” xt=“” ob=“” user access restricted - unauthorized identity vid.uid=10367, vid.gid=1395, vid.host=“aliendb7.cern.ch”, vid.tident=“jalien.2103400:657@aliendb7.cern.ch” for path=“/13/28236/b6d8d535-194d-11f1-9620-b47af1a61b9a” user@domain=“10367@cern.ch”
260306 16:48:30 time=1772795910.032266 func=Emsg level=ERROR logid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx unit=mgm@eos-mgm.tier2-kol.res.in:1094 tid=00007fc7f99ff640 source=XrdMgmOfs:864 tident= sec= uid=0 gid=0 name= geo=“” xt=“” ob=“” Unable to give access - user access restricted - unauthorized identity used ; Permission denied
260306 16:48:30 time=1772795910.032544 func=FSctl level=ERROR logid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx unit=mgm@eos-mgm.tier2-kol.res.in:1094 tid=00007fca355ee640 source=Fsctl:252 tident= sec=sss uid=65534 gid=65534 name=eosnobody geo=“” xt=“” ob=“” user access restricted - unauthorized identity vid.uid=65534, vid.gid=65534, vid.host=“eos06.tier2-kol.res.in”, vid.tident=“daemon.3979724:395@eos06” for path=“/” user@domain=“nobody@tier2-kol.res.in”

++++++++++++++++

Current vid policies are below:

[root@eos-mgm ~]# eos vid ls
https:“”:gid => root
https:“”:uid => root
publicaccesslevel: => 1024
sss:“”:gid => root
sss:“”:uid => root
sudoer => uids(daemon)
tident:“keosteam@eos-mgm”:gid => keosteam
tident:“keosteam@eos-mgm”:uid => keosteam
tokensudo => always
unix:“”:gid => 1395
unix:“”:uid => 10367
unix:“vuid:1000”:gid => keosteam
voms:“/ops:”:gid => 20001
voms:“/ops:”:uid => 20001
voms:“ops:/ops”:gid => 20001
voms:“ops:/ops”:uid => 20001
[root@eos-mgm ~]#

++++++++++++++++++++

So, please suggest.

Regards

Prasun

Hi Prasun,

I tried running some similar commands on my setup running 5.3.32 and things work as expected, see below. What eos version are you running on the MGM?

$ eos vid set map -tident keosteam@eos-mgm vuid:99 vgid:99
success: set vid [  eos.rgid=0 eos.ruid=0 mgm.cmd=vid mgm.subcmd=set mgm.vid.auth=tident mgm.vid.cmd=map mgm.vid.gid=99 mgm.vid.key=<key> mgm.vid.pattern=keosteam@eos-mgm mgm.vid.uid=99 ]
$ eos vid ls | grep keos
tident:"keosteam@eos-mgm":gid => 99
tident:"keosteam@eos-mgm":uid => 99
$ eos
EOS Console [root://localhost] |/eos/dev/replica/> vid rm tident:"keosteam@eos-mgm":gid
success: rm vid [  eos.rgid=0 eos.ruid=0 mgm.cmd=vid mgm.subcmd=rm mgm.vid.key=tident:"keosteam@eos-mgm":gid]
EOS Console [root://localhost] |/eos/dev/replica/> vid rm tident:"keosteam@eos-mgm":uid
success: rm vid [  eos.rgid=0 eos.ruid=0 mgm.cmd=vid mgm.subcmd=rm mgm.vid.key=tident:"keosteam@eos-mgm":uid]

Cheers,
Elvin

Hi Elvin,

You are right. I was running from outside of the eos console, so it gave an error. Then I ran it from the eos console, and it went successfully.

Thanks again.

Prasun

Hi Adrian,

Hi again,

We are facing a very complicated issue in our Kolkata EOS2, i.e. “Permission Denied and Access Restricted”. We have searched many topics on the eos community website and tried to sort it out with the help of the resolutions given there, but were unable to.

EOS version is 5.3.27.

