-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
davix-client fails to follow redirection => missing urlencoding in xrdhttp-redirection? #577
Comments
Hi,
at a first sight I'd agree with you. I can have a deeper look tomorrow.
For the records, which version of Davix are you using? Have you
also tried with curl ?
Thank you very much for the report
Fabrizio
…On 04.09.17 18:51, olifre wrote:
I am only 99% sure this is an xrootd issue, so I am first reporting this
here...
Following setup (all xrootd 4.7):
* Manager |xrootd.somedomain| with ip address: |IPv4ADDRESSOFMGR|
* Data server |xrootd001.somedomain| with ip address: |IPv4ADDRESSOFDS|
* Some client to test, with ip address |IPv4ADDRESSOFCLIENT|
Both servers contain in their configuration (amongst some authentication
stuff):
|all.manager xrootd.somedomain:1213 all.role server all.role manager if
xrootd.somedomain http.selfhttps2http yes desthttps no if exec xrootd
xrd.protocol XrdHttp /usr/lib64/libXrdHttp.so fi http.secretkey REDACTED |
Now I run:
|davix-ls --debug -P Grid
https://xrootd.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk/ |
I get (abbreviated a bit):
|> PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk/ HTTP/1.1 > Host:
xrootd.somedomain:1094 [... Lots of SSL handling which goes well...] <
HTTP/1.1 302 Redirect < Content-Length: 0 < Location:
http://[::ffff:IPv4ADDRESSOFMGR]:1094/beegfs/grid/atlas/atlaslocalgroupdisk/?xrdhttptk=s6Q7i5fjNHzy17b/z/2hXA==&xrdhttptime=1504543303&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=REDACTED
|
So far, so good, self-redirection to http with a temporary key. Please
note that the redacted |xrdhttpdn| is nicely URL escaped.
Now, I see:
|> PROPFIND
/beegfs/grid/atlas/atlaslocalgroupdisk/?xrdhttptk=s6Q7i5fjNHzy17b/z/2hXA==&xrdhttptime=1504543303&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=REDACTED
HTTP/1.1 > User-Agent: libdavix/0.6.4 neon/0.0.29 |
Still fine, also here, the redacted |xrdhttpdn| is nicely URL escaped.
Now, I receive:
|< HTTP/1.1 302 Redirect < Content-Length: 0 < Location:
http://xrootd001.physik.uni-bonn.de:1094/beegfs/grid/atlas/atlaslocalgroupdisk/?xrdhttptk=s6Q7i5fjNHzy17b/z/2hXA==&xrdhttptime=1504543303&xrdhttpname=Oliver
Freyermuth&xrdhttpvorg=atlas&xrdhttphost=[::ffff:IPv4ADDRESSOFCLIENT]&xrdhttpdn=/C=DE/O=GermanGrid/REMAININGPARTREDACTED
|
Here:
* xrdhttphost is not urlencoded.
* xrdhttpdn is not urlencoded.
Now, davix shows:
|(Davix::HttpRequest) Error: Impossible to get the new redirected
destination |
and gives up - no request ever hits the data server.
Am I missing something, or is this a bug in xrdhttp?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#577>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AD7YjglL-Z5hIyXKlO92ITL8aGAoFowdks5sfCqXgaJpZM4PMHkn>.
------------------------------------------------------------------------
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
|
I did that just now, here we go... Looks the same...
After that, curl (as it was told) still performs the last, broken request, but receives an empty reply from the server. |
Hi,
I am quite puzzled by your trace, because that field is quoted by the
code exactly in the same way as the others. So it may be something that is not
so evident. I am going to setup a small cluster to debug this.
In the meantime, could you please rerun your test once after having set
http.trace all
in the config file ?
I am interested in the redirector log line that says " XrdHttpReq::Redir Redirecting to ...".
Is that URL correctly quoted ? It should be.
At the same time, you may want to try working around this issue, by disabling
https in the redirector, and enabling it only in the data servers. This would
also have the advantage of spreading the load of the SSL handshake through
many machines, hence removing a performance bottleneck.
Cheers
Fabrizio
…On 09/04/2017 08:42 PM, olifre wrote:
For the records, which version of Davix are you using?
|$ davix-ls --version Version: 0.6.6- |
Have you also tried with curl ?
