[gridftp-user] Problems using CAS credentials with GridFTP enabled

kugrid globus kugrid.globus at gmail.com
Wed Apr 19 23:14:52 CDT 2006


Dear Mr Kettimuthu,

        Thank you so much. It's finally working now.
I should have thanked you 10 days ago. But you know, I just
found out what was wrong right now.
1) I did not run the gridftp server every time.
2) I used user 'globus' to run it, but it can't read the host's CA.
Finally, I used root to run the gridftp server and set
GLOBUS_HOSTNAME to 192.168.111.3. It's working now.
        Thank you again.

Sincerely,
kugrid

On 4/9/06, Raj Kettimuthu <kettimut at mcs.anl.gov> wrote:
> On Sat, 8 Apr 2006, kugrid globus wrote:
> > Mr Kettimuthu,
> >
> >       Thank you for your help. (Because I run everything on one
> > machine right now, but different users have different CAs.) I set env
> > GLOBUS_HOSTNAME to 192.168.111.3 using the user globus (who starts the
> > grid-container). But I still got
> > the same mistake.
>
> Please set GLOBUS_HOSTNAME to 192.168.111.3 where you run the
> globus-gridftp-server.
>
> >       I tried running this command as "james":
> >  globus-url-copy -dbg gsiftp://192.168.111.3/tmp/foo.2.txt
> > file:///home/james/foo.22.txt
> >      That will copy the file to /home/james/. And also if I try
> > some users like "tester" who isn't in the "readGroup" in the CAS
> > database, he will not copy that file. It seemed to do the same job that
> > I want.
>
> This may be because you have an entry for user 'james' in the grid-mapfile
> and there is no entry for user 'tester'.
>
> >      But are these two commands the same? (with or without "cas-wrap -p casProxy")
> >      Thank you for your time.
>
> With "cas-wrap -p casProxy" the proxy generated with cas-proxy-init (casProxy)
> will be used, and without "cas-wrap -p casProxy" the proxy generated with
> grid-proxy-init will be used.
>
>
> >
> > Sincerely,
> >
> > On 4/7/06, Raj Kettimuthu <kettimut at mcs.anl.gov> wrote:
> > >
> > > On Fri, 7 Apr 2006, kugrid globus wrote:
> > >
> > > > Mr Kettimuthu,
> > > >
> > > >      Thank you for your reply. I did what you suggested.
> > > >
> > > > 1) I added "ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt"
> > > > as a new object with the namespace_nickname="FTPDirectoryTree".
> > > > 2) granted user group "readGroup" file read permissions: (see following)
> > > > 3) cas-proxy-init -c
> > > > "https://192.168.111.3:8443/wsrf/services/CASService" -s
> > > > "/O=Globus/OU=GT4CA-tirari.liih.org/CN=host/tirari.liih.org" -p
> > > > casProxy -debug
> > > >
> > > > I got:
> > > > ~~~~~~~~~~~~~~~~~~~~~~~
> > > > CAS client to generate restrictd proxy with CAS assertions.
> > > > instanceURL https://192.168.111.3:8443/wsrf/services/CASService
> > > > lifetime 86400
> > > > tag cas
> > > > new proxyFilename casProxy
> > > > policyFileName null
> > > > ......
> > > > <AuthorizationDecisionStatement Decision="Permit"
> > > > Resource="FTPDirectoryTree|ftp://192.168.111.3/tmp/foo.2.txt"><Subject><NameIdentifier
> > > > Format="#X509SubjectName"
> > > > ...
> > > > <Action Namespace="file">read</Action><Action
> > > > Namespace="cas">grantAll</Action></AuthorizationDecisionStatement>
> > > > ......
> > > > Completed successfully. Proxy written to casProxy
> > > > ~~~~~~~~~~~~~~~~~~~~~~
> > > > 4) cas-wrap -p casProxy globus-url-copy -dbg
> > > > gsiftp://192.168.111.3/tmp/foo.2.txt file:///home/james/foo.22.txt
> > > > but I got exactly the same result as before.
> > >
> > > Please try setting env GLOBUS_HOSTNAME to 192.168.111.3 on the node where
> > > you run the gridftp server. This should fix your problem. Let me know how
> > > it goes.
> > >
> > > >
> > > > I have some questions right now:
> > > > a) You said "FTPDirectoryTree is the namespace expected by the gridftp server."
> > > > So, is it correct that after I bootstrap the CAS, "FTPDirectoryTree"
> > > > was added into
> > > > the namespace_table, with the basename '.'? Should I do some modification to it?
> > >
> > > You did the right thing here.
> > >
> > > >
> > > > b) When I add a new object, should I add
> > > > "ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt"
> > > > or "gsiftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt"?
> > >
> > >  "ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt"
> > >
> > > >
> > > > c) At the server machine, what are the correct permissions for this
> > > > /tmp/foo.2.txt file?
> > > > I used globus4user to create the file, and gave the permissions as:
> > > > -rw-r--r--  1 globus4user globus4user     60 Apr  2 17:56 foo.2.txt.
> > > > The new user's name is james, not belonging to globus4user's group. Is it correct?
> > >
> > > Since you have read permission for others and user james is only trying
> > > to read this file, it should be fine.
> > >
> > > >
> > > > Thank you so much.
> > > > Sincerely,
> > > >
> > > >
> > > > On 4/6/06, Raj Kettimuthu <kettimut at mcs.anl.gov> wrote:
> > > > > The gridftp server never actually sees the url that you type on the
> > > > > globus-url-copy command line; it creates a URL string that corresponds
> > > > > to the file you're trying to read and then does comparisons on the
> > > > > objects listed in the assertion in the CAS credential.  So if the
> > > > > gridftp server sees that you're trying to read the file /tmp/foo.2.txt on
> > > > > that server, it generates the URL string
> > > > > "ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt", and then
> > > > > looks for entries in the CAS assertion that match that URL string.  So
> > > > > your original command line was fine, but you need to go to the CAS server
> > > > > and grant permissions on
> > > > > "ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt", then do
> > > > > another cas-proxy-init, then do your original cas-wrapped globus-url-copy
> > > > > again.
> > > > >
> > > > > When you do cas-proxy-init, use -debug to check the assertion has the
> > > > > correct resource name. You should see
> > > > > Resource="FTPDirectoryTree|ftp://<fully_qualified_domain_name_of_server>/tmp/foo.2.txt
> > > > >
> > > > > FTPDirectoryTree is the namespace expected by the gridftp server.
> > > > >
> > > > > Hope this helps.
> > > > >
> > > > > Raj
> > > > >
> > > > > On Thu, 6 Apr 2006, kugrid globus wrote:
> > > > >
> > > > > > Hi all,
> > > > > > I want to configure the GridFTP server to work with CAS.
> > > > > > I followed the following website:
> > > > > > http://www.globus.org/toolkit/docs/4.0/security/cas/WS_AA_CAS_HOWTO_Setup_GridFTP.html
> > > > > >
> > > > > > After I set up the CAS server, enabled CAS support in the GridFTP server,
> > > > > > created james as a new user, added him into the readGroup, and also
> > > > > > granted the group the permission to read the file,
> > > > > > I want to transfer the file. I log in as james, and I did:
> > > > > >
> > > > > > 1) grid-proxy-init
> > > > > > 2) cas-proxy-init -p casProxy
> > > > > > 3) cas-wrap -p casProxy globus-url-copy -dbg
> > > > > > gsiftp://192.168.111.3/tmp/foo.2.txt file:///home/james/foo.22.txt
> > > > > >
> > > > > > then I got:
> > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > > > Tag true: 2  Tag   Proxy file casProxy
> > > > > > Proxy casProxy
> > > > > > Command  line  globus-url-copy -dbg
> > > > > > gsiftp://192.168.111.3/tmp/foo.2.txt file:///home/james/foo.22.txt
> > > > > > debug: starting to get gsiftp://192.168.111.3/tmp/foo.2.txt
> > > > > > ...
> > > > > > 220 tirari.liih.org GridFTP Server 2.1 (gcc32dbg, 1122653280-63) ready.
> > > > > > debug: authenticating with gsiftp://192.168.111.3/tmp/foo.2.txt
> > > > > > ...
> > > > > > 230 User james logged in.
> > > > > > debug: sending command:
> > > > > > SITE HELP
> > > > > > debug: response from gsiftp://192.168.111.3/tmp/foo.2.txt:
> > > > > > 214-The following commands are recognized:
> > > > > > ...
> > > > > > 214 End
> > > > > > debug: sending command:
> > > > > > ...
> > > > > > debug: response from gsiftp://192.168.111.3/tmp/foo.2.txt:
> > > > > > 500-Command failed. : authorization failed.
> > > > > > 500-globus_gsi_authz: Callout returned an error
> > > > > > 500-globus_callout_module: The callout returned an error
> > > > > > 500-globus_gsi_authz_gaa_callout.c:531: gaa_get_object_policy_info
> > > > > > returned GAA_S_NO_MATCHING_ENTRIES ()
> > > > > > 500 End.
> > > > > > ...
> > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > > > It seems the user doesn't have the privilege to access the file.
> > > > > > But I did add this "ftp://192.168.111.3/tmp/foo.2.txt" into the object,
> > > > > > and gave the "read/write/lookup/create/delete" privilege to the user group
> > > > > > called "readGroup". And this user "James" is in that group.
> > > > > > So can you tell me what's wrong with it?
> > > > > >
> > > > > > Thanks for your patience. I am eager for your help.
> > > > > > I really appreciate it.
> > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > >
> >
> >
>
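The matching step Raj describes above (the server builds its own "ftp://<hostname>/path" string from GLOBUS_HOSTNAME or its FQDN and looks for an equal entry in the CAS assertion) modelled as an added example; this is not Globus code, the assertion is a constructed sample shaped like the cas-proxy-init -debug output in the thread, and the subject DN is a placeholder:

```python
import xml.etree.ElementTree as ET

# Namespace the gridftp server expects in the assertion (named in the thread).
CAS_NAMESPACE = "FTPDirectoryTree"

# Constructed sample, shaped like the AuthorizationDecisionStatement that
# cas-proxy-init -debug printed in the thread; not a real CAS assertion.
SAMPLE_ASSERTION = """<Assertion>
  <AuthorizationDecisionStatement Decision="Permit"
      Resource="FTPDirectoryTree|ftp://192.168.111.3/tmp/foo.2.txt">
    <Subject><NameIdentifier Format="#X509SubjectName">/O=Globus/CN=placeholder-user-dn</NameIdentifier></Subject>
    <Action Namespace="file">read</Action>
    <Action Namespace="cas">grantAll</Action>
  </AuthorizationDecisionStatement>
</Assertion>"""


def parse_decisions(assertion_xml):
    """Return [(resource, {"namespace:action", ...}), ...] for every Permit statement."""
    root = ET.fromstring(assertion_xml)
    decisions = []
    for stmt in root.iter("AuthorizationDecisionStatement"):
        if stmt.get("Decision") != "Permit":
            continue
        actions = {f"{a.get('Namespace')}:{a.text.strip()}" for a in stmt.iter("Action")}
        decisions.append((stmt.get("Resource"), actions))
    return decisions


def server_resource(server_hostname, path):
    """The string the server builds for the file it is asked to serve. It is
    derived from the server's own hostname (GLOBUS_HOSTNAME, else its FQDN),
    never from the URL the client typed."""
    return f"{CAS_NAMESPACE}|ftp://{server_hostname}{path}"


def authorize(assertion_xml, server_hostname, path, action="file:read"):
    """Simplified model of the authz callout: Permit only when an entry in the
    assertion equals the server-built string and grants the requested action.
    (Real CAS policy on a directory tree may also cover subtrees; not modelled.)"""
    wanted = server_resource(server_hostname, path)
    for resource, actions in parse_decisions(assertion_xml):
        if resource == wanted and action in actions:
            return "Permit"
    return "GAA_S_NO_MATCHING_ENTRIES"


if __name__ == "__main__":
    # Server's FQDN differs from the host in the granted resource: the
    # "no matching entries" failure seen in the thread.
    print(authorize(SAMPLE_ASSERTION, "tirari.liih.org", "/tmp/foo.2.txt"))
    # After GLOBUS_HOSTNAME=192.168.111.3 on the server, the strings line up.
    print(authorize(SAMPLE_ASSERTION, "192.168.111.3", "/tmp/foo.2.txt"))
```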