The xrdlog of the mgm has the below error:

=============

tident=jalien.2501661:425@pcapiserv10.cern.ch sec=unix uid=10367 gid=1395 name=jalien geo=“” xt=“” ob=“” user access restricted - unauthorized identity vid.uid=10367, vid.gid=1395, vid.host=“pcapiserv10.cern.ch”, vid.tident=“jalien.2501661:425@pcapiserv10.cern.ch” for path=“/15/38775/4aca1b9f-1d52-11f1-9620-b47af1a61b9a” user@domain=“10367@cern.ch”
260311 19:33:13 time=1773237793.879333 func=Emsg level=ERROR logid=0b91c9b8-1d53-11f1-bbba-e4434b664554 unit=mgm@eos-mgm.tier2-kol.res.in:1094 tid=00007f56431f9640 source=XrdMgmOfsFile:3754 tident=jalien.2501661:425@pcapiserv10.cern.ch sec=unix uid=10367 gid=1395 name=jalien geo=“” xt=“” ob=“” Unable to give access - user access restricted - unauthorized identity used ; Permission denied
260311 19:33:13 21302 XrootdXeq: jalien.1883546:401@aliendb3.cern.ch disc 0:00:01
260311 19:33:13 time=1773237793.948274 func=IdMap level=INFO logid=static… unit=mgm@eos-mgm.tier2-kol.res.in:1094 tid=00007f56419ed640 source=Mapping:1070 tident= sec=(null) uid=0 gid=0 name=- geo=“” xt=“” ob=“” sec.prot=unix sec.name=“jalien” sec.host=“pcapiserv10.cern.ch” sec.vorg=“” sec.grps=“jalien” sec.role=“” sec.info=“” sec.app=“transfer-3rd” sec.tident=“jalien.2501668:426@pcapiserv10.cern.ch” vid.uid=10367 vid.gid=1395 sudo=0 gateway=0
260311 19:33:13 time=1773237793.948371 func=open level=ERROR logid=0b9c5392-1d53-11f1-81a7-e4434b664554 unit=mgm@eos-mgm.tier2-kol.res.in:1094 tid=00007f56419ed640 source=XrdMgmOfsFile:538 tident=jalien.2501668:426@pcapiserv10.cern.ch sec=unix uid=10367 gid=1395 name=jalien geo=“” xt=“” ob=“” user access restricted - unauthorized identity vid.uid=10367, vid.gid=1395, vid.host=“pcapiserv10.cern.ch”, vid.tident=“jalien.2501668:426@pcapiserv10.cern.ch” for path=“/12/32845/2805d6a9-1d52-11f1-9620-b47af1a61b9a” user@domain=“10367@cern.ch”
260311 19:33:13 time=1773237793.948400 func=Emsg level=ERROR logid=0b9c5392-1d53-11f1-81a7-e4434b664554 unit=mgm@eos-mgm.tier2-kol.res.in:1094 tid=00007f56419ed640 source=XrdMgmOfsFile:3754 tident=jalien.2501668:426@pcapiserv10.cern.ch sec=unix uid=10367 gid=1395 name=jalien geo=“” xt=“” ob=“” Unable to give access - user access restricted - unauthorized identity used ; Permission denied
260311 19:33:14 20803 XrootdXeq: jalien.2501654:417@pcapiserv10.cern.ch disc 0:00:01
260311 19:33:14 21273 XrootdXeq: jalien.2501654:407@pcapiserv10.cern.ch disc 0:00:02
260311 19:33:14 20801 XrootdXeq: alienmas.2750302:353@aliendb06g.cern.ch disc 0:00:05
260311 19:33:14 21270 XrootdXeq: jalien.1883553:405@aliendb3.cern.ch disc 0:00:02
260311 19:33:14 21271 XrootdXeq: jalien.2501661:425@pcapiserv10.cern.ch disc 0:00:01
260311 19:33:14 21303 XrootdXeq: jalien.2501661:409@pcapiserv10.cern.ch disc 0:00:02
260311 19:33:14 21283 XrootdXeq: jalien.2501668:426@pcapiserv10.cern.ch disc 0:00:01
260311 19:33:14 21289 XrootdXeq: jalien.2501668:419@pcapiserv10.cern.ch disc 0:00:02
260311 19:33:14 20800 XrootdXeq: User authentication failed; Decryption key not found.
260311 19:33:14 21293 XrootdXeq: alienmas.3594513:403@aliendb10.cern.ch disc 0:00:05
260311 19:33:14 20800 XrootdXeq: alienmas.2750356:429@aliendb06g.cern.ch pub IP46 login as alienmaster
260311 19:33:14 time=1773237794.393529 func=IdMap level=INFO logid=static… unit=mgm@eos-mgm.tier2-kol.res.in:1094 tid=00007f5642ff8640 source=Mapping:1070 tident= sec=(null) uid=0 gid=0 name=- geo=“” xt=“” ob=“” sec.prot=unix sec.name=“alienmaster” sec.host=“alientest06.cern.ch” sec.vorg=“” sec.grps=“alienmaster” sec.role=“” sec.info=“” sec.app=“transfer-3rd” sec.tident=“alienmas.1765131:400@alientest06.cern.ch” vid.uid=10367 vid.gid=1395 sudo=0 gateway=0
260311 19:33:14 time=1773237794.393624 func=open level=ERROR logid=0be04476-1d53-11f1-a7e9-e4434b664554 unit=mgm@eos-mgm.tier2-kol.res.in:1094 tid=00007f5642ff8640 source=XrdMgmOfsFile:538 tident=alienmas.1765131:400@alientest06.cern.ch sec=unix uid=10367 gid=1395 name=alienmaster geo=“” xt=“” ob=“” user access restricted - unauthorized identity vid.uid=10367, vid.gid=1395, vid.host=“alientest06.cern.ch”, vid.tident=“alienmas.1765131:400@alientest06.cern.ch” for path=“/03/18460/03be983c-1d52-11f1-9620-b47af1a61b9a” user@domain=“10367@cern.ch”
260311 19:33:14 time=1773237794.393653 func=Emsg level=ERROR logid=0be04476-1d53-11f1-a7e9-e4434b664554 unit=mgm@eos-mgm.tier2-kol.res.in:1094 tid=00007f5642ff8640 source=XrdMgmOfsFile:3754 tident=alienmas.1765131:400@alientest06.cern.ch sec=unix uid=10367 gid=1395 name=alienmaster geo=“” xt=“” ob=“” Unable to give access - user access restricted - unauthorized identity used ; Permission denied

