Write and Read authorization error

Hi!
I have no idea how to load the public key.
I reset the mgm package.
The log about AliceToken appeared, but it cannot load the public key. So it is still not working.
This is /var/log/eos/mgm/xrdlog.mgm; there is something about XrdAliceTokenAcc.

++++++ (c) 2008 CERN/IT-DM-SMD AliceTokenAcc (Alice Token Access Authorization) v 1.0
=====> alicetokenacc.multiprocess: 32
=====> alicetokenacc.truncateprefix: /eos/hu/alice
=====> alicetokenacc.noauthzhost: localhost
=====> alicetokenacc.noauthzhost: grid01.aligrid.hiroshima-u.ac.jp
=====> XrdAliceTokenAcc: No Authorizationfile set via environment variable 'TTOKENAUTHZ_AUTHORIZATIONFILE'
=====> XrdAliceTokenAcc: Using Authorizationfile '/etc/grid-security/xrootd/TkAuthz.Authorization'!
=====> XrdAliceTokenAcc: Public key in use is /etc/grid-security/xrootd/pubkey.pem
=====> XrdAliceTokenAcc: Cannot load public key !
------ AliceTokenAcc Initialization Failed!
251002 21:26:59 3178901 MgmOfs_Config: Failed to get external authorization plugin object!

The keys are not broken.

[root@grid04 ~]# clush -w grid[04,05] "openssl rsa -in /etc/grid-security/xrootd/privkey.pem -check -noout"
grid04: RSA key ok
[root@grid04 ~]# diff -s <(openssl rsa -in /etc/grid-security/xrootd/privkey.pem -pubout) /etc/grid-security/xrootd/pubkey.pem
writing RSA key
Files /dev/fd/63 and /etc/grid-security/xrootd/pubkey.pem are identical

These are the details of the files and directories for XrdAliceToken.

[root@grid04 ~]# clush -w grid[04,05] "ls -l /etc/grid-security/xrootd/pubkey.pem"
grid04: -rw-r--r--. 1 daemon daemon 451 Oct  2 19:35 /etc/grid-security/xrootd/pubkey.pem
[root@grid04 ~]# clush -w grid[04,05] "ls -l /etc/grid-security/xrootd/privkey.pem"
grid04: -rw-------. 1 daemon daemon 1704 Oct  2 19:35 /etc/grid-security/xrootd/privkey.pem
[root@grid04 ~]# clush -w grid[04,05] "stat /etc/grid-security/xrootd/TkAuthz.Authorization"
grid04:   File: /etc/grid-security/xrootd/TkAuthz.Authorization
grid04:   Size: 285             Blocks: 8          IO Block: 4096   regular file
grid04: Device: fd00h/64768d    Inode: 201597734   Links: 1
grid04: Access: (0644/-rw-r--r--)  Uid: (    2/  daemon)   Gid: (    2/  daemon)
grid04: Context: system_u:object_r:etc_t:s0
grid04: Access: 2025-10-02 17:39:40.475518797 +0900
grid04: Modify: 2025-09-04 01:08:49.067335343 +0900
grid04: Change: 2025-10-02 17:28:57.509875035 +0900
grid04:  Birth: 2025-09-04 01:08:49.067335343 +0900
[root@grid04 ~]# clush -w grid[04,05] "stat /etc/grid-security/xrootd/"
grid04:   File: /etc/grid-security/xrootd/
grid04:   Size: 138             Blocks: 0          IO Block: 4096   directory
grid04: Device: fd00h/64768d    Inode: 201566276   Links: 2
grid04: Access: (0600/drw-------)  Uid: (    2/  daemon)   Gid: (    2/  daemon)
grid04: Context: system_u:object_r:etc_t:s0
grid04: Access: 2025-10-02 19:40:51.392713944 +0900
grid04: Modify: 2025-10-02 19:35:15.088040860 +0900
grid04: Change: 2025-10-02 19:35:15.088040860 +0900
grid04:  Birth: 2025-05-10 17:04:24.781787639 +0900
[root@grid04 ~]# clush -w grid[04,05] "stat /etc/grid-security/xrootd/"
grid04:   File: /etc/grid-security/xrootd/
grid04:   Size: 138             Blocks: 0          IO Block: 4096   directory
grid04: Device: fd00h/64768d    Inode: 201566276   Links: 2
grid04: Access: (0700/drwx------)  Uid: (    2/  daemon)   Gid: (    2/  daemon)
grid04: Context: system_u:object_r:etc_t:s0
grid04: Access: 2025-10-02 19:40:51.392713944 +0900
grid04: Modify: 2025-10-02 19:35:15.088040860 +0900
grid04: Change: 2025-10-02 21:26:26.392938103 +0900
grid04:  Birth: 2025-05-10 17:04:24.781787639 +0900
[root@grid04 ~]# clush -w grid[04,05] "stat /etc/grid-security/"
grid04:   File: /etc/grid-security/
grid04:   Size: 112             Blocks: 0          IO Block: 4096   directory
grid04: Device: fd00h/64768d    Inode: 167773889   Links: 5
grid04: Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
grid04: Context: system_u:object_r:etc_t:s0
grid04: Access: 2025-10-02 17:17:03.193608562 +0900
grid04: Modify: 2024-01-25 22:38:21.000000000 +0900
grid04: Change: 2025-10-02 15:01:11.435492309 +0900
grid04:  Birth: 2025-05-10 17:03:39.546607021 +0900

Hello, Takuma.

I thought all issues were resolved after the ATCF and didn’t consider checking the community page.

I assume you’ve already addressed the matter—could you please update me on the current status?

If the issue has been resolved, could you please check the box below to indicate that it has been resolved?

Regards,

– Geonmo

Hi Geonmo,

Sorry, I completely forgot to check this content after the ATCF.
I solved this issue by resetting all the files in grid-security/xrootd.

And the Hiroshima storage system is working now.

Thanks a lot for all the support.
Takuma

Hello Takuma.

It’s Prasun from Kolkata Tier2, India.

We have faced the same issues, i.e. User authentication failed; Decryption key not found. Also the error “3010 - Permission Denied Error” and the “[3005] Unable to Unable to give access - user access restricted - unauthorized identity used ; Permission denied” error.

Error Details

[root@eos-mgm ~]# eos root://eoskolkata.tier2-kol.res.in whoami
error: errc=3010 msg=“[ERROR] Error response: permission denied” (errc=3010) (Unknown error 3010)
[root@eos-mgm ~]# eos root://localhost whoami
Virtual Identity: uid=0 (0,3,65534) gid=0 (0,4,65534) [authz:sss] sudo* host=localhost domain=localdomain
[root@eos-mgm ~]#

As per your config files, i.e. xrd.cf.mgm and xrd.cf.fst, eos vid ls and TkAuthz.Authorization, we changed and cross-checked our config files as well. Then the 3010 and 3005 errors were closed in xrdlog.mgm. But we still get the 3010 error when copying and writing any files from /eos/alicekolkata/grid to the local box and vice versa with xrdcp and eoscp.

So, can you help us with what you did in your configuration? If possible, can you share the config files, i.e. /etc/sysconfig/eos and eos_env; /etc/eos/config (for MGM and FST; however xrd.cf.mgm and xrd.cf.fst are already shared)? Is there any role or requirement for “eos access ls” and “eos gateway”?

So, please advise us accordingly.

Regards
Prasun

Hi Prasun,

It has been a while since we configured our Hiroshima Tier-2 site, so I might have forgotten some small details, but I hope this helps :crossed_fingers:

We checked our configuration.
This is our eos_env file.

eos_env
[root@grid04 sysconfig]# cat eos_env
# Make sure that EOS-xrootd libs can be directly found
LD_LIBRARY_PATH=/opt/eos/xrootd/lib64

# Should we run with another limit on the core file size other than the default?
DAEMON_COREFILE_LIMIT=unlimited

# Preload jemalloc
LD_PRELOAD=/usr/lib64/libjemalloc.so

# Disable the KRB5 replay cache
KRB5RCACHETYPE=none

EOS_FST_POSIX_FALLOCATE=1

# What roles should the xroot daemon run for. For each role you can overwrite the default options using a dedicate sysconfig file e.g. /etc/sysconfig/xrd.<role>.
# The role based mechanism allows for multiple xrd's running with different options to be controlled via the same systemd script

#-------------------------------------------------------------------------------
# EOS roles - Systemd Services
#-------------------------------------------------------------------------------
XRD_ROLES="mq mgm"

#-------------------------------------------------------------------------------
# EOS Configuration
#-------------------------------------------------------------------------------

# The fully qualified hostname of current MGM
EOS_MGM_HOST='eos.aligrid.hiroshima-u.ac.jp'

# The fully qualified hostname of target MGM
# EOS_MGM_HOST_TARGET="grid05.aligrid.hiroshima-u.ac.jp"

# The EOS instance name N.B.! It MUST start with "eos" and then some alphanumeric characters
# This is important since there are some special files and directories created inside the /eos/<instance_name> subtree
# indispensable for the proper functioning of the instance.
EOS_INSTANCE_NAME='eoshu'

# The EOS configuration to load after daemon start
EOS_AUTOLOAD_CONFIG=default

# The EOS broker URL ; FOR FST USAGE USE THE FQDN OF THE MQ!!!!!
#20250805
EOS_BROKER_URL="root://eos.aligrid.hiroshima-u.ac.jp:1097//eos/"
#EOS_BROKER_URL="root://localhost:1097//eos/"

# The EOS host geo location tag used to sort hosts into geographical (rack) locations
# !!! REQUIRED !!! list of ":" separated tokens of up to 8 chars
EOS_GEOTAG="HU::ALICE"

# The fully qualified hostname of MGM master1
EOS_MGM_MASTER1='eos.aligrid.hiroshima-u.ac.jp'

# The fully qualified hostname of MGM master2
EOS_MGM_MASTER2='eos.aligrid.hiroshima-u.ac.jp'

# The alias which selects master 1 or 2
EOS_MGM_ALIAS='eos.aligrid.hiroshima-u.ac.jp'

# In HA mode, presence of this env enables the redirection of the read traffic from the slaves to the master
# EOS_HA_REDIRECT_READS=1

# The mail notification in case of fail-over
EOS_MAIL_CC="matsumoto@quark.hiroshima-u.ac.jp"
EOS_NOTIFY="mail -s $(date +%s)-$(hostname)-eos-notify $EOS_MAIL_CC"

# Enable core dumps initiated internally
#EOS_CORE_DUMP

# Disable shutdown/signal handlers for debugging
#EOS_NO_SHUTDOWN

# Enable coverage report signal handler
#EOS_COVERAGE_REPORT

# Enable QoS support
#EOS_ENABLE_QOS=""

# Allow UTF-8 path names excluding only CR,LF
#EOS_UTF8=""

# Add secondary group information from database/LDAP (set to 1 to enable)
#EOS_SECONDARY_GROUPS=0

# Do subtree accounting on directories (set to 1 to enable)
EOS_NS_ACCOUNTING=1

# Do sync time propagation (set to 1 to enable)
#EOS_SYNCTIME_ACCOUNTING=0

# Use std::shared_timed_mutex for the RWMutex implementation - uncomment to enable.
EOS_USE_SHARED_MUTEX=1

# By default statvfs reports the total space if the path deepness is < 4; If you want to report only quota accouting you can define
# EOS_MGM_STATVFS_ONLY_QUOTA=1

# If you only want to report the space acacounting you can define
# EOS_MGM_STATVFS_ONLY_SPACE=1

# If variable defined then enable the use of xrootd connection pool
# i.e. create/share different physical connections for transfers to the same destination xrootd server. By default this is disabled.
# This applies both in context of the MGM server when it comes to TPC jobs and also on the FST server for FST to FST transfers.
# EOS_XRD_USE_CONNECTION_POOL=1

# When xrootd connection pool is enabled, one can control the maximum number of physical connection that can be established with the destination server.
# The min value is 1 and the max 1024. By default this 1024.
# EOS_XRD_CONNECTION_POOL_SIZE=64

EOS_USE_MQ_ON_QDB=1
#-------------------------------------------------------------------------------
# FST Configuration
#-------------------------------------------------------------------------------

# Disable 'sss' enforcement to allow generic TPC
EOS_FST_NO_SSS_ENFORCEMENT=1

# Network interface to monitor (default eth0)
EOS_FST_NETWORK_INTERFACE="ens1f0np0"

# Specify in seconds how often FSTs should query for new delete operations
EOS_FST_DELETE_QUERY_INTERVAL=300

# Disable fast boot and always do a full resync when a fs is booting (default off)
# EOS_FST_NO_FAST_BOOT=0

# If variable defined then enable the use of xrootd connection pool i.e. create/share different physical connections for queries done from the FST
# to the MGM in the CallManager method. By default this is disabled.
# EOS_FST_CALL_MANAGER_XRD_POOL=1

# If CallManager xrootd connection pool is enabled one can set the maxium size of the pool of connections.
# The min value is 1, the max value is 32. By default the value is 10.
# EOS_FST_CALL_MANAGER_XRD_POOL_SIZE=16

# If variable defined use asynchronous (double-buffered) reading in TPCs - By default it is undefined = disabled
# EOS_FST_TPC_READASYNC=1

# Modify the TPC key validity which by default is 120 seconds
# EOS_FST_TPC_KEY_VALIDITY_SEC=120

# Control the asynchronous callback on close, if undefined or 0 then disabled, else if 1 then enabled.
# EOS_FST_ASYNC_CLOSE=0

# When asynchronous callback on close is enabled, one can use the following env variable to control
# the minimum size of files for which this gets triggered. If not specified then the values is 0 bytes.
# EOS_FST_ASYNC_CLOSE_MIN_SIZE_BYTES=0

# Enable internal stacktrace printing in the logs - this is useful especially for container environments where abrtd is not running
# EOS_FST_ENABLE_STACKTRACE=1

# Enable async writes between replicas - this can improve the performance for FSTs with long latency.
# EOS_FST_REPLICA_ASYNC_WRITE=1

# If this variable is present then deletion requests coming from the Fsck engine are actually
# performed as a move on the file system mount in a special directory called .eosdeletions. By default disabled.
# EOS_FST_FSCK_DELETE_BY_MOVE=1

# This variable overwrites the FST hostname in MGM redirection - use it when the internal name is different from the external name
# EOS_FST_ALIAS=""

# This variable overwrites the FST port in MGM redirection - use it when the internal name is different from the external name
# EOS_FST_PORT_ALIAS=1094

# Enable XrdIo read-ahead functionality. By default disabled ie. 0.
# EOS_FST_XRDIO_READAHEAD=0

# Force disable XrdIo read-ahead even if this is enabled by using the above env variable or through the fst.readahead opaque information.
# By default disabled ie. 0 This can be useful in case read-ahead needs to be disabled instance wide.
# EOS_FST_XRDIO_READAHEAD_FORCE_DISABLE=0

# In case XrdIo read-ahead is enabled this can control the number of blocks that are pre-fetched. By default this is set to 2.
# EOS_FST_XRDIO_READAHEAD_BLOCKS=2

# In case XrdIo read-ahead is enabled this controls the block size of requests that are pre-fetched. By default this is set to 1024*1024 (1MB).
# EOS_FST_XRDIO_READAHEAD_BLOCK_SIZE=1024*1024

# XFS filesystems will use file allocation, other filesystems like EXT4 and BTRFS will not use fallocation
# unless the following variable is defined (the value is not considered)

#-------------------------------------------------------------------------------
# GRPC Configuration
#-------------------------------------------------------------------------------

# GRPC port - set to 0 toi disable GRPC
# EOS_MGM_GRPC_PORT=50051

# GRPC security - define to enable SSL server
# EOS_MGM_GRPC_SSL_CERT
# EOS_MGM_GRPC_SSL_KEY
# EOS_MGM_GRPC_SSL_CA

#-------------------------------------------------------------------------------
# REST API dedicated GRPC service
#-------------------------------------------------------------------------------

# Enable the REST API support. The effect of this env variable depends if the code has been built with grpc-gateway (eos-grpc-gateway) support or not.
# To have a fully functional REST API both conditions (built-in support and env variable set to 1) need to be satisfied. Disabled by default i.e. 0.
EOS_MGM_ENABLE_REST_API=1

# Set the port for the internal GRPC server handling the REST API requests. Default value is 500054.
EOS_MGM_REST_GRPC_PORT=50054

#-------------------------------------------------------------------------------
# FUSEX Configuration
#-------------------------------------------------------------------------------

# Listener port of the ZMQ server used by FUSEx)
# EOS_MGM_FUSEX_PORT=1100

# Maximum number of 'listable' children
# EOS_MGM_FUSEX_MAX_CHILDREN=32768

#-------------------------------------------------------------------------------
# QuarkDB Configuration
#-------------------------------------------------------------------------------
EOS_USE_QDB_MASTER=1

#-------------------------------------------------------------------------------
# MGM TTY Console Broadcast Configuration
#-------------------------------------------------------------------------------

# define the log file where you want to grep
EOS_TTY_BROADCAST_LISTEN_LOGFILE="/var/log/eos/mgm/xrdlog.mgm"

# define the log file regex you want to broad cast to all consoles
EOS_TTY_BROACAST_EGREP="\"CRIT|ALERT|EMERG|PROGRESS\""

#-------------------------------------------------------------------------------
# MGM Namespace Preset Size - this can safe memory for large namespaces if you know an upper limit for the namespace size
#-------------------------------------------------------------------------------
# EOS_NS_DIR_SIZE=1000000
# EOS_NS_FILE_SIZE=1000000

# ------------------------------------------------------------------
# MGM Boot options
# ------------------------------------------------------------------

# uncomment to avoid mmaping a changelog file
# EOS_NS_BOOT_NOMMAP

# uncomment to speed up the scanning phase skipping CRC32 computation
EOS_NS_BOOT_NOCRC32=1

# uncomment to allow a multi-threaded boot process using maximum number of cores available
EOS_NS_BOOT_PARALLEL=1

# ------------------------------------------------------------------
# MGM FUSE configuration
# ------------------------------------------------------------------

# uncomment to change the minimum needed size available to create a new file
# EOS_MGM_FUSE_BOOKING_SIZE = 5368709120

# ------------------------------------------------------------------
# MGM 'xrdfs query space' configuration
# ------------------------------------------------------------------

# uncoment to set the EOS space name to be used by 'xrdfs query space' commands that do not explicitly specify an EOS space name
EOS_MGM_STATVFS_DEFAULT_SPACE="default"

# ------------------------------------------------------------------
# MGM Directory Listing Cache configuration

# set to 0 to disable listing cache for 'xrdfs ls' and 'eos ls', or a number with the number of dirs to cache
# EOS_MGM_LISTING_CACHE=1024

# ------------------------------------------------------------------
# MGM OIDC configuration
# ------------------------------------------------------------------

# by default the sub field is mapped from OIDC tokens
# EOS_MGM_OIDC_MAP_FIELD=sub

# by default (undefined) the server certificate and hostname are verified, to skip this, define
# EOS_MGM_OIDC_INSECURE=1

# ------------------------------------------------------------------
# MGM token generation configuration
# ------------------------------------------------------------------

# by default the token generation key is derived from an sss key
# EOS_MGM_TOKEN_KEYFILE=/etc/eos/token.key

# ------------------------------------------------------------------
# MGM Device Tracking
# ------------------------------------------------------------------
# change the interval at which the MGM takes out compressed JSON S.M.A.R.T info and publishes them
EOS_MGM_DEVICES_PUBLISHING_INTERVAL=900

# ------------------------------------------------------------------
# MGM SciToken Cache
# ------------------------------------------------------------------
XDG_CACHE_HOME=/var/tmp/

We also ran some tests from our MGM server.

[root@grid04 ~]# eos root://localhost whoami
Virtual Identity: uid=0 (0,2,3,65534) gid=0 (0,2,4,65534) [authz:sss] sudo* host=localhost domain=localdomain
[root@grid04 ~]# eos root://eos.aligrid.hiroshima-u.ac.jp whoami
Virtual Identity: uid=2 (2,65534) gid=2 (2,65534) [authz:sss] sudo* host=grid04.aligrid.hiroshima-u.ac.jp domain=aligrid.hiroshima-u.ac.jp

Next, we ran whoami against your eoskolkata server from Hiroshima.

[root@grid04 ~]# eos root://eoskolkata.tier2-kol.res.in whoami
Virtual Identity: uid=10367 (10367,65534) gid=1395 (1395) [authz:unix] host=grid04.aligrid.hiroshima-u.ac.jp domain=aligrid.hiroshima-u.ac.jp

You successfully recognized us as aliprod.

Could you check eos vid ls and /var/log/eos/mgm/xrdlog.mgm?
This is the eos vid ls output of our site.

[root@grid04 ~]# eos vid ls
https:"<pwd>":gid => root
https:"<pwd>":uid => root
publicaccesslevel: => 1024
sss:"<pwd>":gid => root
sss:"<pwd>":uid => root
sudoer                 => uids(daemon)
tokensudo              => always
unix:"<pwd>":gid => alice
unix:"<pwd>":uid => aliprod

Hope this helps you solve the issue.

Cheers,
Takuma


Our xrd.cf.mgm is here.

xrd.cf.mgm
[root@grid04 etc]# cat xrd.cf.mgm
###########################################################
set myName = ALICE::Hiroshima::EOS
all.sitename ALICE::Hiroshima::EOS

###########################################################
xrootd.fslib libXrdEosMgm.so
xrootd.seclib libXrdSec.so
xrootd.async off nosf
xrootd.chksum adler32
###########################################################

xrd.sched mint 8 maxt 256 idle 60
xrd.timeout hail 30 idle 300 kill 20 read 20

###########################################################
# caused this line?
all.export / nolock
all.role manager

###########################################################
xrd.port 1094

###########################################################
oss.fdlimit * max

###########################################################
# UNIX authentication
sec.protocol unix

# SSS authentication
sec.protocol sss -c /etc/eos.keytab -s /etc/eos.keytab
sec.protbind localhost.localdomain sss unix
sec.protbind localhost sss unix
sec.protbind * only sss unix

# for debug
xrd.trace all
ofs.trace all
mgmofs.trace all
acc.trace all
###########################################################
mgmofs.fs /
mgmofs.targetport 1095

mgmofs.centraldrain true

mgmofs.authlib /usr/lib64/libXrdAliceTokenAcc.so
mgmofs.authorize 1

alicetokenacc.multiprocess 32

alicetokenacc.truncateprefix /eos/hu/alice
alicetokenacc.noauthzhost    localhost
#alicetokenacc.noauthzhost    localhost.localdomain
# VOBOX
alicetokenacc.noauthzhost    grid01.aligrid.hiroshima-u.ac.jp
# MGMs
#alicetokenacc.noauthzhost   grid04.aligrid.hiroshima-u.ac.jp
#alicetokenacc.noauthzhost   grid05.aligrid.hiroshima-u.ac.jp
#alicetokenacc.noauthzhost   grid06.aligrid.hiroshima-u.ac.jp

# FSTs
#alicetokenacc.noauthzhost   nfs11.aligrid.hiroshima-u.ac.jp
#alicetokenacc.noauthzhost   nfs12.aligrid.hiroshima-u.ac.jp
#alicetokenacc.noauthzhost   nfs13.aligrid.hiroshima-u.ac.jp

###########################################################
#mgmofs.trace all debug

# this URL can be overwritten by EOS_BROKER_URL defined in /etc/sysconfig/eos
mgmofs.broker root://eos.aligrid.hiroshima-u.ac.jp:1097//eos/

# this name can be overwritten by EOS_INSTANCE_NAME defined in /etc/sysconfig/eos
mgmofs.instance eoshu

# configuration, namespace , transfer and authentication export directory
mgmofs.configdir /var/eos/config
mgmofs.metalog /var/eos/md
mgmofs.txdir /var/eos/tx
mgmofs.authdir /var/eos/auth
mgmofs.archivedir /var/eos/archive
mgmofs.qosdir /var/eos/qos

# report store path
mgmofs.reportstorepath /var/eos/report

# this defines the default config to load
mgmofs.autoloadconfig default
mgmofs.autosaveconfig true

# QoS configuration file
# mgmofs.qoscfg /var/eos/qos/qos.conf

###########################################################
# Config Engine Configuration
mgmofs.cfgtype quarkdb

# this has to be defined if we have a failover configuration via alias - can be overwritten by EOS_MGM_ALIAS in /etc/sysconfig/eos
mgmofs.alias eos.aligrid.hiroshima-u.ac.jp
###########################################################
# Set the FST gateway host and port
# mgmofs.fstgw someproxy.cern.ch:3001

#-------------------------------------------------------------------------------
# Configuration for the authentication plugin EosAuth
#-------------------------------------------------------------------------------
# Set the number of authentication worker threads running on the MGM
mgmofs.auththreads 16

# Set the front end port number for incoming authentication requests
#mgmofs.authport 15555

# By default we listen only on localhost connections - set to 0 if you want to allow remote access
#mgmofs.authlocal 1

#-------------------------------------------------------------------------------
# Set the namespace plugin implementation
#-------------------------------------------------------------------------------
mgmofs.nslib /usr/lib64/libEosNsQuarkdb.so

# Quarkdb custer configuration used for the namespace
mgmofs.qdbcluster grid04.aligrid.hiroshima-u.ac.jp:7777 grid05.aligrid.hiroshima-u.ac.jp:7777 grid06.aligrid.hiroshima-u.ac.jp:7777
mgmofs.qdbpassword_file /etc/quarkdb.pass

#-------------------------------------------------------------------------------
# Configuration for the MGM workflow engine
#-------------------------------------------------------------------------------

# The SSI protocol buffer endpoint for notification messages from "proto" workflow actions
#mgmofs.protowfendpoint HOSTNAME.2NDLEVEL.TOPLEVEL:10955
#mgmofs.protowfresource /SSI_RESOURCE

# Use gRPC?
# mgmofs.protowfusegrpc true

if exec xrootd
    xrd.protocol XrdHttp:8443 libXrdHttp.so
    http.exthandler EosMgmHttp libEosMgmHttp.so eos::mgm::http::redirect-to-https=1
    http.trace  false

    # host cert required !!!
    http.exthandler xrdtpc libXrdHttpTPC.so
    xrd.tls  /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem
    xrd.tlsca  certdir /etc/grid-security/certificates/

    # X509 Stuff
    # http.secxtractor  libXrdVoms.so
    # http.gridmap  /etc/grid-security/grid-mapfile

    # Macaroons
    # mgmofs.macaroonslib  libXrdMacaroons.so libXrdAccSciTokens.so
    # macaroons.secretkey  /etc/eos.macaroon.secret
    # macaroons.trace  all
fi

xrootd.monitor all flush 60s window 30s dest files info user grid01.aligrid.hiroshima-u.ac.jp:9930

Hello Takuma,

Thanks for your reply.
We checked and followed your steps in xrd.cf.mgm and xrd.cf.fst as well as /etc/sysconfig/eos_env and /etc/sysconfig/eos. After changing the parameters in the above-mentioned files, it seems that some things are quite different in the xrdlog.mgm log of the mgm. But now we face errors like:

260427 13:05:18 55577 XrootdXeq: User authentication failed; Decryption key not found.
260427 13:05:18 time=1777275318.962972 func=IdMap level=INFO logid=static… unit=mgm@eos-mgm.tier2-kol.res.in:1094 tid=00007f8b9f1fc640 source=Mapping:1070 tident= sec=(null) uid=0 gid=0 name=- geo=“” xt=“” ob=“” sec.prot=unix sec.name=“alienmaster” sec.host=“alientest02.cern.ch” sec.vorg=“” sec.grps=“alienmaster” sec.role=“” sec.info=“” sec.app=“” sec.tident=“alienmas.2991817:432@alientest02.cern.ch” vid.uid=10367 vid.gid=1395 sudo=0 gateway=0

and

[root@eos-mgm ~]# eos -b root://eos.aligrid.hiroshima-u.ac.jp whoami
error: MGM root://eos.aligrid.hiroshima-u.ac.jp not online/reachable
[root@eos-mgm ~]# eos root://localhost whoami
Virtual Identity: uid=0 (0,3,65534) gid=0 (0,4,65534) [authz:sss] sudo* host=localhost domain=localdomain
[root@eos-mgm ~]#

Also, in your output of “eos localhost whoami”, i.e.
[root@grid04 ~]# eos root://localhost whoami
Virtual Identity: uid=0 (0,2,3,65534) gid=0 (0,2,4,65534) [authz:sss] sudo* host=localhost domain=localdomain
[root@grid04 ~]#

uid and gid both contain 2 and 2 for SSS authorization. Also, both contain 4 values, i.e. 0,2,3,65534. But in our case, it is not seen and they contain 3 values, i.e. 0,3,65534.

Please clarify it.

Also, please tell me about the permissions of /etc/grid-security/xrootd/*.pem. Are those files copies of hostcert.pem and hostkey.pem?

Please reply. I am waiting for you.

Thanks
Prasun

Hi Prasun,

Could you check ls -la /etc/eos.keytab on your server?
In our case, the ownership and permissions are as follows.

[root@grid04 ~]# ls -la /etc/eos.keytab
-r--------. 1 daemon daemon 135 Jun 11  2025 /etc/eos.keytab

Please ensure the files are consistent across all nodes. (e.g. sha256sum /etc/eos.keytab)

On /etc/grid-security/xrootd/, I set all files from here. (like this topic)
And, these are our permissions of

[root@grid04 ~]# ll /etc/ | grep grid
drwxr-xr-x.  5 root   root      112 Nov 25 16:28 grid-security
[root@grid04 ~]# ll /etc/grid-security/ | grep xrootd
drwx------. 2 daemon   daemon     138 Oct  6  2025 xrootd

And also the *.pem files are
[root@grid04 ~]# ll /etc/grid-security/xrootd

-rw-r--r--. 1 daemon daemon 284 Oct  6  2025 TkAuthz.Authorization
-rw-r--r--. 1 daemon daemon 887 Oct  6  2025 privkey.pem
-rw-r--r--. 1 daemon daemon 765 Oct  6  2025 pubkey.pem

We set hostcert.pem and hostkey.pem in /etc/grid-security; maybe this depends on your configuration file (xrd.cf.mgm).

Cheers,
Takuma
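
Added example, not part of the thread or of EOS: a shell audit of the mode bits discussed in the first post (the xrootd directory shown at 0600 and then at 0700) and in the listings above. A directory without the owner search (x) bit cannot be entered, so files inside it cannot be opened whatever their own modes are. The function names and the pass/fail policy are assumptions of this example; the expected modes are the ones shown in the thread.

```shell
#!/usr/bin/env bash
# Added example: audit mode bits of the token-authorization directory and the
# sss keytab. Function names and the pass/fail policy are assumptions.

# Print the 10-character mode string of a path, e.g. "drwx------".
mode_of() {
    ls -ld -- "$1" 2>/dev/null | cut -c1-10
}

# Print the owner name of a path (third field of "ls -ld").
owner_of() {
    ls -ld -- "$1" 2>/dev/null | awk '{print $3}'
}

# check_mode PATH GLOB MESSAGE: return 1 unless the mode string matches GLOB.
check_mode() {
    local path="$1" glob="$2" msg="$3" m
    m=$(mode_of "$path")
    if [ -z "$m" ]; then
        echo "FAIL  ---------- $path: missing or not reachable"
        return 1
    fi
    case $m in
        $glob) echo "OK    $m $path" ;;
        *)     echo "FAIL  $m $path: $msg"; return 1 ;;
    esac
}

# audit_token_layout DIR KEYTAB [OWNER]
# Returns 0 when every check passes, non-zero otherwise.
audit_token_layout() {
    local dir="$1" keytab="$2" owner="${3:-}" failures=0 f m
    # Without the owner search bit nothing inside DIR can be opened, so the
    # per-file checks would say nothing useful: stop here.
    check_mode "$dir" 'd??[xs]??????' "owner lacks the search (x) bit" || return 1

    for f in pubkey.pem privkey.pem TkAuthz.Authorization; do
        check_mode "$dir/$f" '-r????????' "owner cannot read the file" \
            || failures=$((failures + 1))
        if [ -n "$owner" ] && [ "$(owner_of "$dir/$f")" != "$owner" ]; then
            echo "FAIL  $dir/$f: owner is not $owner"
            failures=$((failures + 1))
        fi
    done

    # A private key with group/other bits set is shielded only by a parent
    # directory that gives group/other nothing: warn then, fail otherwise.
    m=$(mode_of "$dir/privkey.pem")
    case $m in
        -???------|'') ;;
        *)  case $(mode_of "$dir") in
                d???------)
                    echo "WARN  $m $dir/privkey.pem: protected only by the directory mode" ;;
                *)
                    echo "FAIL  $m $dir/privkey.pem: reachable by group/other"
                    failures=$((failures + 1)) ;;
            esac ;;
    esac

    # Policy of this example: the keytab matches the -r-------- mode shown in
    # the thread, i.e. no group/other access at all.
    check_mode "$keytab" '-r??------' "keytab has group/other access or is unreadable" \
        || failures=$((failures + 1))

    [ "$failures" -eq 0 ]
}

# Constructed sample tree (not real keys): the audit must fail with the
# directory at 0600 and pass once it is 0700.
demo_constructed_tree() {
    local tmp rc=0 f
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/xrootd"
    for f in pubkey.pem TkAuthz.Authorization; do
        : > "$tmp/xrootd/$f"; chmod 644 "$tmp/xrootd/$f"
    done
    : > "$tmp/xrootd/privkey.pem"; chmod 600 "$tmp/xrootd/privkey.pem"
    : > "$tmp/eos.keytab";         chmod 400 "$tmp/eos.keytab"

    chmod 600 "$tmp/xrootd"
    if audit_token_layout "$tmp/xrootd" "$tmp/eos.keytab" >/dev/null; then rc=1; fi
    chmod 700 "$tmp/xrootd"
    if ! audit_token_layout "$tmp/xrootd" "$tmp/eos.keytab" >/dev/null; then rc=1; fi

    rm -rf "$tmp"
    return $rc
}
```

On a node, the call would be `audit_token_layout /etc/grid-security/xrootd /etc/eos.keytab daemon`, run on each MGM and FST.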

Hello Takuma,

Thanks for your reply.
I checked and found that all the parameters have the same permissions as you suggested.

But the error, i.e. “User authentication failed; Decryption key not found”, is still seen in xrdlog.fst and xrdlog.mgm. Also, another error, i.e. “Auth failed: No protocols left to try”, is seen in xrdlog.mgm.

I have no clue about resolving this issue.

Thanks
Regards
Prasun

Again Hello Takuma,

Can you share the “/etc/sysconfig/eos_env” of the FST server for Hiroshima::EOS? Another query: are you using tokens in EOS?

Regards
Prasun

Hi @prasun, note that /etc/sysconfig/eos_env and the settings in /etc/eos are to be used differently: the /etc/eos configuration files are to be used, AFAIK, with eos5@ services, while the old eos@ files use the eos_env and /etc/xrd.cf. files. See more here: 4.4. Configuration — EOS DIOPSIDE documentation
What eos services are you using?
For reference, my configs are these: Index of /asevcenc/eos-cfg
and I use eos@.service files (sort of, as I rewrote them for my needs)

Dear Adrian,

We are using eos5-@service i.e. eos5-mgm@mgm and eos5-fst@fst.

==========

EOS_SERVER_VERSION=5.3.32 EOS_SERVER_RELEASE=1
EOS_CLIENT_VERSION=5.3.32 EOS_CLIENT_RELEASE=1

==========
After upgrading EOS v5.1 to v5.3, we configured the eos config parameters under /etc/eos/config and did not touch /etc/xrd.cf.{mgm,fst,qdb}. At that time, the logs were filled with many permission errors, i.e. 3005, 3010, etc.
But after the correction of the parameters in /etc/xrd.cf.{mgm,fst,qdb} and /etc/sysconfig/eos_env,
most of the errors were gone.
But now we face errors like “User authentication failed; Decryption key not found” in xrdlog.fst and xrdlog.mgm. Also, another error, i.e. “Auth failed: No protocols left to try”, is seen in xrdlog.mgm.

I have no clue about resolving this issue.
I have already cross-checked your parameters with Kolkata EOS.
Most are corrected.

Regards
Prasun

Hi Prasun,

Sorry for the late reply. I have been preoccupied with a fellowship application recently.

Regarding EOS service, we are using eos@mgm.service, eos@fst.service and xrootd@quarkdb0.service.
And our version is here.

EOS_SERVER_VERSION=5.3.19 EOS_SERVER_RELEASE=1
EOS_CLIENT_VERSION=5.3.19 EOS_CLIENT_RELEASE=1

So, we have configuration files in /etc/sysconfig/eos_env and /etc/xrd.cf.mgm and fst.
I have this configuration file on the FSTs.

cat /etc/sysconfig/eos_env
# Make sure that EOS-xrootd libs can be directly found
LD_LIBRARY_PATH=/opt/eos/xrootd/lib64

# Should we run with another limit on the core file size other than the default?
DAEMON_COREFILE_LIMIT=unlimited

# Preload jemalloc
LD_PRELOAD=/usr/lib64/libjemalloc.so

# Disable the KRB5 replay cache
KRB5RCACHETYPE=none

EOS_FST_POSIX_FALLOCATE=1

# What roles should the xroot daemon run for. For each role you can overwrite the default options using a dedicate sysconfig file e.g. /etc/sysconfig/xrd.<role>.
# The role based mechanism allows for multiple xrd's running with different options to be controlled via the same systemd script

#-------------------------------------------------------------------------------
# EOS roles - Systemd Services
#-------------------------------------------------------------------------------
XRD_ROLES="fst"

#-------------------------------------------------------------------------------
# EOS Configuration
#-------------------------------------------------------------------------------

# The fully qualified hostname of current MGM
EOS_MGM_HOST='eos.aligrid.hiroshima-u.ac.jp'

# The fully qualified hostname of target MGM
# EOS_MGM_HOST_TARGET="grid05.aligrid.hiroshima-u.ac.jp"

# The EOS instance name N.B.! It MUST start with "eos" and then some alphanumeric characters
# This is important since there are some special files and directories created inside the /eos/<instance_name> subtree
# indispensable for the proper functioning of the instance.
EOS_INSTANCE_NAME='eoshu'

# The EOS configuration to load after daemon start
EOS_AUTOLOAD_CONFIG=default

# The EOS broker URL ; FOR FST USAGE USE THE FQDN OF THE MQ!!!!!
#20250805
EOS_BROKER_URL="root://eos.aligrid.hiroshima-u.ac.jp:1097//eos/"
#EOS_BROKER_URL="root://localhost:1097//eos/"

# The EOS host geo location tag used to sort hosts into geographical (rack) locations
# !!! REQUIRED !!! list of ":" separated tokens of up to 8 chars
EOS_GEOTAG="HU::ALICE"

# The fully qualified hostname of MGM master1
EOS_MGM_MASTER1='eos.aligrid.hiroshima-u.ac.jp'

# The fully qualified hostname of MGM master2
EOS_MGM_MASTER2='eos.aligrid.hiroshima-u.ac.jp'

# The alias which selects master 1 or 2
EOS_MGM_ALIAS='eos.aligrid.hiroshima-u.ac.jp'

# In HA mode, presence of this env enables the redirection of the read traffic from the slaves to the master
# EOS_HA_REDIRECT_READS=1

# The mail notification in case of fail-over
EOS_MAIL_CC="matsumoto@quark.hiroshima-u.ac.jp"
EOS_NOTIFY="mail -s $(date +%s)-$(hostname)-eos-notify $EOS_MAIL_CC"

# Enable core dumps initiated internally
#EOS_CORE_DUMP

# Disable shutdown/signal handlers for debugging
#EOS_NO_SHUTDOWN

# Enable coverage report signal handler
#EOS_COVERAGE_REPORT

# Enable QoS support
#EOS_ENABLE_QOS=""

# Allow UTF-8 path names excluding only CR,LF
#EOS_UTF8=""

# Add secondary group information from database/LDAP (set to 1 to enable)
#EOS_SECONDARY_GROUPS=0

# Do subtree accounting on directories (set to 1 to enable)
EOS_NS_ACCOUNTING=1

# Do sync time propagation (set to 1 to enable)
#EOS_SYNCTIME_ACCOUNTING=0

# Use std::shared_timed_mutex for the RWMutex implementation - uncomment to enable.
EOS_USE_SHARED_MUTEX=1

# By default statvfs reports the total space if the path deepness is < 4; If you want to report only quota accounting you can define
# EOS_MGM_STATVFS_ONLY_QUOTA=1

# If you only want to report the space accounting you can define
# EOS_MGM_STATVFS_ONLY_SPACE=1

# If variable defined then enable the use of xrootd connection pool
# i.e. create/share different physical connections for transfers to the same destination xrootd server. By default this is disabled.
# This applies both in context of the MGM server when it comes to TPC jobs and also on the FST server for FST to FST transfers.
# EOS_XRD_USE_CONNECTION_POOL=1

# When xrootd connection pool is enabled, one can control the maximum number of physical connection that can be established with the destination server.
# The min value is 1 and the max 1024. By default this 1024.
# EOS_XRD_CONNECTION_POOL_SIZE=64

EOS_USE_MQ_ON_QDB=1
#-------------------------------------------------------------------------------
# FST Configuration
#-------------------------------------------------------------------------------

# Disable 'sss' enforcement to allow generic TPC
EOS_FST_NO_SSS_ENFORCEMENT=1

# Network interface to monitor (default eth0)
EOS_FST_NETWORK_INTERFACE="enp193s0f1"

# Specify in seconds how often FSTs should query for new delete operations
EOS_FST_DELETE_QUERY_INTERVAL=300

# Disable fast boot and always do a full resync when a fs is booting (default off)
# EOS_FST_NO_FAST_BOOT=0

# If variable defined then enable the use of xrootd connection pool i.e. create/share different physical connections for queries done from the FST
# to the MGM in the CallManager method. By default this is disabled.
# EOS_FST_CALL_MANAGER_XRD_POOL=1

# If CallManager xrootd connection pool is enabled one can set the maximum size of the pool of connections.
# The min value is 1, the max value is 32. By default the value is 10.
# EOS_FST_CALL_MANAGER_XRD_POOL_SIZE=16

# If variable defined use asynchronous (double-buffered) reading in TPCs - By default it is undefined = disabled
# EOS_FST_TPC_READASYNC=1

# Modify the TPC key validity which by default is 120 seconds
# EOS_FST_TPC_KEY_VALIDITY_SEC=120

# Control the asynchronous callback on close, if undefined or 0 then disabled, else if 1 then enabled.
# EOS_FST_ASYNC_CLOSE=0

# When asynchronous callback on close is enabled, one can use the following env variable to control
# the minimum size of files for which this gets triggered. If not specified then the values is 0 bytes.
# EOS_FST_ASYNC_CLOSE_MIN_SIZE_BYTES=0

# Enable internal stacktrace printing in the logs - this is useful especially for container environments where abrtd is not running
# EOS_FST_ENABLE_STACKTRACE=1

# Enable async writes between replicas - this can improve the performance for FSTs with long latency.
# EOS_FST_REPLICA_ASYNC_WRITE=1

# If this variable is present then deletion requests coming from the Fsck engine are actually
# performed as a move on the file system mount in a special directory called .eosdeletions. By default disabled.
# EOS_FST_FSCK_DELETE_BY_MOVE=1

# This variable overwrites the FST hostname in MGM redirection - use it when the internal name is different from the external name
# EOS_FST_ALIAS=""

# This variable overwrites the FST port in MGM redirection - use it when the internal name is different from the external name
# EOS_FST_PORT_ALIAS=1094

# Enable XrdIo read-ahead functionality. By default disabled ie. 0.
# EOS_FST_XRDIO_READAHEAD=0

# Force disable XrdIo read-ahead even if this is enabled by using the above env variable or through the fst.readahead opaque information.
# By default disabled ie. 0 This can be useful in case read-ahead needs to be disabled instance wide.
# EOS_FST_XRDIO_READAHEAD_FORCE_DISABLE=0

# In case XrdIo read-ahead is enabled this can control the number of blocks that are pre-fetched. By default this is set to 2.
# EOS_FST_XRDIO_READAHEAD_BLOCKS=2

# In case XrdIo read-ahead is enabled this controls the block size of requests that are pre-fetched. By default this is set to 1024*1024 (1MB).
# EOS_FST_XRDIO_READAHEAD_BLOCK_SIZE=1024*1024

# XFS filesystems will use file allocation, other filesystems like EXT4 and BTRFS will not use fallocation
# unless the following variable is defined (the value is not considered)

#-------------------------------------------------------------------------------
# GRPC Configuration
#-------------------------------------------------------------------------------

# GRPC port - set to 0 to disable GRPC
# EOS_MGM_GRPC_PORT=50051

# GRPC security - define to enable SSL server
# EOS_MGM_GRPC_SSL_CERT
# EOS_MGM_GRPC_SSL_KEY
# EOS_MGM_GRPC_SSL_CA

#-------------------------------------------------------------------------------
# REST API dedicated GRPC service
#-------------------------------------------------------------------------------

# Enable the REST API support. The effect of this env variable depends if the code has been built with grpc-gateway (eos-grpc-gateway) support or not.
# To have a fully functional REST API both conditions (built-in support and env variable set to 1) need to be satisfied. Disabled by default i.e. 0.
EOS_MGM_ENABLE_REST_API=1

# Set the port for the internal GRPC server handling the REST API requests. Default value is 500054.
EOS_MGM_REST_GRPC_PORT=50054

#-------------------------------------------------------------------------------
# FUSEX Configuration
#-------------------------------------------------------------------------------

# Listener port of the ZMQ server used by FUSEx
# EOS_MGM_FUSEX_PORT=1100

# Maximum number of 'listable' children
# EOS_MGM_FUSEX_MAX_CHILDREN=32768

#-------------------------------------------------------------------------------
# QuarkDB Configuration
#-------------------------------------------------------------------------------
EOS_USE_QDB_MASTER=1

#-------------------------------------------------------------------------------
# MGM TTY Console Broadcast Configuration
#-------------------------------------------------------------------------------

# define the log file where you want to grep
EOS_TTY_BROADCAST_LISTEN_LOGFILE="/var/log/eos/mgm/xrdlog.mgm"

# define the log file regex you want to broadcast to all consoles
EOS_TTY_BROACAST_EGREP="\"CRIT|ALERT|EMERG|PROGRESS\""

#-------------------------------------------------------------------------------
# MGM Namespace Preset Size - this can save memory for large namespaces if you know an upper limit for the namespace size
#-------------------------------------------------------------------------------
# EOS_NS_DIR_SIZE=1000000
# EOS_NS_FILE_SIZE=1000000

# ------------------------------------------------------------------
# MGM Boot options
# ------------------------------------------------------------------

# uncomment to avoid mmaping a changelog file
# EOS_NS_BOOT_NOMMAP

# uncomment to speed up the scanning phase skipping CRC32 computation
EOS_NS_BOOT_NOCRC32=1

# uncomment to allow a multi-threaded boot process using maximum number of cores available
EOS_NS_BOOT_PARALLEL=1

# ------------------------------------------------------------------
# MGM FUSE configuration
# ------------------------------------------------------------------

# uncomment to change the minimum needed size available to create a new file
# EOS_MGM_FUSE_BOOKING_SIZE = 5368709120

# ------------------------------------------------------------------
# MGM 'xrdfs query space' configuration
# ------------------------------------------------------------------

# uncomment to set the EOS space name to be used by 'xrdfs query space' commands that do not explicitly specify an EOS space name
EOS_MGM_STATVFS_DEFAULT_SPACE="default"

# ------------------------------------------------------------------
# MGM Directory Listing Cache configuration

# set to 0 to disable listing cache for 'xrdfs ls' and 'eos ls', or a number with the number of dirs to cache
# EOS_MGM_LISTING_CACHE=1024

# ------------------------------------------------------------------
# MGM OIDC configuration
# ------------------------------------------------------------------

# by default the sub field is mapped from OIDC tokens
# EOS_MGM_OIDC_MAP_FIELD=sub

# by default (undefined) the server certificate and hostname are verified, to skip this, define
# EOS_MGM_OIDC_INSECURE=1

# ------------------------------------------------------------------
# MGM token generation configuration
# ------------------------------------------------------------------

# by default the token generation key is derived from an sss key
# EOS_MGM_TOKEN_KEYFILE=/etc/eos/token.key

# ------------------------------------------------------------------
# MGM Device Tracking
# ------------------------------------------------------------------
# change the interval at which the MGM takes out compressed JSON S.M.A.R.T info and publishes them
EOS_MGM_DEVICES_PUBLISHING_INTERVAL=900

# ------------------------------------------------------------------
# MGM SciToken Cache
# ------------------------------------------------------------------
XDG_CACHE_HOME=/var/tmp/

When I setup EOS system in Hiroshima Tier-2, I referred to Adrian’s configuration files.
I hope this helps.

Cheers
Takuma

Hi Prasun,

I hope you are doing well. First of all, I wanted to check if you have managed to resolve the EOS MGM authentication issue we discussed earlier?

If the issue still persists, I have an additional point we should verify. Looking closely at the eos root://localhost whoami results, uid=2 and gid=2 are completely missing on the eos-mgm server compared to grid04:

  • grid04: uid=0 (0,2,3,65534) gid=0 (0,2,4,65534)

  • eos-mgm: uid=0 (0,3,65534) gid=0 (0,4,65534)

I knew that uid=2/gid=2 is typically mapped to the standard system daemon account. To see if a mismatch here is causing the identity mapping failure, could you please check if the daemon account exists (of course, it should already exist) on the eos-mgm server and what its unix UID/GID number is?

In addition, could you please share the output of the eos vid ls command from the eos-mgm server as well? It seems we don’t have access to this information yet, and comparing it with grid04 will help us confirm if the sudoer mapping rules are identical.
sudoer => uids(daemon)

Regards,

Geonmo Ryu

Hi Geonmo,

Thanks for your attention.
We are fine and hope that you are also fine.

I have shared the output of “eos vid ls”:

=============================
[root@eos-mgm ~]# eos vid ls
https:“”:gid => root
https:“”:uid => root
publicaccesslevel: => 1024
sss:“”:gid => root
sss:“”:uid => root
sudoer => uids(daemon)
tokensudo => always
unix:“”:gid => alice
unix:“”:uid => aliprod
[root@eos-mgm ~]# eos root://localhost whoami
Virtual Identity: uid=0 (0,3,65534) gid=0 (0,4,65534) [authz:sss] sudo* host=localhost domain=localdomain
[root@eos-mgm ~]# eos root://eoskolkata.tier2-kol.res.in whoami
Virtual Identity: uid=65534 (65534) gid=65534 (65534) [authz:sss] host=eos-mgm.tier2-kol.res.in domain=tier2-kol.res.in
[root@eos-mgm ~]#

==============================

After applying some suggestions and tips from Takuma (who shared most of the config) and Adrian Sevcenco, Kolkata::EOS2 now seems to be online.

But some authentication issues are still live. When we try to copy a file from eos (mgm) to /tmp (locally), it shows a 3010 error. And if we run eosadmin -b fs ls (from an FST), it shows a 3010 permission error.

[root@eos05 ~]# eosadmin -b fs ls
error: errc=3010 msg="[ERROR] Error response: permission denied"
[root@eos05 ~]#

[root@eos-mgm ~]# eos -b file info /eos/alicekolkata/grid/00/65278/fbbef312-2658-11ec-ad5c-7b5f5f28be11
File: '/eos/alicekolkata/grid/00/65278/fbbef312-2658-11ec-ad5c-7b5f5f28be11' Flags: 0664
Size: 40987342
Status: locations::incomplete
Modify: Wed Oct 6 09:24:17 2021 Timestamp: 1633492457.384080000
Change: Wed Oct 6 09:24:16 2021 Timestamp: 1633492456.920868148
Access: Thu Jan 1 05:30:00 1970 Timestamp: 0.000000000
Birth: Wed Oct 6 09:24:16 2021 Timestamp: 1633492456.920868148
CUid: 10367 CGid: 1395 Fxid: 040e057a Fid: 68027770 Pid: 12948 Pxid: 00003294
XStype: adler XS: a2 91 ce 6a ETAGs: "18261065460613120:a291ce6a"
Layout: raid6 Stripes: 6 Blocksize: 1M LayoutId: 20640542 Redundancy: d2::t0
#Rep: 5
┌───┬──────┬────────────────────────┬────────────────┬────────────────┬──────────┬──────────────┬────────────┬────────┬────────────────────────┐
│no.│ fs-id│                    host│      schedgroup│            path│      boot│  configstatus│       drain│  active│                  geotag│
└───┴──────┴────────────────────────┴────────────────┴────────────────┴──────────┴──────────────┴────────────┴────────┴────────────────────────┘
   0    102   eos07.tier2-kol.res.in       default.14          /xdata8     booted             rw      nodrain   online            Kolkata::EOS2
   1    100   eos08.tier2-kol.res.in       default.14          /xdata8     booted             rw      nodrain   online            Kolkata::EOS2
   2     99   eos04.tier2-kol.res.in       default.14          /xdata8     booted             rw      nodrain   online            Kolkata::EOS2
   3    101   eos05.tier2-kol.res.in       default.14          /xdata8     booted             rw      nodrain   online            Kolkata::EOS2
   4    103   eos06.tier2-kol.res.in       default.14          /xdata8     booted             rw      nodrain   online            Kolkata::EOS2


[root@eos-mgm ~]# /opt/eos/xrootd/bin/xrdcp -f -d 1 root://localhost:1094//eos/alicekolkata/grid/00/65278/fbbef312-2658-11ec-ad5c-7b5f5f28be11 /tmp/.
[0B/0B][100%][==================================================][0B/s]
Run: [ERROR] Server responded with an error: [3010] Unable to open file /eos/alicekolkata/grid/00/65278/fbbef312-2658-11ec-ad5c-7b5f5f28be11; Operation not permitted (source)

[root@eos-mgm ~]#

So, please suggest us.

Regards
Prasun Singh Roy

Currently the eos version on the fst is 5.3.19. On mgm and quarkdb, the eos version is 5.3.32.

Dear Prasun,

After the latest changes the storage works again. Thanks a lot for that!

However it does work only because the auth plugin is not loaded correctly. In fact ALL operations are allowed without a token. You can test this with a xrdcp command, ie.

$ xrdcp -f /etc/hostname root://eoskolkata.tier2-kol.res.in:1094//00/000000/test
[5B/5B][100%][==================================================][2B/s]

Please check if the plugin is correctly loaded and it manages to find and load the storage keys. Check the permissions on the keys to make sure that the EOS daemons can read them. Failing to read the files leads to no auth being enforced so access is left wide open!

Cheers,

.costin
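
The check described in the post above (is the authorization plugin really loaded, and can the daemon account read the keys), as an added example that is not part of the original thread and not EOS code. The log strings and key file names are the ones quoted earlier in this thread; the function names are hypothetical, GNU `stat` is assumed, and only plain mode bits are evaluated (no ACLs or SELinux).

```shell
#!/bin/sh
# Added example (not EOS code). Log strings, key file names and start-up lines
# come from this thread; function names and the demo files are constructed.

# State of the LAST plugin start in an MGM log: ok | failed | absent.
authz_log_state() {
    awk '/AliceTokenAcc \(Alice Token Access Authorization\)/ { s = "ok" }
         /Cannot load public key|AliceTokenAcc Initialization Failed/ { s = "failed" }
         /Failed to get external authorization plugin object/ { s = "failed" }
         END { print (s == "" ? "absent" : s) }' "$1"
}

# Permission bits of FILE as three octal digits (GNU stat assumed).
mode3() { m=$(stat -c '%a' "$1") || return 1; printf '%03d' "$((m % 1000))"; }

# Succeeds if USER may read FILE by owner/group/other bits (ACLs, SELinux ignored).
key_readable_by() {
    [ -f "$1" ] || return 1
    m3=$(mode3 "$1") || return 1
    u=${m3%??}; g=${m3#?}; g=${g%?}; o=${m3#??}
    if [ "$(stat -c '%U' "$1")" = "$2" ]; then [ "$u" -ge 4 ]; return; fi
    if id -Gn "$2" 2>/dev/null | tr ' ' '\n' | grep -qx "$(stat -c '%G' "$1")"; then
        [ "$g" -ge 4 ]; return
    fi
    [ "$o" -ge 4 ]
}

# Succeeds only if the private key has no group/other permission bits.
key_private_ok() { m3=$(mode3 "$1") || return 1; [ "${m3#?}" = "00" ]; }

# authz_enforced LOG PUBKEY PRIVKEY USER: print findings, return 0 only if none.
authz_enforced() {
    rc=0; state=$(authz_log_state "$1")
    [ "$state" = ok ] || { echo "FAIL: authz plugin state in $1 is '$state'"; rc=1; }
    for k in "$2" "$3"; do
        key_readable_by "$k" "$4" || { echo "FAIL: $4 cannot read $k"; rc=1; }
    done
    key_private_ok "$3" || { echo "FAIL: $3 is open to group/other"; rc=1; }
    return "$rc"
}

# Demo on constructed files, using the failing start-up lines quoted in the thread.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
      '++++++ (c) 2008 CERN/IT-DM-SMD AliceTokenAcc (Alice Token Access Authorization) v 1.0' \
      '=====> XrdAliceTokenAcc: Cannot load public key !' \
      '------ AliceTokenAcc Initialization Failed!' > "$d/xrdlog.mgm"
    : > "$d/pubkey.pem"; : > "$d/privkey.pem"
    chmod 644 "$d/pubkey.pem"; chmod 600 "$d/privkey.pem"
    authz_enforced "$d/xrdlog.mgm" "$d/pubkey.pem" "$d/privkey.pem" "$(stat -c '%U' "$d/pubkey.pem")"
    r=$?; rm -rf "$d"; return "$r"
}
demo || echo "authorization is NOT being enforced"
```

An "absent" state is treated as a failure on purpose: a log with no plugin banner at all means nothing is checking tokens, which is the open-access condition described above.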