[gridftp-user] Problems using CAS credentials with GridFTP enabled
kugrid globus
kugrid.globus at gmail.com
Sat Apr 8 13:05:41 CDT 2006
Mr Kettimuthu,
Thank you for your help. (Because I run everything on one
machine right now, but different users have different CAs.) I set the env
GLOBUS_HOSTNAME to 192.168.111.3 using the user globus (who starts the
grid-container). But I still got
the same error.
I tried running this command as "james":
globus-url-copy -dbg gsiftp://192.168.111.3/tmp/foo.2.txt
file:///home/james/foo.22.txt
That copies the file to /home/james/. And also if I try
some users like "tester" who are not in the "readGroup" in the CAS
database, they cannot copy that file. It seems to do the same job that
I want.
But are these two commands the same? (with or without "cas-wrap -p casProxy")
Thank you for your time.
Sincerely,
On 4/7/06, Raj Kettimuthu <kettimut at mcs.anl.gov> wrote:
>
> On Fri, 7 Apr 2006, kugrid globus wrote:
>
> > Mr Kettimuthu,
> >
> > Thank you for your reply. I did what you suggested.
> >
> > 1) I added "ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt"
> > as a new object with the namespace_nickname="FTPDirectoryTree".
> > 2) granted user group "readGroup" file read permissions: (see following)
> > 3) cas-proxy-init -c
> > "https://192.168.111.3:8443/wsrf/services/CASService" -s
> > "/O=Globus/OU=GT4CA-tirari.liih.org/CN=host/tirari.liih.org" -p
> > casProxy -debug
> >
> > I got:
> > ~~~~~~~~~~~~~~~~~~~~~~~
> > CAS client to generate restrictd proxy with CAS assertions.
> > instanceURL https://192.168.111.3:8443/wsrf/services/CASService
> > lifetime 86400
> > tag cas
> > new proxyFilename casProxy
> > policyFileName null
> > ......
> > <AuthorizationDecisionStatement Decision="Permit"
> > Resource="FTPDirectoryTree|ftp://192.168.111.3/tmp/foo.2.txt"><Subject><NameIdentifier
> > Format="#X509SubjectName"
> > ...
> > <Action Namespace="file">read</Action><Action
> > Namespace="cas">grantAll</Action></AuthorizationDecisionStatement>
> > ......
> > Completed successfully. Proxy written to casProxy
> > ~~~~~~~~~~~~~~~~~~~~~~
> > 4) cas-wrap -p casProxy globus-url-copy -dbg
> > gsiftp://192.168.111.3/tmp/foo.2.txt file:///home/james/foo.22.txt
> > but I got exactly the same result as before.
>
> Please try setting env GLOBUS_HOSTNAME to 192.168.111.3 on the node where
> you run the gridftp server. This should fix your problem. Let me know how
> it goes.
>
> >
> > I have some questions right now:
> > a) you said "FTPDirectoryTree is the namespace expected by the gridftp server."
> > So, is it correct that after I bootstrap the CAS, "FTPDirectoryTree"
> > was added into
> > the namespace_table, with the basename '.'? Should I modify it?
>
> You did the right thing here.
>
> >
> > b)when I add new object , should I add
> > "ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt"
> > or "gsiftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt"?
>
> "ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt"
>
> >
> > c) at the server machine, what are the correct permissions for this
> > /tmp/foo.2.txt file?
> > I used globus4user to create the file, and gave the permissions as:
> > -rw-r--r-- 1 globus4user globus4user 60 Apr 2 17:56 foo.2.txt.
> > The new user's name is james, not in globus4user's group. Is that correct?
>
> Since you have read permission for others and user james is only trying
> to read this file, it should be fine.
>
> >
> > Thank you so much.
> > Sincerely,
> >
> >
> > On 4/6/06, Raj Kettimuthu <kettimut at mcs.anl.gov> wrote:
> > > The gridftp server never actually sees the url that you type on the
> > > globus-url-copy command line; it creates a URL string that corresponds
> > > to the file you're trying to read and then does comparisons on the
> > > objects listed in the assertion in the CAS credential. So if the
> > > gridftp server sees that you're trying to read the file /tmp/foo.2.txt on
> > > that server, it generates the URL string
> > > "ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt", and then
> > > looks for entries in the CAS assertion that match that URL string. So
> > > your original command line was fine, but you need to go to the CAS server
> > > and grant permissions on
> > > "ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt", then do
> > > another cas-proxy-init, then do your original cas-wrapped globus-url-copy
> > > again.
> > >
> > > When you do cas-proxy-init, use -debug to check the assertion has the
> > > correct resource name. You should see
> > > Resource="FTPDirectoryTree|ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt
> > >
> > > FTPDirectoryTree is the namespace expected by the gridftp server.
> > >
> > > Hope this helps.
> > >
> > > Raj
> > >
> > > On Thu, 6 Apr 2006, kugrid globus wrote:
> > >
> > > > hi, all,
> > > > I want to configure the GridFTP server working with CAS.
> > > > I followed the following website:
> > > > http://www.globus.org/toolkit/docs/4.0/security/cas/WS_AA_CAS_HOWTO_Setup_GridFTP.html
> > > >
> > > > after I set up the CAS server, enabled CAS support in the GridFTP server,
> > > > created james as a new user, added him into the readGroup, and also
> > > > granted all groups the permission to read the file,
> > > > I want to transfer the file. I logged in as james, and I did:
> > > >
> > > > 1) grid-proxy-init
> > > > 2) cas-proxy-init -p casProxy
> > > > 3) cas-wrap -p casProxy globus-url-copy -dbg
> > > > gsiftp://192.168.111.3/tmp/foo.2.txt file:///home/james/foo.22.txt
> > > >
> > > > then I got:
> > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > Tag true: 2 Tag Proxy file casProxy
> > > > Proxy casProxy
> > > > Command line globus-url-copy -dbg
> > > > gsiftp://192.168.111.3/tmp/foo.2.txt file:///home/james/foo.22.txt
> > > > debug: starting to get gsiftp://192.168.111.3/tmp/foo.2.txt
> > > > ...
> > > > 220 tirari.liih.org GridFTP Server 2.1 (gcc32dbg, 1122653280-63) ready.
> > > > debug: authenticating with gsiftp://192.168.111.3/tmp/foo.2.txt
> > > > ...
> > > > 230 User james logged in.
> > > > debug: sending command:
> > > > SITE HELP
> > > > debug: response from gsiftp://192.168.111.3/tmp/foo.2.txt:
> > > > 214-The following commands are recognized:
> > > > ...
> > > > 214 End
> > > > debug: sending command:
> > > > ...
> > > > debug: response from gsiftp://192.168.111.3/tmp/foo.2.txt:
> > > > 500-Command failed. : authorization failed.
> > > > 500-globus_gsi_authz: Callout returned an error
> > > > 500-globus_callout_module: The callout returned an error
> > > > 500-globus_gsi_authz_gaa_callout.c:531: gaa_get_object_policy_info
> > > > returned GAA_S_NO_MATCHING_ENTRIES ()
> > > > 500 End.
> > > > ...
> > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > It seems the user doesn't have the privilege to access the file,
> > > > but I did add this "ftp://192.168.111.3/tmp/foo.2.txt" into the objects,
> > > > and gave the "read/write/lookup/create/delete" privilege to the user group
> > > > called "readGroup", and this user "James" is in that group.
> > > > So can you tell me what's wrong with it?
> > > >
> > > > Thanks for your patience. I am eager for your help.
> > > > I really appreciate it.
> > > >
> > > >
> > >
> >
> >
>
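The matching rule Raj describes in the quoted reply (the server ignores the gsiftp:// URL the client typed, builds its own "ftp://<host>/path" string, prefixes the FTPDirectoryTree namespace, and looks for that exact object in the CAS assertion) is what makes the host name in the CAS object matter. The following is an added example written for this page, not Globus Toolkit code and not part of the thread: it models that comparison so the four situations in the thread can be seen side by side. The GLOBUS_HOSTNAME override, the exact string comparison, and the "file:read" / "file:write" action names are assumptions drawn from the messages above, not the real GAA callout's implementation; the assertion data is constructed to mirror the cas-proxy-init -debug output quoted in the thread.

```python
# Added illustration of the CAS resource-name comparison described in the thread.
# NOT Globus Toolkit code: it models the behaviour the thread describes.
# Assumptions: GLOBUS_HOSTNAME overrides the FQDN the server puts in the URL,
# and the match is an exact comparison of "namespace|url" strings.
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

NAMESPACE = "FTPDirectoryTree"            # namespace the gridftp server expects (from the thread)
NO_MATCH = "GAA_S_NO_MATCHING_ENTRIES"    # status shown in the 500 response in the thread


@dataclass
class Assertion:
    """One AuthorizationDecisionStatement from a CAS proxy, as cas-proxy-init -debug prints it."""
    resource: str                                   # "FTPDirectoryTree|ftp://192.168.111.3/tmp/foo.2.txt"
    actions: Set[str] = field(default_factory=set)  # e.g. {"file:read"}
    decision: str = "Permit"


def server_resource_string(path: str, server_fqdn: str,
                           env: Optional[Dict[str, str]] = None) -> str:
    """URL string the server builds for the file it is asked to serve.

    The client-typed gsiftp:// URL is never used; the server names the object
    itself as ftp://<host><path>. The host is GLOBUS_HOSTNAME when set
    (assumption drawn from Raj's advice), otherwise the server's own FQDN.
    """
    env = dict(os.environ) if env is None else env
    host = env.get("GLOBUS_HOSTNAME", server_fqdn)
    return f"{NAMESPACE}|ftp://{host}{path}"


def authorize(path: str, server_fqdn: str, action: str,
              assertions: List[Assertion],
              env: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for one file operation under the modelled rule."""
    wanted = server_resource_string(path, server_fqdn, env)
    matching = [a for a in assertions if a.resource == wanted]
    if not matching:
        return False, NO_MATCH          # no object in the assertion names this file
    if any(a.decision == "Permit" and action in a.actions for a in matching):
        return True, "Permit"
    return False, "Deny"                # object matches, but the right is not granted


# Constructed assertion mirroring the one cas-proxy-init -debug printed in the thread.
JAMES_ASSERTIONS = [
    Assertion("FTPDirectoryTree|ftp://192.168.111.3/tmp/foo.2.txt", {"file:read"}),
]
SERVER_FQDN = "tirari.liih.org"     # host name from the 220 banner in the thread
FILE = "/tmp/foo.2.txt"


def demo() -> Dict[str, Tuple[bool, str]]:
    """The four cases the thread turns on."""
    return {
        # server names the object by FQDN, assertion names it by IP: nothing matches
        "fqdn_mismatch": authorize(FILE, SERVER_FQDN, "file:read", JAMES_ASSERTIONS, env={}),
        # GLOBUS_HOSTNAME=192.168.111.3 makes both sides build the same string
        "globus_hostname_set": authorize(FILE, SERVER_FQDN, "file:read", JAMES_ASSERTIONS,
                                         env={"GLOBUS_HOSTNAME": "192.168.111.3"}),
        # a user outside readGroup carries no assertion for this object at all
        "tester_no_assertion": authorize(FILE, SERVER_FQDN, "file:read", [],
                                         env={"GLOBUS_HOSTNAME": "192.168.111.3"}),
        # the object matches but the asserted rights do not cover the action
        "write_not_granted": authorize(FILE, SERVER_FQDN, "file:write", JAMES_ASSERTIONS,
                                       env={"GLOBUS_HOSTNAME": "192.168.111.3"}),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:22s} allowed={ok!s:5s} {why}")
```

The first case reproduces the GAA_S_NO_MATCHING_ENTRIES failure from the original post, and the second shows why Raj's GLOBUS_HOSTNAME suggestion resolves it: the fix changes the string the server builds, not the CAS policy. Note that this model covers only the CAS callout path; what the server decides for a connection made without a cas-wrapped proxy is not described on this page, so the final question in the thread (whether the two commands are equivalent) is not answered by it.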