I did that just now, here we go... Looks the same...
|curl -E /tmp/x509up_u1000 -X PROPFIND -vkL https://xrootd.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk [ ... lots of
SSL stuff ... ] > PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk HTTP/1.1 > Host: xrootd.somedomain:1094 [...] < HTTP/1.1 302
Redirect < Content-Length: 0 < Location:
http://[::ffff:IPv4ADDRESSOFMGR]:1094/beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=%2FC=DE%2FO=GermanGrid%2FREMAININGPARTREDACTED
[...] > PROPFIND
/beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=%2FC=DE%2FO=GermanGrid%2FREMAININGPARTREDACTED
HTTP/1.1 [...] < HTTP/1.1 302 Redirect < Content-Length: 0 < Location:
http://xrootd001.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver
Freyermuth&xrdhttpvorg=atlas&xrdhttphost=[::ffff:IPv4ADDRESSOFCLIENT]&xrdhttpdn=/C=DE/O=GermanGrid/REMAININGPARTREDACTED |
After that, curl (as it was told) still performs the last, broken request, but receives an empty reply from the server.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#577 (comment)>, or mute
the thread <https://github.com/notifications/unsubscribe-auth/AD7YjpzSSKrcImbfT1zOtvkGn5qk6hgDks5sfESGgaJpZM4PMHkn>.
--------------------------------------------------------------------------------------------------------------------------------
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
|
Hi again,
it seems that I am not able to reproduce your issue in my setup. I have one redirector (port 1095)
and one data server (port 1094). In my case the redirections are properly quoted,
and the client is happy.
I'd like to understand your case, though. Do you see any obvious hint
for differences between our setups ? Would you mind sending me a debug log (-d) of the
manager xrootd daemon showing the initialization and just one of these strange interactions ?
Cheers
f
---------------------------------------------------------- here a summary
$ davix-http -X PROPFIND --trace header -P grid davs://littlexrdhttp.cern.ch:1095/auth.log --retry 0
HTTP session to https://littlexrdhttp.cern.ch:1095 begins.
PROPFIND /auth.log HTTP/1.1
User-Agent: libdavix/0.6.6 neon/0.0.29
Keep-Alive:
Connection: Keep-Alive
TE: trailers
Host: littlexrdhttp.cern.ch:1095
< HTTP/1.1 302 Redirect
< Content-Length: 0
< Location:
http://[::ffff:128.142.135.19]:1095/auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051
<
HTTP session to http://[::ffff:128.142.135.19]:1095 begins.
PROPFIND
/auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051
HTTP/1.1
User-Agent: libdavix/0.6.6 neon/0.0.29
Keep-Alive:
Connection: Keep-Alive
TE: trailers
Host: [::ffff:128.142.135.19]:1095
< HTTP/1.1 302 Redirect
< Content-Length: 0
< Location:
http://littlexrdhttp.cern.ch:1094/auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051
<
HTTP session to http://littlexrdhttp.cern.ch:1094 begins.
PROPFIND
/auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051
HTTP/1.1
User-Agent: libdavix/0.6.6 neon/0.0.29
Keep-Alive:
Connection: Keep-Alive
TE: trailers
Host: littlexrdhttp.cern.ch:1094
.... and then it gets the correct response
----------------------------------------------------------------------------
…On 09/05/2017 02:08 PM, Fabrizio Furano wrote:
Hi,
I am quite puzzled by your trace, because that field is quoted by the
code exactly in the same way as the others. So it may be something that is not
so evident. I am going to setup a small cluster to debug this.
In the meantime, could you please rerun your test once after having set
http.trace all
in the config file ?
I am interested in the redirector log line that says " XrdHttpReq::Redir Redirecting to ...".
Is that URL correctly quoted ? It should be.
At the same time, you may want to try working around this issue, by disabling
https in the redirector, and enabling it only in the data servers. This would
also have the advantage of spreading the load of the SSL handshake through
many machines, hence removing a performance bottleneck.
Cheers
Fabrizio
On 09/04/2017 08:42 PM, olifre wrote:
> For the records, which version of Davix are you using?
>
> |$ davix-ls --version Version: 0.6.6- |
>
> Have you also tried with curl ?
> I did that just now, here we go... Looks the same...
>
> |curl -E /tmp/x509up_u1000 -X PROPFIND -vkL https://xrootd.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk [ ... lots of
> SSL stuff ... ] > PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk HTTP/1.1 > Host: xrootd.somedomain:1094 [...] < HTTP/1.1 302
> Redirect < Content-Length: 0 < Location:
> http://[::ffff:IPv4ADDRESSOFMGR]:1094/beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=%2FC=DE%2FO=GermanGrid%2FREMAININGPARTREDACTED
> [...] > PROPFIND
> /beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=%2FC=DE%2FO=GermanGrid%2FREMAININGPARTREDACTED
> HTTP/1.1 [...] < HTTP/1.1 302 Redirect < Content-Length: 0 < Location:
> http://xrootd001.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver
> Freyermuth&xrdhttpvorg=atlas&xrdhttphost=[::ffff:IPv4ADDRESSOFCLIENT]&xrdhttpdn=/C=DE/O=GermanGrid/REMAININGPARTREDACTED |
>
> After that, curl (as it was told) still performs the last, broken request, but receives an empty reply from the server.
>
> —
> You are receiving this because you commented.
> Reply to this email directly, view it on GitHub <#577 (comment)>, or mute
> the thread <https://github.com/notifications/unsubscribe-auth/AD7YjpzSSKrcImbfT1zOtvkGn5qk6hgDks5sfESGgaJpZM4PMHkn>.