============================

Output of vid ls is:

[root@eos-mgm ~]# eos vid ls
https:“”:gid => root
https:“”:uid => root
publicaccesslevel: => 1024
sss:“”:gid => root
sss:“”:uid => root
sudoer => uids(daemon)
tident:“@eos-mgm*“:gid => root
tident:”@eos-mgm”:uid => root
tident:“@eos-slave":gid => root
tident:“@eos-slave”:uid => root
tident:“@eoskolkata.tier2-kol.res.in”:gid => root
tident:"*@eoskolkata.tier2-kol.res.in”:uid => root
tokensudo => always
unix:“”:gid => 1395
unix:“”:uid => 10367
voms:“/ops:”:gid => 20001
voms:“/ops:”:uid => 20001
voms:“ops:/ops”:gid => 20001
voms:“ops:/ops”:uid => 20001
[root@eos-mgm ~]#

Output of TkAuthz.Authorization:

EXPORT PATH:/ VO:* ACCESS:ALLOW CERT:*
RULE PATH:/ AUTHZ:delete|read|write|write-once| NOAUTHZ:| VO:| CERT:IGNORE
RULE PATH:/eos/alicekolkata/ops/ AUTHZ:| NOAUTHZ:delete|read|write|write-once| VO:ops CERT:

RULE PATH:/ops/ AUTHZ:| NOAUTHZ:delete|read|write|write-once| VO:ops CERT:*
KEY VO:* PRIVKEY:/etc/grid-security/xrootd/privkey.pem PUBKEY:/etc/grid-security/xrootd/pubkey.pem

======================

So, please advise us accordingly.

Regards

Prasun

Hi,

We are following the link “Write and Read authorization error” and some other links in eos-community. But there is something not clear.

So, can anybody help us sort this out?

Regards

Prasun

Hi @prasun! The output is weird as the numeric uid is not translated to users. The users need to exist as UNIX users on the mgm. In my case I have this:

eos vid ls
gsi:“”:gid => root
gsi:“”:uid => root
https:“”:gid => root
https:“”:uid => root
publicaccesslevel: => 1024
sss:“”:gid => root
sss:“”:uid => root
sudoer => uids(daemon)
tokensudo => always
unix:“”:gid => alice
unix:“”:uid => aliprod
voms:“/dteam:”:gid => dteam
voms:“/dteam:”:uid => dteam
voms:“/ops:”:gid => ops
voms:“/ops:”:uid => ops
voms:“dteam:/dteam”:gid => dteam
voms:“dteam:/dteam”:uid => dteam
voms:“ops:/ops”:gid => ops
voms:“ops:/ops”:uid => ops

In my case, ignore the voms parts; those were my tryouts to have both gsi and ALICE token authentication. What is important is to have the aliprod/alice user defined on the mgms for unix authentication.