Write and Read authorization error

Hello!!
I am checking my site configuration by using the testSE command. Is there anything missing in the authentication settings?

ALICE::HIROSHIMA::EOS
  Open write test: could write,  (NOT OK), please check authorization configuration
  Open read test: reading worked (NOT OK) please check authorization configuration
  Open delete test: delete worked (NOT OK)
  Authenticated write test: could write (expected)
  Authenticated read: file read back ok (expected)
  Authenticated delete: delete worked ok (expected)

In the open write test, everyone can write, read and delete. This is a problem, so I checked the authorization configuration on the 3 mgm nodes.

[root@grid04 xrootd]# ll /etc/grid-security/xrootd/
total 12
-rw-------. 1 daemon daemon 812 Jun 11 21:38 TkAuthz.Authorization
-rw-------. 1 daemon daemon 887 Jan 25  2024 privkey.pem
-rw-------. 1 daemon daemon 765 Jan 25  2024 pubkey.pem
  • TkAuthz.Authorization
KEY     VO:*    PRIVKEY:/etc/grid-security/xrootd/privkey.pem   PUBKEY:/etc/grid-security/xrootd/pubkey.pem

RULE    PATH:/                   AUTHZ:delete|read|write|write-once|    NOAUTHZ:|                               VO:*|       CERT:*

EXPORT  PATH:/  VO:*    ACCESS:ALLOW    CERT:*
  • xrd.cf.mgm
    mgmofs.authorize 1
mgmofs.fs /
mgmofs.targetport 1095

mgmofs.centraldrain true

mgmofs.authlib /usr/lib64/libXrdAliceTokenAcc.so
mgmofs.authorize 1

alicetokenacc.multiprocess 32

alicetokenacc.truncateprefix /eos/hu/alice
alicetokenacc.noauthzhost    localhost
alicetokenacc.noauthzhost    localhost.localdomain
# MGMs
alicetokenacc.noauthzhost   grid04.aligrid.hiroshima-u.ac.jp
alicetokenacc.noauthzhost   grid05.aligrid.hiroshima-u.ac.jp
alicetokenacc.noauthzhost   grid06.aligrid.hiroshima-u.ac.jp

# FSTs
alicetokenacc.noauthzhost   nfs11.aligrid.hiroshima-u.ac.jp
alicetokenacc.noauthzhost   nfs12.aligrid.hiroshima-u.ac.jp
alicetokenacc.noauthzhost   nfs13.aligrid.hiroshima-u.ac.jp

Best regards,
Takuma

Hello, Takuma.

Could you share “eos vid ls”?

In the early days, I didn’t know about vid, so I had trouble writing and reading. I’m wondering if this is related.

Regards,

– Geonmo

Hello Ryu,

This is my eos vid ls.

`[root@grid04 ~]# eos vid ls`
`https:“”:gid => root`
`https:“”:uid => root`
`publicaccesslevel: => 1024`
`sss:“”:gid => root`
`sss:“”:uid => root`
`sudoer                 => uids(daemon)`
`tokensudo              => always`
`unix:“”:gid => alice`
`unix:“”:uid => aliprod`

This does not look good… every user from outside can write and read as sudoer…

Best regards,
Takuma

Hi Takuma! That sudoer entry is ok (I have it the same), only the unix part is different:
I have them this way:

You should try to set these vid settings from within the eos shell to keep the exact content (without escaping problems).

Hello, Takuma

If the message displayed by vid ls is blank as shown above, it may need to be checked.

However, if you deliberately deleted it during the transfer, it is normal.

Our site only has localhost and vobox listed in the alicetokenacc.noauthzhost setting, and FST or MGM are not registered. After all, FST and MGM are authenticated by sss.

Are you running testSE on a server registered in noauthzhost? Although I’m not sure, why don’t you try testing it without that option?

Regards,

– Geonmo

Hello Geonmo and Adrian,

In eos console,

EOS Console [root://localhost] |/> vid ls
https:"<pwd>":gid => root
https:"<pwd>":uid => root
publicaccesslevel: => 1024
sss:"<pwd>":gid => root
sss:"<pwd>":uid => root
sudoer                 => uids(daemon)
tokensudo              => always
unix:"<pwd>":gid => alice
unix:"<pwd>":uid => aliprod

It looks the same.
I’m testing from my PC, which is not registered for alicetokenacc.noauthzhost.
I deleted MGM and FST from alicetokenacc.noauthzhost and tested it again, but there was no change.

Best regards,
Takuma

Hello,

I tried testSE and checked xrdlog.fst.
jalien and nobody opened the file. (Is nobody a local account?)

xrdlog.fst
250820 06:01:38 2021834 XrootdXeq: jalien.3595834:59@aliendb10.cern.ch pub IP46 login as jalien
250820 06:01:38 time=1755637298.912179 func=open                     level=INFO  logid=b1a555ae-7d3f-11f0-aa10-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe886ffb640 source=XrdFstOfsFile:183              tident=jalien.3595834:59@aliendb10.cern.ch sec=unix  uid=0 gid=0 name=jalien geo="" xt="" ob="" path=/14/60346/ad5b521d-7d3f-11f0-9071-024282dad15e info=cap.msg=<...>&cap.sym=<...>&eos.app=JCentral&eos.clientinfo=zbase64:MDAwMDAwNzN4nBXIQQ6EIAxA0avMBWzExIUkPQxCKzUKpEDM3F7Zvf9zoWS14QJm/Um2+4OSeKj6SAHnwfYvhHtnJqUwRlHJGIhdv9rob4uSb5i4mgXcJYdKgCiaa5TbTR2ch7NYM2/rCzFxKI8=&mgm.id=00001935&mgm.logid=b1a555ae-7d3f-11f0-aa10-40a6b741b044&mgm.replicahead=0&mgm.replicaindex=0&oss.asize=10&scitag.flow=336&tried=nfs11.aligrid.hiroshima-u.ac.jp&triedrc=srverr open_mode=100200
250820 06:01:38 time=1755637298.912310 func=ProcessCapOpaque         level=INFO  logid=b1a555ae-7d3f-11f0-aa10-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe886ffb640 source=XrdFstOfsFile:2560             tident=jalien.3595834:59@aliendb10.cern.ch sec=(null) uid=65534 gid=65534 name=(null) geo="" xt="" ob="" capability=&mgm.access=create&mgm.ruid=10367&mgm.rgid=1395&mgm.uid=99&mgm.gid=99&mgm.path=/eos/hu/alice/14/60346/ad5b521d-7d3f-11f0-9071-024282dad15e&mgm.manager=grid05.aligrid.hiroshima-u.ac.jp:1094&mgm.fid=00001935&mgm.cid=514&mgm.sec=unix|jalien|aliendb10.cern.ch||jalien|||JCentral&mgm.lid=1048578&mgm.bookingsize=10&mgm.targetsize=10&mgm.fsid=2&cap.valid=1755640896
250820 06:01:38 time=1755637298.912449 func=open                     level=INFO  logid=b1a555ae-7d3f-11f0-aa10-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe886ffb640 source=XrdFstOfsFile:543              tident=jalien.3595834:59@aliendb10.cern.ch sec=(null) uid=10367 gid=1395 name=nobody geo="" xt="" ob="" path=/eos2/00000000/00001935 open-mode=100300 create-mode=41a4 layout-name=plain oss-opaque=&mgm.lid=1048578&mgm.bookingsize=10
250820 06:01:38 time=1755637298.912458 func=fileOpen                 level=INFO  logid=b310dd32-7d3f-11f0-b3b2-3cecefb4a746 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe886ffb640 source=LocalIo:70                     tident=<service> sec=      uid=0 gid=0 name= geo="" xt="" ob="" flags=100300 path=/eos2/00000000/00001935
250820 06:01:38 time=1755637298.912993 func=open                     level=INFO  logid=b1a555ae-7d3f-11f0-aa10-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe886ffb640 source=XrdFstOfsFile:820              tident=jalien.3595834:59@aliendb10.cern.ch sec=(null) uid=10367 gid=1395 name=nobody geo="" xt="" ob="" open-duration=0.819ms path="/14/60346/ad5b521d-7d3f-11f0-9071-024282dad15e" fxid=00001935 path::print=0.188ms creation::barrier=0.044ms layout::exists=0.004ms clone::fst=0.051ms layout::open=0.010ms layout::opened=0.219ms get::localfmd=0.001ms resync::localfmd=0.123ms layout::stat=0.002ms full::mutex=0.001ms layout::fallocate=0.001ms layout::fallocated=0.008ms fileio::object=0.137ms open::accounting=0.028ms end=0.002ms open=0.819ms
250820 06:01:38 time=1755637298.913007 func=stat                     level=INFO  logid=b1a555ae-7d3f-11f0-aa10-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe886ffb640 source=XrdFstOfsFile:1312             tident=jalien.3595834:59@aliendb10.cern.ch sec=      uid=10367 gid=1395 name=nobody geo="" xt="" ob="" path=/14/60346/ad5b521d-7d3f-11f0-9071-024282dad15e fxid=00001935 size=0 mtime=1755637298.106172880
250820 06:01:39 time=1755637299.418251 func=_close_wr                level=INFO  logid=b1a555ae-7d3f-11f0-aa10-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe886ffb640 source=XrdFstOfsFile:1671             tident=jalien.3595834:59@aliendb10.cern.ch sec=      uid=10367 gid=1395 name=nobody geo="" xt="" ob="" viaDelete=0 writeDelete=0 mIsCreation=1
250820 06:01:39 time=1755637299.418275 func=VerifyChecksum           level=INFO  logid=b1a555ae-7d3f-11f0-aa10-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe886ffb640 source=XrdFstOfsFile:3427             tident=jalien.3595834:59@aliendb10.cern.ch sec=      uid=10367 gid=1395 name=nobody geo="" xt="" ob="" (write) checksum type="adler" checksum hex="14b8033b" requested-checksum hex="-none-"
250820 06:01:39 time=1755637299.419503 func=_close                   level=INFO  logid=static.............................. unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe886ffb640 source=XrdFstOfsFile:1592             tident= sec=(null) uid=0 gid=0 name=- geo="" xt="" ob="" msg="log=b1a555ae-7d3f-11f0-aa10-40a6b741b044&path=/eos/hu/alice/14/60346/ad5b521d-7d3f-11f0-9071-024282dad15e&fstpath=/eos2/00000000/00001935&ruid=10367&rgid=1395&td=jalien.3595834:59@aliendb10.cern.ch&host=nfs12.aligrid.hiroshima-u.ac.jp&lid=1048578&fid=6453&fsid=2&ots=1755637298&otms=912&cts=1755637299&ctms=419&nrc=0&nwc=1&rb=0&rb_min=0&rb_max=0&rb_sigma=0.00&rv_op=0&rvb_min=0&rvb_max=0&rvb_sum=0&rvb_sigma=0.00&rs_op=0&rsb_min=0&rsb_max=0&rsb_sum=0&rsb_sigma=0.00&rc_min=0&rc_max=0&rc_sum=0&rc_sigma=0.00&wb=10&wb_min=10&wb_max=10&wb_sigma=0.00&sfwdb=0&sbwdb=0&sxlfwdb=0&sxlbwdb=0&nfwds=0&nbwds=0&nxlfwds=0&nxlbwds=0&usage=0.42&iot=507.318&idt=505.200&lrt=0.000&lrvt=0.000&lwt=0.059&ot=0.819&ct=1.240&rt=0.00&rvt=0.00&wt=0.05&osize=0&csize=10&delete_on_close=0&prio_c=2&prio_l=4&prio_d=1&forced_bw=0&ms_sleep=0&ior_err=0&iow_err=0&sec.prot=unix&sec.name=jalien&sec.host=aliendb10.cern.ch&sec.vorg=&sec.grps=jalien&sec.role=&sec.info=&sec.app=JCentral"
250820 06:01:39 time=1755637299.419512 func=_close                   level=INFO  logid=b1a555ae-7d3f-11f0-aa10-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe886ffb640 source=XrdFstOfsFile:1615             tident=jalien.3595834:59@aliendb10.cern.ch sec=      uid=10367 gid=1395 name=nobody geo="" xt="" ob="" msg="done close" rc=0 errc=0
250820 06:01:39 2021834 XrootdXeq: jalien.3595834:59@aliendb10.cern.ch disc 0:00:01
250820 06:01:42 time=1755637302.100698 func=Report                   level=ERROR logid=FstOfsStorage unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe86fffd640 source=Report:56                      tident=<service> sec=      uid=0 gid=0 name= geo="" xt="" ob="" msg="cannot send report broadcast"
250820 06:01:43 2024503 XrootdXeq: jalien.3596895:60@aliendb10.cern.ch pub IP46 login as jalien
250820 06:01:43 time=1755637303.273704 func=open                     level=INFO  logid=b4e99568-7d3f-11f0-8124-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe874bff640 source=XrdFstOfsFile:183              tident=jalien.3596895:60@aliendb10.cern.ch sec=unix  uid=0 gid=0 name=jalien geo="" xt="" ob="" path=/14/60346/ad5b521d-7d3f-11f0-9071-024282dad15e info=cap.msg=<...>&cap.sym=<...>&eos.app=JCentral&eos.clientinfo=zbase64:MDAwMDAwNzN4nBXIQQ6EIAxA0at4ARs0uhiSHgahHTpRIAVi5vbK7v2fCyWrDQ3s2yTZHjdK4qHqIwU0g+1fCI/OTEphjKKSMRC7frbR7xYl3zBxXVZwp3xVAkTRXKNcbu7gPPyKXcxnfwAx1yiQ&mgm.id=00001935&mgm.logid=b4e99568-7d3f-11f0-8124-40a6b741b044&mgm.mtime=1755637299&mgm.replicahead=0&mgm.replicaindex=0&scitag.flow=336 open_mode=0
250820 06:01:43 time=1755637303.273850 func=ProcessCapOpaque         level=INFO  logid=b4e99568-7d3f-11f0-8124-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe874bff640 source=XrdFstOfsFile:2560             tident=jalien.3596895:60@aliendb10.cern.ch sec=(null) uid=65534 gid=65534 name=(null) geo="" xt="" ob="" capability=&mgm.access=read&mgm.ruid=10367&mgm.rgid=1395&mgm.uid=99&mgm.gid=99&mgm.path=/eos/hu/alice/14/60346/ad5b521d-7d3f-11f0-9071-024282dad15e&mgm.manager=grid05.aligrid.hiroshima-u.ac.jp:1094&mgm.fid=00001935&mgm.cid=514&mgm.sec=unix|jalien|aliendb10.cern.ch||jalien|||JCentral&mgm.lid=1048578&mgm.bookingsize=1024&mgm.fsid=2&cap.valid=1755640902
250820 06:01:43 time=1755637303.274057 func=open                     level=INFO  logid=b4e99568-7d3f-11f0-8124-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe874bff640 source=XrdFstOfsFile:543              tident=jalien.3596895:60@aliendb10.cern.ch sec=(null) uid=10367 gid=1395 name=nobody geo="" xt="" ob="" path=/eos2/00000000/00001935 open-mode=0 create-mode=180 layout-name=plain oss-opaque=&mgm.lid=1048578&mgm.bookingsize=0
250820 06:01:43 time=1755637303.274071 func=fileOpen                 level=INFO  logid=b5aa65cc-7d3f-11f0-a549-3cecefb4a746 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe874bff640 source=LocalIo:70                     tident=<service> sec=      uid=0 gid=0 name= geo="" xt="" ob="" flags=0 path=/eos2/00000000/00001935
250820 06:01:43 time=1755637303.274232 func=open                     level=INFO  logid=b4e99568-7d3f-11f0-8124-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe874bff640 source=XrdFstOfsFile:731              tident=jalien.3596895:60@aliendb10.cern.ch sec=(null) uid=10367 gid=1395 name=nobody geo="" xt="" ob="" msg="layout size" fxid=00001935 disk_size=10 db_size= 10
250820 06:01:43 time=1755637303.274266 func=open                     level=INFO  logid=b4e99568-7d3f-11f0-8124-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe874bff640 source=XrdFstOfsFile:820              tident=jalien.3596895:60@aliendb10.cern.ch sec=(null) uid=10367 gid=1395 name=nobody geo="" xt="" ob="" open-duration=0.572ms path="/14/60346/ad5b521d-7d3f-11f0-9071-024282dad15e" fxid=00001935 path::print=0.272ms creation::barrier=0.077ms layout::exists=0.005ms clone::fst=0.015ms layout::open=0.016ms layout::opened=0.074ms get::localfmd=0.000ms resync::localfmd=0.085ms layout::stat=0.001ms layout::stat=0.000ms fileio::object=0.026ms open::accounting=0.000ms end=0.001ms open=0.572ms
250820 06:01:43 time=1755637303.274276 func=stat                     level=INFO  logid=b4e99568-7d3f-11f0-8124-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe874bff640 source=XrdFstOfsFile:1312             tident=jalien.3596895:60@aliendb10.cern.ch sec=      uid=10367 gid=1395 name=nobody geo="" xt="" ob="" path=/14/60346/ad5b521d-7d3f-11f0-9071-024282dad15e fxid=00001935 size=10 mtime=1755637299.31271450
250820 06:01:43 time=1755637303.527083 func=VerifyChecksum           level=INFO  logid=b4e99568-7d3f-11f0-8124-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe874bff640 source=XrdFstOfsFile:3492             tident=jalien.3596895:60@aliendb10.cern.ch sec=      uid=10367 gid=1395 name=nobody geo="" xt="" ob="" msg="read checksum info" xs_type=adler xs_computed=14b8033b xs_local=14b8033b fxid=00001935 fsid=2
250820 06:01:43 time=1755637303.779632 func=VerifyChecksum           level=INFO  logid=b4e99568-7d3f-11f0-8124-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe874bff640 source=XrdFstOfsFile:3492             tident=jalien.3596895:60@aliendb10.cern.ch sec=      uid=10367 gid=1395 name=nobody geo="" xt="" ob="" msg="read checksum info" xs_type=adler xs_computed=14b8033b xs_local=14b8033b fxid=00001935 fsid=2
250820 06:01:43 time=1755637303.779662 func=_close                   level=INFO  logid=static.............................. unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe874bff640 source=XrdFstOfsFile:1592             tident= sec=(null) uid=0 gid=0 name=- geo="" xt="" ob="" msg="log=b4e99568-7d3f-11f0-8124-40a6b741b044&path=/eos/hu/alice/14/60346/ad5b521d-7d3f-11f0-9071-024282dad15e&fstpath=/eos2/00000000/00001935&ruid=10367&rgid=1395&td=jalien.3596895:60@aliendb10.cern.ch&host=nfs12.aligrid.hiroshima-u.ac.jp&lid=1048578&fid=6453&fsid=2&ots=1755637303&otms=273&cts=1755637303&ctms=779&nrc=1&nwc=0&rb=10&rb_min=10&rb_max=10&rb_sigma=0.00&rv_op=0&rvb_min=0&rvb_max=0&rvb_sum=0&rvb_sigma=0.00&rs_op=0&rsb_min=0&rsb_max=0&rsb_sum=0&rsb_sigma=0.00&rc_min=0&rc_max=0&rc_sum=0&rc_sigma=0.00&wb=0&wb_min=0&wb_max=0&wb_sigma=0.00&sfwdb=0&sbwdb=0&sxlfwdb=0&sxlbwdb=0&nfwds=0&nbwds=0&nxlfwds=0&nxlbwds=0&usage=0.13&iot=505.954&idt=505.282&lrt=0.081&lrvt=0.000&lwt=0.000&ot=0.572&ct=0.019&rt=0.06&rvt=0.00&wt=0.00&osize=10&csize=10&delete_on_close=0&prio_c=2&prio_l=4&prio_d=1&forced_bw=0&ms_sleep=0&ior_err=0&iow_err=0&sec.prot=unix&sec.name=jalien&sec.host=aliendb10.cern.ch&sec.vorg=&sec.grps=jalien&sec.role=&sec.info=&sec.app=JCentral"
250820 06:01:43 time=1755637303.779669 func=_close                   level=INFO  logid=b4e99568-7d3f-11f0-8124-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe874bff640 source=XrdFstOfsFile:1615             tident=jalien.3596895:60@aliendb10.cern.ch sec=      uid=10367 gid=1395 name=nobody geo="" xt="" ob="" msg="done close" rc=0 errc=0
250820 06:01:44 2024503 XrootdXeq: jalien.3596895:60@aliendb10.cern.ch disc 0:00:02

About open:

jalien

250820 06:01:38 time=1755637298.912179 func=open                     level=INFO  logid=b1a555ae-7d3f-11f0-aa10-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe886ffb640 source=XrdFstOfsFile:183              tident=jalien.3595834:59@aliendb10.cern.ch sec=unix  uid=0 gid=0 name=jalien geo="" xt="" ob="" path=/14/60346/ad5b521d-7d3f-11f0-9071-024282dad15e info=cap.msg=<...>&cap.sym=<...>&eos.app=JCentral&eos.clientinfo=zbase64:MDAwMDAwNzN4nBXIQQ6EIAxA0avMBWzExIUkPQxCKzUKpEDM3F7Zvf9zoWS14QJm/Um2+4OSeKj6SAHnwfYvhHtnJqUwRlHJGIhdv9rob4uSb5i4mgXcJYdKgCiaa5TbTR2ch7NYM2/rCzFxKI8=&mgm.id=00001935&mgm.logid=b1a555ae-7d3f-11f0-aa10-40a6b741b044&mgm.replicahead=0&mgm.replicaindex=0&oss.asize=10&scitag.flow=336&tried=nfs11.aligrid.hiroshima-u.ac.jp&triedrc=srverr open_mode=100200

nobody

250820 06:01:38 time=1755637298.912449 func=open                     level=INFO  logid=b1a555ae-7d3f-11f0-aa10-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe886ffb640 source=XrdFstOfsFile:543              tident=jalien.3595834:59@aliendb10.cern.ch sec=(null) uid=10367 gid=1395 name=nobody geo="" xt="" ob="" path=/eos2/00000000/00001935 open-mode=100300 create-mode=41a4 layout-name=plain oss-opaque=&mgm.lid=1048578&mgm.bookingsize=10

summary

250820 06:01:38 time=1755637298.912993 func=open                     level=INFO  logid=b1a555ae-7d3f-11f0-aa10-40a6b741b044 unit=fst@nfs12.aligrid.hiroshima-u.ac.jp:1095 tid=00007fe886ffb640 source=XrdFstOfsFile:820              tident=jalien.3595834:59@aliendb10.cern.ch sec=(null) uid=10367 gid=1395 name=nobody geo="" xt="" ob="" open-duration=0.819ms path="/14/60346/ad5b521d-7d3f-11f0-9071-024282dad15e" fxid=00001935 path::print=0.188ms creation::barrier=0.044ms layout::exists=0.004ms clone::fst=0.051ms layout::open=0.010ms layout::opened=0.219ms get::localfmd=0.001ms resync::localfmd=0.123ms layout::stat=0.002ms full::mutex=0.001ms layout::fallocate=0.001ms layout::fallocated=0.008ms fileio::object=0.137ms open::accounting=0.028ms end=0.002ms open=0.819ms

Is the cause that the file can be opened by nobody?
Or is this normal behavior?

Best regards,
Takuma

Hi Takuma! To check ALICE authorization you should check the logs on mgm (see which one is the elected master, in eos status section services:) for loglines that start with XrdAliceTokenAcc::

example from mine:
[Wednesday 20.08.25 08:43] root@mgm2 : /var/log/eos/mgm $
tail -n 100 xrdlog.mgm | grep XrdAliceTokenAcc
250820 08:43:25 2540 XrdAliceTokenAcc::Access: [ 2540 ] Time for Authz decoding: 0.278 ms / 0.272ms =>/11/50304/273c8637-7d88-11f0-800d-b640737227d3
250820 08:43:25 2540 XrdAliceTokenAcc::Access: [ 2540 ] access granted for path /11/50304/273c8637-7d88-11f0-800d-b640737227d3
250820 08:43:25 2546 XrdAliceTokenAcc::Access: [ 2546 ] Time for Authz decoding: 0.279 ms / 0.273ms =>/14/18230/5b6dc8e9-7d88-11f0-800d-728b7646c7c4
250820 08:43:25 2546 XrdAliceTokenAcc::Access: [ 2546 ] access granted for path /14/18230/5b6dc8e9-7d88-11f0-800d-728b7646c7c4
250820 08:43:26 2552 XrdAliceTokenAcc::Access: [ 2552 ] Time for Authz decoding: 0.27 ms / 0.265ms =>/13/22598/81ff6676-7d88-11f0-800c-ac1f6b56e0e6
250820 08:43:26 2552 XrdAliceTokenAcc::Access: [ 2552 ] access granted for path /13/22598/81ff6676-7d88-11f0-800c-ac1f6b56e0e6
250820 08:43:26 2558 XrdAliceTokenAcc::Access: [ 2558 ] Time for Authz decoding: 0.274 ms / 0.269ms =>/09/55458/04ede434-7d88-11f0-800d-7e24b071327d
250820 08:43:26 2558 XrdAliceTokenAcc::Access: [ 2558 ] access granted for path /09/55458/04ede434-7d88-11f0-800d-7e24b071327d
250820 08:43:27 2564 XrdAliceTokenAcc::Access: [ 2564 ] Time for Authz decoding: 0.267 ms / 0.261ms =>/10/39541/5e370d5f-7d88-11f0-800d-b63a6b13a56a
250820 08:43:27 2564 XrdAliceTokenAcc::Access: [ 2564 ] access granted for path /10/39541/5e370d5f-7d88-11f0-800d-b63a6b13a56a
250820 08:43:27 2570 XrdAliceTokenAcc::Access: [ 2570 ] Time for Authz decoding: 0.265 ms / 0.26ms =>/13/16414/9854d7f4-7d88-11f0-800d-fa163e4e6054
250820 08:43:27 2570 XrdAliceTokenAcc::Access: [ 2570 ] access granted for path /13/16414/9854d7f4-7d88-11f0-800d-fa163e4e6054
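
The check described in the post above (look in xrdlog.mgm on the active MGM for `XrdAliceTokenAcc` lines), as an added Python example that is not part of the post or of the EOS code. The function name and verdict labels are hypothetical; only the two message shapes shown in the excerpt are parsed, and any other plugin message is kept verbatim for review.

```python
import re

# Message shapes copied from the xrdlog.mgm excerpt in the post above.
PREFIX = (r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2}) (?P<tid>\d+) "
          r"XrdAliceTokenAcc::Access: \[ \d+ \] ")
DECODE = re.compile(PREFIX + r"Time for Authz decoding: (?P<ms>[\d.]+) ms / "
                             r"[\d.]+ ?ms =>(?P<path>\S+)")
GRANT = re.compile(PREFIX + r"access granted for path (?P<path>\S+)")


def authz_activity(lines):
    """Summarise what the token plugin logged in a window of xrdlog.mgm."""
    decisions = {}      # (thread id, path) -> {"decode_ms", "granted"}
    unparsed = []       # plugin messages whose wording is not on this page
    total = plugin_lines = 0
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        total += 1
        if "XrdAliceTokenAcc" not in line:
            continue
        plugin_lines += 1
        match = DECODE.match(line) or GRANT.match(line)
        if match is None:
            unparsed.append(line)
            continue
        entry = decisions.setdefault((match["tid"], match["path"]),
                                     {"decode_ms": None, "granted": False})
        if match.re is DECODE:
            entry["decode_ms"] = float(match["ms"])
        else:
            entry["granted"] = True
    if total == 0:
        verdict = "empty-log"
    elif plugin_lines == 0:
        # Requests were served but the plugin logged no decision at all.
        verdict = "plugin-silent"
    elif unparsed or not all(d["granted"] for d in decisions.values()):
        verdict = "review"
    else:
        verdict = "all-granted"
    return {"verdict": verdict, "plugin_lines": plugin_lines,
            "decisions": decisions, "unparsed": unparsed}


# First four lines of the excerpt in the post above.
GRANTED_SAMPLE = """\
250820 08:43:25 2540 XrdAliceTokenAcc::Access: [ 2540 ] Time for Authz decoding: 0.278 ms / 0.272ms =>/11/50304/273c8637-7d88-11f0-800d-b640737227d3
250820 08:43:25 2540 XrdAliceTokenAcc::Access: [ 2540 ] access granted for path /11/50304/273c8637-7d88-11f0-800d-b640737227d3
250820 08:43:25 2546 XrdAliceTokenAcc::Access: [ 2546 ] Time for Authz decoding: 0.279 ms / 0.273ms =>/14/18230/5b6dc8e9-7d88-11f0-800d-728b7646c7c4
250820 08:43:25 2546 XrdAliceTokenAcc::Access: [ 2546 ] access granted for path /14/18230/5b6dc8e9-7d88-11f0-800d-728b7646c7c4
""".splitlines()

# Constructed sample: a window with client sessions but no plugin output
# (line shape modelled on the XrootdXeq lines in the xrdlog.fst excerpt).
SILENT_SAMPLE = """\
250820 06:01:38 2021834 XrootdXeq: jalien.3595834:59@aliendb10.cern.ch pub IP46 login as jalien
250820 06:01:39 2021834 XrootdXeq: jalien.3595834:59@aliendb10.cern.ch disc 0:00:01
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("granted", GRANTED_SAMPLE), ("silent", SILENT_SAMPLE)):
        result = authz_activity(sample)
        print(name, result["verdict"], result["plugin_lines"])
```
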

Hello, Takuma.

I found a difference between our configuration and yours.

On TkAuthz.Authorization, we set “CERT:IGNORE”.

RULE     PATH:/ AUTHZ:delete|read|write|write-once| NOAUTHZ:| VO:| CERT:IGNORE

However, you configured it as "CERT:*". This could be the root cause of the issue. Instead, you might want to use CERT:IGNORE or one of the options recommended by ChatGPT. Here’s an example:

# Key mapping: necessary VO only
KEY     VO:alice   PRIVKEY:/etc/grid-security/xrootd/privkey.pem   PUBKEY:/etc/grid-security/xrootd/pubkey.pem

# Subdirectory should be set first
RULE    PATH:/public            AUTHZ:write|delete|write-once   NOAUTHZ:read      VO:alice   CERT:*/CN=trusted-issuer
# Root directory should be set last
RULE    PATH:/                  AUTHZ:read|write|delete|write-once                 VO:alice   CERT:*/CN=trusted-issuer

# EXPORT can be rejected
EXPORT  PATH:/public            VO:alice   ACCESS:ALLOW   CERT:*/CN=trusted-issuer
EXPORT  PATH:/                  VO:alice   ACCESS:DENY    CERT:*

Also, in my configuration, it seems that regular users can still access the directory and view the list of files. However, read and write operations are restricted. I’m not entirely sure if this permission setup is correct.

After reviewing the details again, it seems that CERT:IGNORE is actually a less secure setting.

It is likely that limitations from other RULE entries or overlapping configurations caused the observed behavior. I will check the details further.

However, we used the configuration below, like “https://github.com/cern-eos/xrootd-alicetokenacc/blob/xrootd4/.authz/xrootd/TkAuthz.Authorization”.

EXPORT   PATH:/ VO:*     ACCESS:ALLOW CERT:*
RULE     PATH:/ AUTHZ:delete|read|write|write-once| NOAUTHZ:| VO:*| CERT:IGNORE
RULE     PATH:/eos/alice/user/ AUTHZ:| NOAUTHZ:delete|read|write|write-once| VO:*| CERT:IGNORE
KEY VO:* PRIVKEY:/etc/grid-security/xrootd/privkey.pem PUBKEY:/etc/grid-security/xrootd/pubkey.pem

Regards,

– Geonmo

Sorry to bother you, but could you additionally provide the “sec”-related settings in the xrd.cf.mgm configuration?

I want to check if options like sec.protocol or sec.protobind are different from ours.

# UNIX authentication
sec.protocol unix
# SSS authentication
sec.protocol sss -c /etc/eos.keytab -s /etc/eos.keytab

sec.protbind * only sss unix
sec.protbind localhost.localdomain sss unix
sec.protbind localhost sss unix

Regards,

– Geonmo

Hi guys! So, for reference this is the upstream eos setting

I have these:

cat /etc/grid-security/xrootd/TkAuthz.Authorization
KEY VO:*    PRIVKEY:/etc/grid-security/xrootd/privkey.pem   PUBKEY:/etc/grid-security/xrootd/pubkey.pem
RULE    PATH:/eos/alice/ops/     AUTHZ:|                                NOAUTHZ:delete|read|write|write-once|   VO:ops      CERT:*
RULE    PATH:/ops/               AUTHZ:|                                NOAUTHZ:delete|read|write|write-once|   VO:ops      CERT:*
RULE    PATH:/eos/alice/dteam/   AUTHZ:|                                NOAUTHZ:delete|read|write|write-once|   VO:dteam    CERT:*
RULE    PATH:/dteam/             AUTHZ:|                                NOAUTHZ:delete|read|write|write-once|   VO:dteam    CERT:*
RULE    PATH:/                   AUTHZ:delete|read|write|write-once|    NOAUTHZ:|                               VO:|       CERT:
EXPORT  PATH:/  VO:*    ACCESS:ALLOW    CERT:*

as for settings in xrd.cf.mgm:

# UNIX authentication
sec.protocol unix
# SSS authentication
sec.protocol sss -c /etc/eos.keytab -s /etc/eos.keytab
sec.protbind localhost.localdomain sss unix
sec.protbind localhost sss unix
sec.protbind * only sss unix

Hello Geonmo and Adrian !

I checked the log on the mgm leader.

eos status
[root@grid04 playbooks]# eos status
instance: eoshu
          health:     OK
          nodes:      fst       3 online on
          versions:   mgm       1 5.3.15-1
                      qdb
                      fst       3 5.3.16-1

services:
                      grid05.aligrid.hiroshima-u.ac.jp:1094 (active)
                      namespace [booted] [1 s]
                      qdb []

storage:  data:       default    (1.62 PB total / 0.01 PB used 1.61 PB free / 1.61 PB avail )
          meta-data:  74 files 474 directories
          groups:               3 default on
          filesystems:          3   stat
          scheduler:      80% (fill limit)

clients:  7 clients
          auth:                 1 sss   (XRoot)
                                1 unix  (JCentral)
                                1 unix  (XRoot)
          io:          IN  OUT

          fuse :      0 clients (0 active) caps 0 locked 0

                      v:
                      t:
                      h:

There is nothing about XrdAliceTokenAcc…

[root@grid05 mgm]# tail -n 1000 xrdlog.mgm | grep XrdAliceTokenAcc
[root@grid05 mgm]# cat xrdlog.mgm | grep XrdAliceTokenAcc
[root@grid05 mgm]#

In xrd.cf.mgm, I use these sec- settings for authentication:

# UNIX authentication
sec.protocol unix

# SSS authentication
sec.protocol sss -c /etc/eos.keytab -s /etc/eos.keytab
sec.protbind localhost.localdomain sss unix
sec.protbind localhost sss unix
sec.protbind * only sss unix

This time, I use this TkAuthz.Authorization file.

KEY VO:*    PRIVKEY:/etc/grid-security/xrootd/privkey.pem   PUBKEY:/etc/grid-security/xrootd/pubkey.pem
RULE    PATH:/                   AUTHZ:delete|read|write|write-once|    NOAUTHZ:|                               VO:*|       CERT:*
EXPORT  PATH:/  VO:*    ACCESS:ALLOW    CERT:*

The test failed due to the open write, read, … tests.
And I used this file using `CERT:IGNORE`:

KEY VO:*    PRIVKEY:/etc/grid-security/xrootd/privkey.pem   PUBKEY:/etc/grid-security/xrootd/pubkey.pem
RULE    PATH:/                   AUTHZ:delete|read|write|write-once|    NOAUTHZ:|                               VO:*|       CERT:IGNORE
EXPORT  PATH:/  VO:*    ACCESS:ALLOW    CERT:*

The test failed for the same reason…
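
The comparison the posts above make by hand (mgmofs.authorize and mgmofs.authlib, the alicetokenacc.noauthzhost list, and the AUTHZ/NOAUTHZ/CERT fields of each RULE), as an added Python example that is not part of the thread or of EOS or xrootd-alicetokenacc. The function names are hypothetical, and it assumes that NOAUTHZ lists operations allowed without a token and that noauthzhost exempts the named client hosts from the token check.

```python
# Assumed semantics (not confirmed on this page): AUTHZ = operations that need
# a token, NOAUTHZ = operations allowed without one, noauthzhost = client
# hosts exempt from the token check.
LOCAL_HOSTS = {"localhost", "localhost.localdomain"}


def parse_xrd_cf(text):
    """Return {directive: [argument strings]} for an xrd.cf.* file."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            args = parts[1].strip() if len(parts) > 1 else ""
            conf.setdefault(parts[0], []).append(args)
    return conf


def _ops(value):
    """Split 'delete|read|write|' into ['delete', 'read', 'write']."""
    return [op for op in value.split("|") if op]


def parse_tkauthz(text):
    """Parse the RULE lines of a TkAuthz.Authorization file."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] != "RULE":
            continue
        kv = dict(f.split(":", 1) for f in fields[1:] if ":" in f)
        rules.append({"path": kv.get("PATH", ""),
                      "authz": _ops(kv.get("AUTHZ", "")),
                      "noauthz": _ops(kv.get("NOAUTHZ", "")),
                      "vo": kv.get("VO", "").rstrip("|"),
                      "cert": kv.get("CERT", "")})
    return rules


def audit(xrd_cf_text, tkauthz_text):
    """Return (code, detail) findings for the settings the thread compares."""
    findings = []
    conf = parse_xrd_cf(xrd_cf_text)
    authorize = conf.get("mgmofs.authorize", [])
    if set(authorize) != {"1"}:
        findings.append(("authorize-not-enabled", ",".join(authorize)))
    if not conf.get("mgmofs.authlib"):
        findings.append(("authlib-missing", ""))
    for host in conf.get("alicetokenacc.noauthzhost", []):
        if host not in LOCAL_HOSTS:
            findings.append(("noauthzhost", host))
    rules = parse_tkauthz(tkauthz_text)
    if not rules:
        findings.append(("no-rule-lines", ""))
    for rule in rules:
        if rule["noauthz"]:
            detail = rule["path"] + ": " + ",".join(sorted(rule["noauthz"]))
            findings.append(("ops-without-token", detail))
    return findings


# Abridged from the xrd.cf.mgm excerpt in the first post of the thread.
HIROSHIMA_XRD_CF = """\
mgmofs.authlib /usr/lib64/libXrdAliceTokenAcc.so
mgmofs.authorize 1
alicetokenacc.noauthzhost    localhost
alicetokenacc.noauthzhost    localhost.localdomain
# MGMs
alicetokenacc.noauthzhost   grid04.aligrid.hiroshima-u.ac.jp
# FSTs
alicetokenacc.noauthzhost   nfs11.aligrid.hiroshima-u.ac.jp
"""
# TkAuthz.Authorization as posted for the Hiroshima site.
HIROSHIMA_TKAUTHZ = """\
KEY     VO:*    PRIVKEY:/etc/grid-security/xrootd/privkey.pem   PUBKEY:/etc/grid-security/xrootd/pubkey.pem
RULE    PATH:/                   AUTHZ:delete|read|write|write-once|    NOAUTHZ:|                               VO:*|       CERT:*
EXPORT  PATH:/  VO:*    ACCESS:ALLOW    CERT:*
"""
# The four-line configuration quoted earlier in the thread with CERT:IGNORE.
QUOTED_TKAUTHZ = """\
EXPORT   PATH:/ VO:*     ACCESS:ALLOW CERT:*
RULE     PATH:/ AUTHZ:delete|read|write|write-once| NOAUTHZ:| VO:*| CERT:IGNORE
RULE     PATH:/eos/alice/user/ AUTHZ:| NOAUTHZ:delete|read|write|write-once| VO:*| CERT:IGNORE
KEY VO:* PRIVKEY:/etc/grid-security/xrootd/privkey.pem PUBKEY:/etc/grid-security/xrootd/pubkey.pem
"""
# Constructed: the same plugin settings with only local hosts exempted.
LOCAL_ONLY_XRD_CF = """\
mgmofs.authlib /usr/lib64/libXrdAliceTokenAcc.so
mgmofs.authorize 1
alicetokenacc.noauthzhost localhost
"""

if __name__ == "__main__":
    for code, detail in audit(HIROSHIMA_XRD_CF, HIROSHIMA_TKAUTHZ):
        print("hiroshima:", code, detail)
    for code, detail in audit(LOCAL_ONLY_XRD_CF, QUOTED_TKAUTHZ):
        print("quoted:", code, detail)
```

On the Hiroshima files this reports only the extra noauthzhost entries, which matches the thread: the posted RULE line already lists every operation under AUTHZ, so these files alone do not account for the failing open tests.
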

Hello, Takuma.

If it’s not a problem, could you tell me where I can get the testSE script? I’m wondering if we can test our site with that script.

Also, have you tried testing whether you can read files directly by entering the server with the xrdfs command?

Regards,

– Geonmo

Hi Geonmo,

testSE is a JAliEn command, you can use it with -v and -c to print the full xrdcp command lines and the returned output.

For KISTI the auth constraints work correctly:

> testSE -v -c ALICE::KISTI_GSDC::EOS
ALICE::KISTI_GSDC::EOS
Open write test: cannot write (expected)
/usr/bin/xrdcp exited with exit code 54: [ERROR] Server responded with an error: [3010] Unable to create /15/24317/d8e734b2-7e4f-11f0-83ef-000000000000; Permission denied (destination)

Authenticated write test: could write (expected)
/usr/bin/xrdcp --nopbar --verbose --force --posc --cksum md5:source /etc/hostname 'root://eos-disk.sdfarm.kr:1094//15/24317/d8e734b2-7e4f-11f0-83ef-000000000000?authz=-----BEGIN SEALED CIPHER-----

The only test that doesn’t pass there is reading back on HTTP but that’s a different story.

Cheers,

.costin

Hello, Takuma.

According to Costin, our site, which has the same settings, is appropriately protected, but the Hiroshima site is not, so it seems that there is a problem somewhere we haven’t thought of.

Just in case, please check the directories for ownership and permissions.

For reference, ours are as follows.

EOS Console [root://localhost] |/eos/alicekistigsdc/grid/> ls -l
drwxr-sr-x 1 10367 1395 342521748747376 Jul 29 12:19 00
drwxr-sr-x 1 10367 1395 342557526998996 Aug 14 12:10 01
….
-rw-r--r-- 1 10367 1395 10485760 Feb 23 2024 file-10mb
-rw-r--r-- 1 10367 1395 10459447 Mar 14 2024 file-10mb.add
-rw-r----- 1 10367 1395 1073741824 Feb 16 2024 file-1g
-rw-r----- 1 root root 97366494 Jan 29 2024 xfer-test.dat-alice-t1-eos-mgm01
-rw-r----- 1 10367 1395 97366494 Jan 29 2024 xfer-test.dat-alice-t1-vobox02
-rw-r--r-- 1 10367 1395 97366494 Feb 15 2024 xfer-test.dat-alice-t1-vobox02.xrdcp
-rw-r----- 1 10367 1395 97366494 Jan 29 2024 xfer-test.dat-to-rbod01

I have no idea about anything else.

Regards,

– Geonmo

P.S. (Costin, thank you for the information.)

Hello Geonmo,

It looks the same…
These are the ownership and permissions of our directories.

EOS Console [root://localhost] |/eos/hu/> ls -l
drwxr-sr-x   1 aliprod  alice               0 Jul 17 20:33 alice
drwxr-xr-x   1 root     root            20480 Jan  1  1970 proc
EOS Console [root://localhost] |/eos/hu/> cd alice/
EOS Console [root://localhost] |/eos/hu/alice/> ls -l
drwxr-sr-x   1 aliprod  alice               0 Aug 25 10:57 00
drwxr-sr-x   1 aliprod  alice               0 Aug 22 17:57 01
drwxr-sr-x   1 aliprod  alice               0 Aug 25 06:57 02
...
drwxr-sr-x   1 aliprod  alice               0 Aug 25 08:57 13
drwxr-sr-x   1 aliprod  alice               0 Aug 24 11:57 14
drwxr-sr-x   1 aliprod  alice               0 Aug 25 07:57 15

I’ll recheck the mgm and fst configuration and directories.

Best regards,
Takuma

Hi!!
We checked the mgm and fst configuration and the permissions and ownership of the directories, and restarted all eos services.
But I can’t pass the open write/read/delete test. :smiling_face_with_tear:

testSE ALICE::Hiroshima::EOS
 >testSE ALICE::Hiroshima::EOS
ALICE::HIROSHIMA::EOS
  Open write test: could write,  (NOT OK), please check authorization configuration
  Open read test: reading worked (NOT OK) please check authorization configuration
  Open delete test: delete worked (NOT OK)
  Authenticated write test: could write (expected)
  Authenticated read: file read back ok (expected)
  Authenticated delete: delete worked ok (expected)
  Space information:
Path:  /
Total: 1.44 PB (LDAP setting: 1582914076672)
Free:  1.434 PB
Used:  5.479 TB
Chunk: 64 GB
Version: Xrootd 5.8.4
  LDAP information:
SE: seName: ALICE::HIROSHIMA::EOS
seNumber        : 428
seVersion       : 0
qos     : [test]
seioDaemons     : root://eos.aligrid.hiroshima-u.ac.jp:1094
seStoragePath   : /
seSize: : 1582914076672
seUsedSpace     : 33
seNumFiles      : 3
seMinSize       : 0
seType  : File
exclusiveUsers  : []
seExclusiveRead : []
seExclusiveWrite        : []
options:        {}

The mgm services still don’t read TkAuthz.Authorization. There is nothing about authorization in the mgm master log file.

[root@grid04 ~]# tail -n 100 /var/log/eos/mgm/xrdlog.mgm | grep XrdAliceTokenAcc

Any advice would be appreciated.
I attached the current settings.

Thanks in advance.
Takuma

Details:
stat output relating to TkAuthz.Authorization

[root@grid04 ~]# stat /etc/grid-security/xrootd/TkAuthz.Authorization
  File: /etc/grid-security/xrootd/TkAuthz.Authorization
  Size: 285             Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 201597734   Links: 1
Access: (0600/-rw-------)  Uid: (    2/  daemon)   Gid: (    2/  daemon)
Context: system_u:object_r:etc_t:s0
Access: 2025-09-04 01:09:13.455865542 +0900
Modify: 2025-09-04 01:08:49.067335343 +0900
Change: 2025-09-04 01:09:03.011061829 +0900
 Birth: 2025-09-04 01:08:49.067335343 +0900
[root@grid04 ~]# stat /etc/grid-security/xrootd
  File: /etc/grid-security/xrootd
  Size: 72              Blocks: 0          IO Block: 4096   directory
Device: fd00h/64768d    Inode: 201566276   Links: 2
Access: (0700/drwx------)  Uid: (    2/  daemon)   Gid: (    2/  daemon)
Context: system_u:object_r:etc_t:s0
Access: 2025-09-04 03:56:15.757465443 +0900
Modify: 2025-09-04 01:08:49.067854156 +0900
Change: 2025-09-04 01:08:49.067854156 +0900
 Birth: 2025-05-10 17:04:24.781787639 +0900
[root@grid04 ~]# stat /etc/grid-security
  File: /etc/grid-security
  Size: 112             Blocks: 0          IO Block: 4096   directory
Device: fd00h/64768d    Inode: 167773889   Links: 5
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2025-09-04 01:08:14.869966547 +0900
Modify: 2025-08-28 17:04:23.672717205 +0900
Change: 2025-08-28 23:43:33.549857350 +0900
 Birth: 2025-05-10 17:03:39.546607021 +0900

eos vid setting

[root@grid04 ~]# eos vid ls
https:"<pwd>":gid => root
https:"<pwd>":uid => root
publicaccesslevel: => 1024
sss:"<pwd>":gid => root
sss:"<pwd>":uid => root
sudoer                 => uids(daemon)
tokensudo              => always
unix:"<pwd>":gid => alice
unix:"<pwd>":uid => aliprod

These are the configuration files for the EOS services.

[root@grid04 ~]# cat /etc/xrd.cf.mgm | grep sec.protocol
sec.protocol unix
sec.protocol sss -c /etc/eos.keytab -s /etc/eos.keytab
xrd.cf.mgm
###########################################################
set myName = ALICE::Hiroshima::EOS
all.sitename ALICE::Hiroshima::EOS

###########################################################
xrootd.fslib libXrdEosMgm.so
xrootd.seclib libXrdSec.so
xrootd.async off nosf
xrootd.chksum adler32
###########################################################

xrd.sched mint 8 maxt 256 idle 60
xrd.timeout hail 30 idle 300 kill 20 read 20

###########################################################
# caused this line?
all.export / nolock
all.role manager

###########################################################
xrd.port 1094

###########################################################
oss.fdlimit * max

###########################################################
# UNIX authentication
sec.protocol unix

# SSS authentication
sec.protocol sss -c /etc/eos.keytab -s /etc/eos.keytab
sec.protbind localhost.localdomain sss unix
sec.protbind localhost sss unix
sec.protbind * only sss unix

###########################################################
mgmofs.fs /
mgmofs.targetport 1095

mgmofs.centraldrain true

mgmofs.authlib /usr/lib64/libXrdAliceTokenAcc.so
mgmofs.authorize 1

alicetokenacc.multiprocess 32

alicetokenacc.truncateprefix /eos/hu/alice
alicetokenacc.noauthzhost    localhost
#alicetokenacc.noauthzhost    localhost.localdomain
# VOBOX
alicetokenacc.noauthzhost    grid01.aligrid.hiroshima-u.ac.jp
# MGMs
#alicetokenacc.noauthzhost   grid04.aligrid.hiroshima-u.ac.jp
#alicetokenacc.noauthzhost   grid05.aligrid.hiroshima-u.ac.jp
#alicetokenacc.noauthzhost   grid06.aligrid.hiroshima-u.ac.jp

# FSTs
#alicetokenacc.noauthzhost   nfs11.aligrid.hiroshima-u.ac.jp
#alicetokenacc.noauthzhost   nfs12.aligrid.hiroshima-u.ac.jp
#alicetokenacc.noauthzhost   nfs13.aligrid.hiroshima-u.ac.jp

###########################################################
#mgmofs.trace all debug

# this URL can be overwritten by EOS_BROKER_URL defined in /etc/sysconfig/eos
mgmofs.broker root://eos.aligrid.hiroshima-u.ac.jp:1097//eos/

# this name can be overwritten by EOS_INSTANCE_NAME defined in /etc/sysconfig/eos
mgmofs.instance eoshu

# configuration, namespace , transfer and authentication export directory
mgmofs.configdir /var/eos/config
mgmofs.metalog /var/eos/md
mgmofs.txdir /var/eos/tx
mgmofs.authdir /var/eos/auth
mgmofs.archivedir /var/eos/archive
mgmofs.qosdir /var/eos/qos

# report store path
mgmofs.reportstorepath /var/eos/report

# this defines the default config to load
mgmofs.autoloadconfig default
mgmofs.autosaveconfig true

# QoS configuration file
# mgmofs.qoscfg /var/eos/qos/qos.conf

###########################################################
# Config Engine Configuration
mgmofs.cfgtype quarkdb

# this has to be defined if we have a failover configuration via alias - can be overwritten by EOS_MGM_ALIAS in /etc/sysconfig/eos
mgmofs.alias eos.aligrid.hiroshima-u.ac.jp
###########################################################
# Set the FST gateway host and port
# mgmofs.fstgw someproxy.cern.ch:3001

#-------------------------------------------------------------------------------
# Configuration for the authentication plugin EosAuth
#-------------------------------------------------------------------------------
# Set the number of authentication worker threads running on the MGM
mgmofs.auththreads 16

# Set the front end port number for incoming authentication requests
#mgmofs.authport 15555

# By default we listen only on localhost connections - set to 0 if you want to allow remote access
#mgmofs.authlocal 1

#-------------------------------------------------------------------------------
# Set the namespace plugin implementation
#-------------------------------------------------------------------------------
mgmofs.nslib /usr/lib64/libEosNsQuarkdb.so

# Quarkdb custer configuration used for the namespace
mgmofs.qdbcluster grid04.aligrid.hiroshima-u.ac.jp:7777 grid05.aligrid.hiroshima-u.ac.jp:7777 grid06.aligrid.hiroshima-u.ac.jp:7777
mgmofs.qdbpassword_file /etc/quarkdb.pass

#-------------------------------------------------------------------------------
# Configuration for the MGM workflow engine
#-------------------------------------------------------------------------------

# The SSI protocol buffer endpoint for notification messages from "proto" workflow actions
#mgmofs.protowfendpoint HOSTNAME.2NDLEVEL.TOPLEVEL:10955
#mgmofs.protowfresource /SSI_RESOURCE

# Use gRPC?
# mgmofs.protowfusegrpc true

if exec xrootd
    xrd.protocol XrdHttp:8443 libXrdHttp.so
    http.exthandler EosMgmHttp libEosMgmHttp.so eos::mgm::http::redirect-to-https=1
    http.trace  false

    # host cert required !!!
    http.exthandler xrdtpc libXrdHttpTPC.so
    xrd.tls  /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem
    xrd.tlsca  certdir /etc/grid-security/certificates/

    # X509 Stuff
    # http.secxtractor  libXrdVoms.so
    # http.gridmap  /etc/grid-security/grid-mapfile

    # Macaroons
    # mgmofs.macaroonslib  libXrdMacaroons.so libXrdAccSciTokens.so
    # macaroons.secretkey  /etc/eos.macaroon.secret
    # macaroons.trace  all
fi

xrootd.monitor all flush 60s window 30s dest files info user grid01.aligrid.hiroshima-u.ac.jp:9930
[root@nfs11 ~]# cat /etc/sysconfig/eos_env | grep EOS_FST_NO_SSS_ENFORCEMENT=1
EOS_FST_NO_SSS_ENFORCEMENT=1
xrd.cf.fst
###########################################################
set MGM=eos.aligrid.hiroshima-u.ac.jp
###########################################################

###########################################################
set myName = Hiroshima
all.sitename ALICE::Hiroshima::EOS

xrootd.fslib -2 libXrdEosFst.so
xrootd.async off nosf
xrd.network keepalive
xrootd.redirect $(MGM):1094 chksum

# Specify when threads are created, how many can be created, and when they should be destroyed.
# https://xrootd.web.cern.ch/doc/dev57/xrd_config.htm#_Toc171719950
xrd.sched mint 16 avlt 24 idle 60 maxt 512

# Set timeout parameters for incoming connections
# https://xrootd.web.cern.ch/doc/dev57/xrd_config.htm#_Toc171719953
xrd.timeout hail 30 kill 10 read 20 idle 600

###########################################################
xrootd.seclib libXrdSec.so
sec.protocol unix
sec.protocol sss -c /etc/eos.keytab -s /etc/eos.keytab
sec.protbind * only unix sss

###########################################################
all.export / nolock
all.trace none
all.manager localhost 2131
#ofs.trace open

###########################################################
xrd.port 1095
ofs.persist off
ofs.osslib libEosFstOss.so
ofs.tpc pgm /opt/eos/xrootd/bin/xrdcp

###########################################################
# this URL can be overwritten by EOS_BROKER_URL defined /etc/sysconfig/xrd
fstofs.broker root://eos.aligrid.hiroshima-u.ac.jp:1097//eos/
fstofs.autoboot true
fstofs.quotainterval 10
fstofs.metalog /var/eos/md/
#fstofs.authdir /var/eos/auth/
#fstofs.trace client
###########################################################

# QuarkDB cluster info needed by FSCK to perform the namespace scan
fstofs.qdbcluster grid04.aligrid.hiroshima-u.ac.jp:7777 grid05.aligrid.hiroshima-u.ac.jp:7777 grid06.aligrid.hiroshima-u.ac.jp:7777
fstofs.qdbpassword_file /etc/quarkdb.pass

# Use gRPC?
#fstofs.protowfusegrpc true

fstofs.filemd_handler attr

#-------------------------------------------------------------------------------
# Configuration for XrdHttp http(s) service
#-------------------------------------------------------------------------------
if exec xrootd
    xrd.protocol XrdHttp:8001 libXrdHttp.so
    http.exthandler EosFstHttp /usr/lib64/libEosFstHttp.so none
    http.trace  false

    # HOST CERTS REQUIRED
    #http.exthandler  xrdtpc libXrdHttpTPC.so
    #xrd.tls  /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem
    #xrd.tlsca  certdir /etc/grid-security/certificates/
fi

xrootd.monitor all flush 60s window 30s dest files info user grid01.aligrid.hiroshima-u.ac.jp:9930

Hi,
can you check if you have all the dependencies like:

ldd /usr/lib64/libXrdAliceTokenAcc.so

Maybe paste the log file of the startup of the MGM.

Thanks Andreas.

Hi!

This is the output of `ldd /usr/lib64/libXrdAliceTokenAcc.so`.

mgm(grid04)
[root@grid04 ~]# ldd /usr/lib64/libXrdAliceTokenAcc.so
        linux-vdso.so.1 (0x00007f212a02e000)
        libXrdServer.so.3 => /lib64/libXrdServer.so.3 (0x00007f2129ee8000)
        libzmq.so.5 => /lib64/libzmq.so.5 (0x00007f2129e4e000)
        libcurl.so.4 => /lib64/libcurl.so.4 (0x00007f2129dac000)
        libxml2.so.2 => /lib64/libxml2.so.2 (0x00007f2129c23000)
        libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f2129600000)
        libssl.so.3 => /lib64/libssl.so.3 (0x00007f2129b3d000)
        libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f2129200000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f2129525000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f2129b21000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f2128e00000)
        libXrdUtils.so.3 => /lib64/libXrdUtils.so.3 (0x00007f21290dc000)
        libunwind.so.8 => /lib64/libunwind.so.8 (0x00007f212950b000)
        libsodium.so.23 => /lib64/libsodium.so.23 (0x00007f21294b2000)
        libpgm-5.2.so.0 => /lib64/libpgm-5.2.so.0 (0x00007f2129469000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f2129086000)
        libnghttp2.so.14 => /lib64/libnghttp2.so.14 (0x00007f212943f000)
        libidn2.so.0 => /lib64/libidn2.so.0 (0x00007f2129065000)
        libssh.so.4 => /lib64/libssh.so.4 (0x00007f2128d8b000)
        libpsl.so.5 => /lib64/libpsl.so.5 (0x00007f212942b000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f2128cb0000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f212904c000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f2129045000)
        libldap.so.2 => /lib64/libldap.so.2 (0x00007f2128c4a000)
        liblber.so.2 => /lib64/liblber.so.2 (0x00007f2129034000)
        libbrotlidec.so.1 => /lib64/libbrotlidec.so.1 (0x00007f2129026000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f212900c000)
        liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f2128c1e000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f212a030000)
        libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f2128b41000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f2128b30000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f2128b29000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f2128b15000)
        libunistring.so.2 => /lib64/libunistring.so.2 (0x00007f2128990000)
        libevent-2.1.so.7 => /lib64/libevent-2.1.so.7 (0x00007f2128937000)
        libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f2128917000)
        libbrotlicommon.so.1 => /lib64/libbrotlicommon.so.1 (0x00007f21288f4000)
        libcap.so.2 => /lib64/libcap.so.2 (0x00007f21288ea000)
        libgcrypt.so.20 => /lib64/libgcrypt.so.20 (0x00007f21287ae000)
        libzstd.so.1 => /lib64/libzstd.so.1 (0x00007f21286f7000)
        liblz4.so.1 => /lib64/liblz4.so.1 (0x00007f21286d3000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f21286a6000)
        libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f212866c000)
        libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007f2128646000)
        libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f21285aa000)

mgm(grid05)
[root@grid05 ~]# ldd /usr/lib64/libXrdAliceTokenAcc.so
        linux-vdso.so.1 (0x00007f2ad979d000)
        libXrdServer.so.3 => /lib64/libXrdServer.so.3 (0x00007f2ad9657000)
        libzmq.so.5 => /lib64/libzmq.so.5 (0x00007f2ad95bd000)
        libcurl.so.4 => /lib64/libcurl.so.4 (0x00007f2ad951b000)
        libxml2.so.2 => /lib64/libxml2.so.2 (0x00007f2ad9392000)
        libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f2ad8e00000)
        libssl.so.3 => /lib64/libssl.so.3 (0x00007f2ad8d1a000)
        libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f2ad8a00000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f2ad8c3f000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f2ad9376000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f2ad8600000)
        libXrdUtils.so.3 => /lib64/libXrdUtils.so.3 (0x00007f2ad88dc000)
        libunwind.so.8 => /lib64/libunwind.so.8 (0x00007f2ad935c000)
        libsodium.so.23 => /lib64/libsodium.so.23 (0x00007f2ad8883000)
        libpgm-5.2.so.0 => /lib64/libpgm-5.2.so.0 (0x00007f2ad883a000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f2ad85aa000)
        libnghttp2.so.14 => /lib64/libnghttp2.so.14 (0x00007f2ad9330000)
        libidn2.so.0 => /lib64/libidn2.so.0 (0x00007f2ad8819000)
        libssh.so.4 => /lib64/libssh.so.4 (0x00007f2ad8535000)
        libpsl.so.5 => /lib64/libpsl.so.5 (0x00007f2ad931a000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f2ad845a000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f2ad8441000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f2ad8c38000)
        libldap.so.2 => /lib64/libldap.so.2 (0x00007f2ad83db000)
        liblber.so.2 => /lib64/liblber.so.2 (0x00007f2ad8808000)
        libbrotlidec.so.1 => /lib64/libbrotlidec.so.1 (0x00007f2ad83cd000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f2ad83b3000)
        liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f2ad8387000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f2ad979f000)
        libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f2ad82aa000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f2ad8299000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f2ad8c2d000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f2ad8285000)
        libunistring.so.2 => /lib64/libunistring.so.2 (0x00007f2ad8100000)
        libevent-2.1.so.7 => /lib64/libevent-2.1.so.7 (0x00007f2ad80a7000)
        libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f2ad8087000)
        libbrotlicommon.so.1 => /lib64/libbrotlicommon.so.1 (0x00007f2ad8064000)
        libcap.so.2 => /lib64/libcap.so.2 (0x00007f2ad805a000)
        libgcrypt.so.20 => /lib64/libgcrypt.so.20 (0x00007f2ad7f1e000)
        libzstd.so.1 => /lib64/libzstd.so.1 (0x00007f2ad7e67000)
        liblz4.so.1 => /lib64/liblz4.so.1 (0x00007f2ad7e43000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f2ad7e16000)
        libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f2ad7ddc000)
        libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007f2ad7db6000)
        libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f2ad7d1a000)
mgm(grid06)
[root@grid06 ~]# ldd /usr/lib64/libXrdAliceTokenAcc.so
        linux-vdso.so.1 (0x00007f2a111fd000)
        libXrdServer.so.3 => /opt/eos/xrootd/lib64/libXrdServer.so.3 (0x00007f2a110b5000)
        libzmq.so.5 => /lib64/libzmq.so.5 (0x00007f2a1101b000)
        libcurl.so.4 => /lib64/libcurl.so.4 (0x00007f2a10f79000)
        libxml2.so.2 => /lib64/libxml2.so.2 (0x00007f2a10df0000)
        libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f2a10800000)
        libssl.so.3 => /lib64/libssl.so.3 (0x00007f2a1071a000)
        libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f2a10400000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f2a1063f000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f2a10dd4000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f2a10000000)
        libXrdUtils.so.3 => /opt/eos/xrootd//lib64/libXrdUtils.so.3 (0x00007f2a102db000)
        libunwind.so.8 => /lib64/libunwind.so.8 (0x00007f2a10dba000)
        libsodium.so.23 => /lib64/libsodium.so.23 (0x00007f2a10d5f000)
        libpgm-5.2.so.0 => /lib64/libpgm-5.2.so.0 (0x00007f2a10292000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f2a1023c000)
        libnghttp2.so.14 => /lib64/libnghttp2.so.14 (0x00007f2a10d35000)
        libidn2.so.0 => /lib64/libidn2.so.0 (0x00007f2a1021b000)
        libssh.so.4 => /lib64/libssh.so.4 (0x00007f2a0ff8b000)
        libpsl.so.5 => /lib64/libpsl.so.5 (0x00007f2a10d1f000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f2a0feb0000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f2a0fe97000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f2a10638000)
        libldap.so.2 => /lib64/libldap.so.2 (0x00007f2a0fe31000)
        liblber.so.2 => /lib64/liblber.so.2 (0x00007f2a1020a000)
        libbrotlidec.so.1 => /lib64/libbrotlidec.so.1 (0x00007f2a1062a000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f2a0fe17000)
        liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f2a0fdeb000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f2a111ff000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f2a0fdda000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f2a0fdd3000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f2a0fdbf000)
        libunistring.so.2 => /lib64/libunistring.so.2 (0x00007f2a0fc3a000)
        libevent-2.1.so.7 => /lib64/libevent-2.1.so.7 (0x00007f2a0fbe1000)
        libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f2a0fbc1000)
        libbrotlicommon.so.1 => /lib64/libbrotlicommon.so.1 (0x00007f2a0fb9e000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f2a0fb71000)
        libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f2a0fb37000)
        libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f2a0fa9b000)

grid04 and grid05 give the same output, but grid06 does not.

libXrdServer.so.3 => /lib64/libXrdServer.so.3 (0x00007f2ad9657000)
libXrdUtils.so.3 => /lib64/libXrdUtils.so.3 (0x00007f21290dc000)
libXrdServer.so.3 => /opt/eos/xrootd/lib64/libXrdServer.so.3 (0x00007f2a110b5000)
libXrdUtils.so.3 => /opt/eos/xrootd//lib64/libXrdUtils.so.3 (0x00007f2a102db000)

Thanks in advance.
Takuma
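
The by-hand comparison in the post above can be automated. This is an added example, not part of the original thread: a Python sketch that parses `ldd` output captured per host and reports every library whose resolved path differs between hosts or is missing on one of them. The function names are hypothetical, and the sample input is a small excerpt of the grid04 and grid06 outputs quoted above.

```python
import posixpath
import re

# ldd prints a load address after each path; it changes between runs and is ignored.
ADDR = re.compile(r"\s*\(0x[0-9a-fA-F]+\)\s*$")


def parse_ldd(text):
    """Return {soname: normalized resolved path} for one ldd output."""
    resolved = {}
    for line in text.splitlines():
        if "=>" not in line:
            continue  # shell prompt, linux-vdso and the bare ld-linux entry
        soname, _, target = line.partition("=>")
        target = ADDR.sub("", target).strip()
        if target != "not found":
            # Collapse "//" so /opt/eos/xrootd//lib64 and /opt/eos/xrootd/lib64 match.
            target = posixpath.normpath(target)
        resolved[soname.strip()] = target
    return resolved


def diff_hosts(outputs):
    """outputs maps host -> ldd text.

    Returns {soname: {host: path or None}} for every soname that does not
    resolve to the same path on all hosts (None = not listed on that host).
    """
    parsed = {host: parse_ldd(text) for host, text in outputs.items()}
    sonames = set().union(*parsed.values())
    report = {}
    for soname in sorted(sonames):
        per_host = {host: libs.get(soname) for host, libs in parsed.items()}
        if len(set(per_host.values())) > 1:
            report[soname] = per_host
    return report


# Excerpt of the outputs quoted in the post (most lines omitted for brevity).
SAMPLE = {
    "grid04": """
        linux-vdso.so.1 (0x00007f212a02e000)
        libXrdServer.so.3 => /lib64/libXrdServer.so.3 (0x00007f2129ee8000)
        libzmq.so.5 => /lib64/libzmq.so.5 (0x00007f2129e4e000)
        libXrdUtils.so.3 => /lib64/libXrdUtils.so.3 (0x00007f21290dc000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f212a030000)
        libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f2128b41000)
    """,
    "grid06": """
        linux-vdso.so.1 (0x00007f2a111fd000)
        libXrdServer.so.3 => /opt/eos/xrootd/lib64/libXrdServer.so.3 (0x00007f2a110b5000)
        libzmq.so.5 => /lib64/libzmq.so.5 (0x00007f2a1101b000)
        libXrdUtils.so.3 => /opt/eos/xrootd//lib64/libXrdUtils.so.3 (0x00007f2a102db000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f2a111ff000)
    """,
}

if __name__ == "__main__":
    for soname, per_host in diff_hosts(SAMPLE).items():
        print(soname)
        for host, path in sorted(per_host.items()):
            print(f"  {host}: {path or '(not listed)'}")
```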