Merge branch 'master' into xrdssi

Doxyfile

@@ -161,14 +161,16 @@ src/XrdCl/XrdClURL.hh \
 src/XrdCl/XrdClAnyObject.hh \
 src/XrdCl/XrdClXRootDResponses.hh \
 src/XrdCl/XrdClFile.hh \
-src/XrdFileCache/XrdFileCache.hh \
-src/XrdFileCache/XrdFileCacheFactory.hh \
-src/XrdFileCache/XrdFileCachePrefetch.hh \
-src/XrdFileCache/XrdFileCacheInfo.hh \
-src/XrdFileCache/XrdFileCacheIOFileBlock.hh \
-src/XrdFileCache/XrdFileCacheIOEntireFile.hh \
-src/XrdFileCache/XrdFileCacheStats.hh \
 src/XrdFileCache/XrdFileCacheDecision.hh
+src/XrdFileCache/XrdFileCacheFile.hh
+src/XrdFileCache/XrdFileCache.hh
+src/XrdFileCache/XrdFileCacheInfo.hh
+src/XrdFileCache/XrdFileCacheIOEntireFile.hh
+src/XrdFileCache/XrdFileCacheIOFileBlock.hh
+src/XrdFileCache/XrdFileCacheIO.hh
+src/XrdFileCache/XrdFileCachePrint.hh
+src/XrdFileCache/XrdFileCacheStats.hh
+src/XrdFileCache/XrdFileCacheTrace.hh
 
 FILE_PATTERNS          = *.hh
 RECURSIVE              = YES

cmake/FindOpenSSL.cmake

@@ -46,6 +46,9 @@ endif()
 
 set ( CMAKE_REQUIRED_LIBRARIES ${OPENSSL_LIBRARIES} )
 
+check_function_exists(TLS_method HAVE_TLS)
+compiler_define_if_found(HAVE_TLS HAVE_TLS)
+
 check_function_exists(TLSv1_2_method HAVE_TLS12)
 compiler_define_if_found(HAVE_TLS12 HAVE_TLS12)
 

docs/PreReleaseNotes.txt

@@ -5,13 +5,3 @@ XRootD
 Prerelease Notes
 ================
 
-+ **New Features**
-  * Allow specifying a different timeout for null cached entries; fixes #413
-
-+ **Major bug fixes**
-
-+ **Minor bug fixes**
-  * Fix memory leak in sss protocol.
-  * Allow hostnames to begin with a digit.
-
-+ **Miscellaneous**

docs/ReleaseNotes.txt

@@ -6,6 +6,71 @@ Release Notes
 =============
 
 
+-------------
+Version 4.6.0
+-------------
+
++ **New Features**
+  * **[XrdCms]** Add non-blocking sends to avoid slow links.
+  * **[XrdFileCache]** File caching proxy V2 (and new pss async interface).
+
++ **Major bug fixes**
+  * **[XrdCeph]** Account for return Ceph xattr return codes.
+  * **[XrdCeph]** Fixed initialization of Ceph clusters when stripers are not used.
+  * **[XrdCrypto]** Improved determination of X509 certificate type, 
+                    including proxy version
+  * **[XrdHttp]** Fix memory leak in Bridge protocol (affects HTTP).
+  * **[XrdSecgsi]** Several improvements in the way CRLs are checked and reloaded.
+  * **[XrdCl]** Protect against spurious wakeups in SyncResponseHandler.
+  * **[XrdCl]** On read-timeout, if the stream is broken, make sure the request and 
+                its handler are not double deleted.
+
++ **Minor bug fixes**
+  * **[XrdCl]** Check if the file was correctly closed upon ZipArchiveReader destruction.
+  * **[Server]** Add limits for prepare requests.
+  * **[Server]** Delete buffers when the buffer manager is deleted. Fixes #414
+  * **[Server]** Do not double count overlapping spaces. Fixes #425 
+  * **[XrdHttp]** Allow unauthenticated https clients.
+  * **[XrdHttp]** Make Xrdhttp secure by default (rejecting proxy cert in the absence 
+                  of a proper SecXtractor plugin)
+
++ **Miscellaneous**
+  * **[XrdSecgsi]** Re-activate xrdgsitest
+  * **[RPM]** Include xrdgsitest in xrootd-client-devel package.
+  * **[XrdFileCache]** Add example of filecache configuration.
+
+-------------
+Version 4.5.0
+-------------
+
++ **New Features**
+  * **[XrdCms]** Allow specifying a different timeout for null cached entries; fixes #413
+  * **[XProtocol/XrdSec/Server/XrdCl]** Implement request signing.
+  * **[XrdCl]** Add ZIP extracting capability to xrdcp.
+  * **[XrdCl]** Include the release number in client Login request cgi.
+  * **[XrdCl]** Add support for spaces in file names for mv operation.
+
++ **Major bug fixes**
+  * **[XrdCrypto/Secgsi]** Fix XrdCryptosslMsgDigest::Init ; set 'sha256' as
+                           default algorithm.
+  * **[XrdCl]** Use posix semaphores for fedora >= 22. Disable
+                omit-frame-ponter for gcc >= 4.9.3 if custom semaphores are used.
+
++ **Minor bug fixes**
+  * **[XrdSecsss]** Fix memory leak in sss protocol.
+  * **[XrdNet]** Allow hostnames to begin with a digit.
+  * **[XrdCl]** Fix segfault in case a user cannot be mapped to a home directory.
+  * **[XrdCl]** Make sure a socket is always associated with a proper poller
+                object (not null).
+  * **[XrdCl]** Fix deadlock in XrdCl::PollerBuiltIn during finalize.
+  * **[XrdCrypto]** Do not use md5 checksum on OSX platform.
+
++ **Miscellaneous**
+  * **[RPM]** Include xrdacctest in xrootd-server package.
+  * **[RPM]** Add conditional BuildRequires for ceph >= 11.
+  * **[RPM]** Use compat-openssl10-devel for fedora>=26.
+  * **[XrdCl]** Make sure the Log class can be used by any client plugin implementation.
+
 -------------
 Version 4.4.0
 -------------

