XRootD GSI/VOMS lost on an EOS instance


For some reason that I cannnot understand, the GSI/VOMS access to our EOSCTA dev instance is lost. The error that appears on the client is

-bash-4.2$ xrdcp random_100MB root://antares-dev.stfc.ac.uk//eos/antaresdev/prod/dteam/george/random_100MB
[ERROR] Server responded with an error: [3010] Unable to give access - user access restricted - unauthorized identity used ; Permission denied

Looking at the MGM log, I can see that VOMS attribute extraction and the mapping to an existing user is successful. However, I did notice the following line that I cannot see in the logs of our other instances where XRootD GSI access works without an issue.

240508 10:19:37 time=1715159977.833706 func=stat level=ERROR logid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx unit=mgm@antares-eos14.scd.rl.ac.uk:1094 tid=00007f3b58636700 source=Stat:87 tident= sec=gsi uid=36300 gid=24311 name=dteam001 geo=“” user access restricted - unauthorized identity vid.uid=36300, vid.gid=24311, vid.host=“lcgui06.gridpp.rl.ac.uk”, vid.tident="georgep.1060063:410@lcgui06.gridpp.rl.ac.uk" for path=“/eos/antaresdev/prod/dteam/george/random_100MB” user@domain=“dteam001@gridpp.rl.ac.uk

followed by

240508 10:19:37 time=1715159977.834516 func=Emsg level=ERROR logid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx unit=mgm@antares-eos14.scd.rl.ac.uk:1094 tid=00007f3b58636700 source=XrdMgmOfs:844 tident= sec= uid=0 gid=0 name= geo=“” Unable to give access - user access restricted - unauthorized identity used ; Permission denied

Can you please give me a clue what to do?

Following another post (Gsi pool account mapping), I tried this

redis-cli -p 9999 hdel eos-config:default “global:/config/eosantaresdev/mgm#AllowedUsers”

but it didnt work.


Hi Geroge,

You should never update the configuration directly in QuarkDB as this has no effect on the current configuration loaded in the MGM. In general, you should never touch QuarkDB directly but always through the MGM.

Probably doing eos access ls and if the dteam001 is not in the list of allowed uses will explain the issues that you have. Also what are the permissions on the directory you are trying to access?
eos ls -lrta /eos/antaresdev/prod/dteam/george/
eos attr ls /eos/antaresdev/prod/dteam/george/


Hi Elvin,

Good to know about not messing with QuarkDB directly -fortunatelly this is only a dev instance!

Dir permissions look ok to me

[root@antares-eos14 ~]# eos ls -lrta /eos/antaresdev/prod/dteam/george/
drwxrwxr-+ 1 dteam001 dteam 20516438016 Mar 26 12:04 .
drwxrwxr-+ 1 dteam001 dteam 5571635506159 Mar 26 12:04 …

[root@antares-eos14 ~]# eos attr ls /eos/antaresdev/prod/dteam/george/

I did notice that this user has been added (not present on any other of our EOS instances)

[root@antares-eos14 ~]# eos access ls

Allowd Users …

[ 01 ] alicesgm
[root@antares-eos14 ~]#

How can I remove this rule? Maybe this will fix the issue…


Indeed, after removing the user evertyhing works again!