[gridftp-user] Problems using CAS credentials with GridFTP enabled
Raj Kettimuthu
kettimut at mcs.anl.gov
Sun Apr 9 12:54:13 CDT 2006
On Sat, 8 Apr 2006, kugrid globus wrote:
> Mr Kettimuthu,
>
> Thank you for your help. (Because I run everything on one
> machine right now, but different users have different CAs.) I set env
> GLOBUS_HOSTNAME to 192.168.111.3 using the user globus (who starts the
> grid-container). But I still got
> the same mistake.
Please set GLOBUS_HOSTNAME to 192.168.111.3 where you run the
globus-gridftp-server.
> I tried running this command as "james":
> globus-url-copy -dbg gsiftp://192.168.111.3/tmp/foo.2.txt
> file:///home/james/foo.22.txt
> That will copy the file to /home/james/. And also, if I try
> a user like "tester" who isn't in the "readGroup" in the CAS
> database, he cannot copy that file. It seems to do the job
> I want.
This may be because you have an entry for user 'james' in the grid-mapfile
and there is no entry for user 'tester'.
> But are these two commands the same? (with or without "cas-wrap -p casProxy")
> Thank you for your time.
With "cas-wrap -p casProxy", the proxy generated with cas-proxy-init (casProxy)
will be used; without "cas-wrap -p casProxy", the proxy generated with
grid-proxy-init will be used.
>
> Sincerely,
>
> On 4/7/06, Raj Kettimuthu <kettimut at mcs.anl.gov> wrote:
> >
> > On Fri, 7 Apr 2006, kugrid globus wrote:
> >
> > > Mr Kettimuthu,
> > >
> > > Thank you for your reply. I did what you suggested.
> > >
> > > 1)I added "ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt"
> > > as a new object with the namespace_nickname="FTPDirectoryTree".
> > > 2) granted user group "readGroup" file read permissions: (see following)
> > > 3) cas-proxy-init -c
> > > "https://192.168.111.3:8443/wsrf/services/CASService" -s
> > > "/O=Globus/OU=GT4CA-tirari.liih.org/CN=host/tirari.liih.org" -p
> > > casProxy -debug
> > >
> > > I got:
> > > ~~~~~~~~~~~~~~~~~~~~~~~
> > > CAS client to generate restrictd proxy with CAS assertions.
> > > instanceURL https://192.168.111.3:8443/wsrf/services/CASService
> > > lifetime 86400
> > > tag cas
> > > new proxyFilename casProxy
> > > policyFileName null
> > > ......
> > > <AuthorizationDecisionStatement Decision="Permit"
> > > Resource="FTPDirectoryTree|ftp://192.168.111.3/tmp/foo.2.txt"><Subject><NameIdentifier
> > > Format="#X509SubjectName"
> > > ...
> > > <Action Namespace="file">read</Action><Action
> > > Namespace="cas">grantAll</Action></AuthorizationDecisionStatement>
> > > ......
> > > Completed successfully. Proxy written to casProxy
> > > ~~~~~~~~~~~~~~~~~~~~~~
> > > 4) cas-wrap -p casProxy globus-url-copy -dbg
> > > gsiftp://192.168.111.3/tmp/foo.2.txt file:///home/james/foo.22.txt
> > > but I got exactly the same result as before.
> >
> > Please try setting env GLOBUS_HOSTNAME to 192.168.111.3 on the node where
> > you run the gridftp server. This should fix your problem. Let me know how
> > it goes.
> >
> > >
> > > I have some questions right now:
> > > a) you said "FTPDirectoryTree is the namespace expected by the gridftp server."
> > > So, is it correct that after I bootstrap the CAS, "FTPDirectoryTree"
> > > was added into
> > > the namespace_table with the basename '.'? Should I modify anything about it?
> >
> > You did the right thing here.
> >
> > >
> > > b) when I add a new object, should I add
> > > "ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt"
> > > or "gsiftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt"?
> >
> > "ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt"
> >
> > >
> > > c) at the server machine, what are the correct permissions for this
> > > /tmp/foo.2.txt file?
> > > I used globus4user to create the file, and gave it the permissions:
> > > -rw-r--r-- 1 globus4user globus4user 60 Apr 2 17:56 foo.2.txt.
> > > The new user's name is james, who does not belong to globus4user's group. Is that correct?
> >
> > Since you have read permission for others and user james is only trying
> > to read this file, it should be fine.
> >
> > >
> > > Thank you so much.
> > > Sincerely,
> > >
> > >
> > > On 4/6/06, Raj Kettimuthu <kettimut at mcs.anl.gov> wrote:
> > > > The gridftp server never actually sees the url that you type on the
> > > > globus-url-copy command line; it creates a URL string that corresponds
> > > > to the file you're trying to read and then does comparisons on the
> > > > objects listed in the assertion in the CAS credential. So if the
> > > > gridftp server sees that you're trying to read the file /tmp/foo.2.txt on
> > > > that server, it generates the URL string
> > > > "ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt", and then
> > > > looks for entries in the CAS assertion that match that URL string. So
> > > > your original command line was fine, but you need to go to the CAS server
> > > > and grant permissions on
> > > > "ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt", then do
> > > > another cas-proxy-init, then do your original cas-wrapped globus-url-copy
> > > > again.
> > > >
> > > > When you do cas-proxy-init, use -debug to check the assertion has the
> > > > correct resource name. You should see
> > > > Resource="FTPDirectoryTree|ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt
> > > >
> > > > FTPDirectoryTree is the namespace expected by the gridftp server.
> > > >
> > > > Hope this helps.
> > > >
> > > > Raj
> > > >
> > > > On Thu, 6 Apr 2006, kugrid globus wrote:
> > > >
> > > > > hi, all,
> > > > > I want to configure the GridFTP server to work with CAS.
> > > > > I followed the following website:
> > > > > http://www.globus.org/toolkit/docs/4.0/security/cas/WS_AA_CAS_HOWTO_Setup_GridFTP.html
> > > > >
> > > > > After I set up the CAS server, enabled CAS support in the GridFTP server,
> > > > > created james as a new user, added him to the readGroup, and also
> > > > > granted the group permission to read the file,
> > > > > I wanted to transfer the file. I logged in as james, and I did:
> > > > >
> > > > > 1) grid-proxy-init
> > > > > 2) cas-proxy-init -p casProxy
> > > > > 3) cas-wrap -p casProxy globus-url-copy -dbg
> > > > > gsiftp://192.168.111.3/tmp/foo.2.txt file:///home/james/foo.22.txt
> > > > >
> > > > > then I got:
> > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > > Tag true: 2 Tag Proxy file casProxy
> > > > > Proxy casProxy
> > > > > Command line globus-url-copy -dbg
> > > > > gsiftp://192.168.111.3/tmp/foo.2.txt file:///home/james/foo.22.txt
> > > > > debug: starting to get gsiftp://192.168.111.3/tmp/foo.2.txt
> > > > > ...
> > > > > 220 tirari.liih.org GridFTP Server 2.1 (gcc32dbg, 1122653280-63) ready.
> > > > > debug: authenticating with gsiftp://192.168.111.3/tmp/foo.2.txt
> > > > > ...
> > > > > 230 User james logged in.
> > > > > debug: sending command:
> > > > > SITE HELP
> > > > > debug: response from gsiftp://192.168.111.3/tmp/foo.2.txt:
> > > > > 214-The following commands are recognized:
> > > > > ...
> > > > > 214 End
> > > > > debug: sending command:
> > > > > ...
> > > > > debug: response from gsiftp://192.168.111.3/tmp/foo.2.txt:
> > > > > 500-Command failed. : authorization failed.
> > > > > 500-globus_gsi_authz: Callout returned an error
> > > > > 500-globus_callout_module: The callout returned an error
> > > > > 500-globus_gsi_authz_gaa_callout.c:531: gaa_get_object_policy_info
> > > > > returned GAA_S_NO_MATCHING_ENTRIES ()
> > > > > 500 End.
> > > > > ...
> > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > > It seems the user doesn't have the privilege to access the file,
> > > > > but I did add "ftp://192.168.111.3/tmp/foo.2.txt" as an object
> > > > > and gave the "read/write/lookup/create/delete" privileges to the user group
> > > > > called "readGroup", and this user "James" is in that group.
> > > > > So can you tell me what's wrong with it?
> > > > >
> > > > > Thanks for your patience. I am eager for your help.
> > > > > I really appreciate it.
> > > > >
> > > > >
> > > >
> > >
> > >
> >
>
>
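The two checks the thread walks through (the grid-mapfile lookup that produces "230 User james logged in", then the CAS callout that builds "ftp://<server hostname>/<path>", prefixes the FTPDirectoryTree namespace and looks for that resource in the proxy's assertion) as an added Python model. This is not Globus Toolkit code; the grid-mapfile line, the subject DN in the assertion, the dropping of the "cas" namespace action, and the idea that the server's hostname is a single configurable value are all assumptions of the model. It reproduces the thread's failure: a server that names itself tirari.liih.org while the CAS object was granted under 192.168.111.3 finds no matching entry.

```python
"""Added example, not Globus code: a toy model of the GridFTP + CAS
authorization chain discussed in the thread."""

import xml.etree.ElementTree as ET

# Namespace the thread says the gridftp server expects.
NAMESPACE = "FTPDirectoryTree"

# Constructed grid-mapfile; the DN is a placeholder, not from the thread.
GRID_MAPFILE = '"/O=Globus/OU=GT4CA-example/CN=james" james\n'

# Constructed, trimmed SAML-like assertion modelled on the cas-proxy-init
# -debug output quoted in the thread; only the elements checked here are kept.
ASSERTION_XML = """\
<Assertion>
  <AuthorizationDecisionStatement Decision="Permit"
      Resource="FTPDirectoryTree|ftp://192.168.111.3/tmp/foo.2.txt">
    <Subject><NameIdentifier Format="#X509SubjectName">\
/O=Globus/OU=GT4CA-example/CN=james</NameIdentifier></Subject>
    <Action Namespace="file">read</Action>
    <Action Namespace="cas">grantAll</Action>
  </AuthorizationDecisionStatement>
</Assertion>
"""


def parse_gridmap(text):
    """Parse '"<DN>" <account>' lines into {DN: account}."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dn, _, account = line.rpartition(" ")
        mapping[dn.strip('"')] = account
    return mapping


def parse_assertion(xml_text):
    """Return [(resource, {namespace: {actions}})] for each Permit statement."""
    statements = []
    for st in ET.fromstring(xml_text).iter("AuthorizationDecisionStatement"):
        if st.get("Decision") != "Permit":
            continue
        actions = {}
        for act in st.findall("Action"):
            actions.setdefault(act.get("Namespace"), set()).add(act.text.strip())
        statements.append((st.get("Resource"), actions))
    return statements


def resource_string(server_hostname, path):
    """The lookup key the thread describes: namespace|ftp://<hostname><path>.
    The client typed gsiftp://..., but the server rebuilds the key itself."""
    return f"{NAMESPACE}|ftp://{server_hostname}{path}"


def authorize(gridmap, statements, subject_dn, server_hostname, path, action):
    """Two-stage decision. Returns (permitted, reason)."""
    # Stage 1: certificate subject must map to a local account (grid-mapfile).
    account = gridmap.get(subject_dn)
    if account is None:
        return False, "no grid-mapfile entry for subject"
    # Stage 2: CAS callout looks for the exact resource string.
    wanted = resource_string(server_hostname, path)
    matching = [acts for res, acts in statements if res == wanted]
    if not matching:
        return False, "GAA_S_NO_MATCHING_ENTRIES"
    # Model simplification: only "file"-namespace actions are consulted.
    for actions in matching:
        if action in actions.get("file", set()):
            return True, f"Permit ({account})"
    return False, "matching entry but action not granted"


if __name__ == "__main__":
    gm = parse_gridmap(GRID_MAPFILE)
    stmts = parse_assertion(ASSERTION_XML)
    dn = "/O=Globus/OU=GT4CA-example/CN=james"
    # Server names itself by FQDN: key does not match the granted object.
    print(authorize(gm, stmts, dn, "tirari.liih.org", "/tmp/foo.2.txt", "read"))
    # GLOBUS_HOSTNAME=192.168.111.3 makes the key match.
    print(authorize(gm, stmts, dn, "192.168.111.3", "/tmp/foo.2.txt", "read"))
    # Action not granted in the assertion.
    print(authorize(gm, stmts, dn, "192.168.111.3", "/tmp/foo.2.txt", "write"))
    # Subject with no grid-mapfile entry fails before CAS is consulted.
    print(authorize(gm, stmts, "/CN=tester", "192.168.111.3", "/tmp/foo.2.txt", "read"))
```

The model also shows why the unwrapped globus-url-copy in the thread could still succeed for james and fail for tester: the first stage alone (grid-mapfile) distinguishes them, so a test that varies only the grid-mapfile entry does not prove the CAS policy was consulted.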