docs/man/xrdgsitest.1

@@ -0,0 +1,173 @@
+.TH xrdgsitest 1 "__VERSION__"
+.SH NAME
+xrdgsitest - test crypto functionality relevant for the GSI implementation
+.SH SYNOPSIS
+.nf
+
+\fBxrdgsitest\fR [\fB-h\fR, \fB--help\fR] [\fB-v\fR, \fB--verbose\fR]
+.fi
+.br
+.ad l
+.SH DESCRIPTION
+The \fBxrdgsitest\fR utility runs a few tests of the crypto functionality implemented in XrdCrypto relevant
+for the XrdSecgsi module, i.e. handling of certificates, proxies, chains, verification and similar actions.
+.br
+.SH OPTIONS
+.B -h, --help
+display help
+.TP
+.B -v, --verbose
+Print very detailed information about the tests.
+
+.SH FILES
+The program needs access to a user certificate file and its private key, and the related CA file(s); the CRL
+is downloaded using the information found in the CA certificate. 
+The location of the files are the standard ones and they can modified by the standard environment variables:
+.TP 3
+X509_USER_CERT  [$HOME/.globus/usercert.pem]       user certificate
+.TP 3
+X509_USER_KEY   [$HOME/.globus/userkey.pem]        user private key
+.TP 3
+X509_USER_PROXY [/tmp/x509up_u<uid>]               user proxy
+.TP 3
+X509_CERT_DIR   [/etc/grid-security/certificates/] CA certificates and CRL directories
+.SH OUTPUT
+The output is a list of PASSED/FAILED test similar to
+.TP
+$ xrdgsitest
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Crypto functionality tests for GSI ----------------------------------------------
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Loading EEC .............................................................  PASSED
+.br
+|| Loading User Proxy ......................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Recreate the proxy certificate --------------------------------------------------
+.br
+Enter PEM pass phrase:
+.br
+|| Recreating User Proxy ...................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Load CA certificates ------------------------------------------------------------
+.br
+|| Loading CA certificate ..................................................  PASSED
+.br
+|| Loading CA certificate ..................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing ParseFile ---------------------------------------------------------------
+.br
+|| Chain reorder:  .........................................................  PASSED
+.br
+|| Chain verify:  ..........................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing ExportChain -------------------------------------------------------------
+.br
+|| Attach to X509ExportChain ...............................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing Chain Import ------------------------------------------------------------
+.br
+|| Chain reorder:  .........................................................  PASSED
+.br
+|| Chain verify:  ..........................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing GSI chain import and verification ---------------------------------------
+.br
+|| GSI chain verify:  ......................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing GSI chain copy ----------------------------------------------------------
+.br
+|| GSI chain verify:  ......................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing Cert verification -------------------------------------------------------
+.br
+|| verify cert: EE signed by CA ............................................  PASSED
+.br
+|| verify cert: PX signed by EE ............................................  PASSED
+.br
+|| verify cert: PX not signed by CA ........................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing request creation --------------------------------------------------------
+.br
+|| Creating request ........................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing request signature -------------------------------------------------------
+.br
+|| Check proxyCertInfo extension ...........................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing export of signed proxy --------------------------------------------------
+.br
+|| Saving signed proxy chain to file .......................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing CRL identification ------------------------------------------------------
+.br
+|| Check CRL distribution points extension OK ..............................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing CRL loading -------------------------------------------------------------
+.br
+--2016-12-12 19:31:36--  http://cafiles.cern.ch/cafiles/crl/CERN%20Root%20Certification%20Authority%202.crl
+.br
+Resolving cafiles.cern.ch (cafiles.cern.ch)... 137.138.4.52, 2001:1458:201:96::100:26
+.br
+Connecting to cafiles.cern.ch (cafiles.cern.ch)|137.138.4.52|:80... connected.
+.br
+HTTP request sent, awaiting response... 200 OK
+.br
+Length: 1097 (1.1K) [application/pkix-crl]
+.br
+Saving to: ‘/tmp/5168735f.0.crltmp’
+.br
+
+.br
+/tmp/5168735f.0.crltmp                100%[========================================================================>]   1.07K  --.-KB/s    in 0s      
+.br
+
+.br
+2016-12-12 19:31:36 (383 MB/s) - ‘/tmp/5168735f.0.crltmp’ saved [1097/1097]
+.br
+
+.br
+|| Loading CA1 crl .........................................................  PASSED
+.br
+|| CRL signature OK ........................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+
+.TP
+The result of each test can be interleaved with details when the verbose option is chosen.
+.SH LICENSE
+License terms can be displayed by typing "\fBxrootd -H\fR".
+.SH SUPPORT LEVEL
+The \fBxrdgsitest\fR command is supported by the xrootd collaboration.
+Contact information can be found at
+.ce
+http://xrootd.org/contact.html

