Is there a reason not to use GSI authentication for xrdcp operations from random hosts?
I installed xroot on my Mac so I could transfer files from it to a test EOS instance. I can’t use Unix auth since my uid will not be the same and we aren’t using krb for EOS right now. I figured the least intrusive thing would be to use GSI authentication since I have my cert on the Mac and the MGM is set up to allow GSI auth from anywhere:
#Anyone can perform securely authenticated actions
sec.protbind * only gsi sss krb5
The problem is, I get a zero-length file on the instance and then a “file exists” error ending the operation. If I use ‘-f’ I get a ‘redirect limit has been reached’ error. What I believe is happening is the MGM is accepting the GSI credential and somehow communication between the MGM and FST is not set up properly to transfer the actual file contents. I can do ‘xrdfs root://… ls’ operations just fine.
So two questions. Is there a reason NOT to use this kind of setup? If it is acceptable, what needs to be done to allow this to work properly?
It is also possible I’m not too clear on how GSI auth works and I’m just missing something.
Thanks.
–
Dan Szkola
FNAL