docs/man/xrdpfc_print.8

@@ -4,7 +4,7 @@ xrdpfc_print - print content of ProxyFileCache meta data
 .SH SYNOPSIS
 .nf
 
-\fBxrdpfc_print\fR [\fIoptions\fR] \fRpath\fR
+\fBxrdpfc_print\fR [\fIoptions\fR] \fRpath ...\fR
 
 \fIoptions\fR: [\fB--config\fR \fIargs\fR] [\fB--verbose\fR] [\fB--help\fR]
 

packaging/common/xrootd-filecache-clustered.cfg

@@ -0,0 +1,90 @@
+###########################################################################
+# This is a very simple sample configuration file sufficient to start an  #
+# xrootd file caching data server using the default port 1094 and its     #
+# companion cmsd. Trying to use the xrootd will cause the client to       #
+# simply wait there is no redirector and this configuration file is       #
+# insufficient to start one. Consult the reference manuals on how to      #
+# create a usable configuration file to completely describe a functional  #
+# xrootd cluster.                                                         #
+#                                                                         #
+# On start-up the xrootd will complain about not connecting to the pipe   #
+# named '/var/spool/xrootd/.olb/olbd.admin'. This will continue until the #
+# cmsd starts. When the cmsd start is will say ' Waiting for primary      #
+# server to login.' Once xrootd is started and connects to the cmsd, the  #
+# cmsd will complain 'Unable to connect socket to localhost' because      #
+# there is no redirector. However, this shows that xrootd and cmsd have   #
+# been correctly installed.                                               #
+#                                                                         #
+# Note: You should always create a *single* configuration file and use it #
+# when starting each daemon that you need to run in the cluster!          #
+###########################################################################
+# Tell everyone who the manager is
+#
+all.manager redirector:1213
+
+# The redirector and all cmsd’s export /data red-only with the stage option. The stage
+# option requests that if the file isn’t found in the cluster the redirector should send
+# the client to a PFC server with enough space to cache the file.
+#
+all.export /data stage r/o
+
+# Configuration is different for the redirector, the server cmsd, and
+# for the server xrootd. We break those out in the if-else-fi clauses.
+#
+if redirector
+
+all.role manager
+
+# Export with stage option - if the file isn’t found in the cluster the
+# redirector sends the client to a PFC server with enough free space.
+#
+
+all.export /data stage r/o
+
+# Server’s cmsd configuration – all PFC’s are virtual data servers
+#
+
+else if exec cmsd
+
+all.role server
+
+# Export with stage option - this tells manager cmsd we can pull files from the origin
+#
+all.export /data stage r/o
+
+# The cmsd uses the standard oss plug-in to locate files in the cache.
+# oss.localroot directive should be the same as for the server.
+#
+
+oss.localroot /pfc-cache
+
+# Server’s xrootd configuration – all PFC’s are virtual data servers
+#
+else
+
+all.role server
+
+# For xrootd, load the proxy plugin and the disk caching plugin.
+#
+ofs.osslib   libXrdPss.so
+pss.cachelib libFileCache.so
+
+# The server needs to write to disk, stage not relevant
+#
+all.export /data rw
+
+
+# Tell the proxy where the data is coming from (arbitrary).
+#
+pss.origin someserver.domain.org:1094
+
+# Tell the PFC’s where the disk cache resides (arbitrary).
+#
+oss.localroot /pfc-cache
+
+# Tell the PFC’s available RAM
+#
+pfc.ram 100g
+
+fi
+