>
>
> --------------------------------------------------------------------------------------------------------------------------------
>
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-DEV list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>
########################################################################
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
|
Got it. My little cluster was running my personal fork, built by our section's build system.
If I install the packages from epel-testing then I get the same error as you.
I suspect some issues in passing through the pull request or merges or whatever. In they they should be the same code.
< HTTP/1.1 302 Redirect
< Content-Length: 0
< Location:
http://littlexrdhttp.cern.ch:1094/auth.log?xrdhttptk=1KyxUOcw66gr1cIEZlHbEA==&xrdhttptime=1504623851&xrdhttpname=/DC=ch/DC=cern/OU=Organic
Units/OU=Users/CN=furano/CN=644746/CN=Fabrizio
Furano&xrdhttpvorg=atlas&xrdhttphost=[::ffff:188.184.88.253]&xrdhttpdn=/DC=ch/DC=cern/OU=Organic
Units/OU=Users/CN=furano/CN=644746/CN=Fabrizio Furano/CN=489070051
<
…On 09/05/2017 03:58 PM, Fabrizio Furano wrote:
Hi again,
it seems that I am not able to reproduce your issue in my setup. I have one redirector (port 1095)
and one data server (port 1094). In my case the redirections are properly quoted,
and the client is happy.
I'd like to understand your case, though. Do you see any obvious hint
for differences between our setups ? Would you mind sending me a debug log (-d) of the
manager xrootd daemon showing the initialization and just one of these strange interactions ?
Cheers
f
---------------------------------------------------------- here a summary
$ davix-http -X PROPFIND --trace header -P grid davs://littlexrdhttp.cern.ch:1095/auth.log --retry 0
HTTP session to https://littlexrdhttp.cern.ch:1095 begins.
> PROPFIND /auth.log HTTP/1.1
> User-Agent: libdavix/0.6.6 neon/0.0.29
> Keep-Alive:
> Connection: Keep-Alive
> TE: trailers
> Host: littlexrdhttp.cern.ch:1095
>
< HTTP/1.1 302 Redirect
< Content-Length: 0
< Location:
http://[::ffff:128.142.135.19]:1095/auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051
<
HTTP session to http://[::ffff:128.142.135.19]:1095 begins.
> PROPFIND
/auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051
HTTP/1.1
> User-Agent: libdavix/0.6.6 neon/0.0.29
> Keep-Alive:
> Connection: Keep-Alive
> TE: trailers
> Host: [::ffff:128.142.135.19]:1095
>
< HTTP/1.1 302 Redirect
< Content-Length: 0
< Location:
http://littlexrdhttp.cern.ch:1094/auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051
<
HTTP session to http://littlexrdhttp.cern.ch:1094 begins.
> PROPFIND
/auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051
HTTP/1.1
> User-Agent: libdavix/0.6.6 neon/0.0.29
> Keep-Alive:
> Connection: Keep-Alive
> TE: trailers
> Host: littlexrdhttp.cern.ch:1094
>
.... and then it gets the correct response
----------------------------------------------------------------------------
On 09/05/2017 02:08 PM, Fabrizio Furano wrote:
> Hi,
>
> I am quite puzzled by your trace, because that field is quoted by the
> code exactly in the same way as the others. So it may be something that is not
> so evident. I am going to setup a small cluster to debug this.
>
> In the meantime, could you please rerun your test once after having set
>
> http.trace all
>
> in the config file ?
> I am interested in the redirector log line that says " XrdHttpReq::Redir Redirecting to ...".
> Is that URL correctly quoted ? It should be.
>
> At the same time, you may want to try working around this issue, by disabling
> https in the redirector, and enabling it only in the data servers. This would
> also have the advantage of spreading the load of the SSL handshake through
> many machines, hence removing a performance bottleneck.
>
> Cheers
> Fabrizio
>
>
>
> On 09/04/2017 08:42 PM, olifre wrote:
>> For the records, which version of Davix are you using?
>>
>> |$ davix-ls --version Version: 0.6.6- |
>>
>> Have you also tried with curl ?
>> I did that just now, here we go... Looks the same...
>>
>> |curl -E /tmp/x509up_u1000 -X PROPFIND -vkL https://xrootd.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk [ ... lots of
>> SSL stuff ... ] > PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk HTTP/1.1 > Host: xrootd.somedomain:1094 [...] < HTTP/1.1 302
>> Redirect < Content-Length: 0 < Location:
>> http://[::ffff:IPv4ADDRESSOFMGR]:1094/beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=%2FC=DE%2FO=GermanGrid%2FREMAININGPARTREDACTED
>> [...] > PROPFIND
>> /beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=%2FC=DE%2FO=GermanGrid%2FREMAININGPARTREDACTED
>> HTTP/1.1 [...] < HTTP/1.1 302 Redirect < Content-Length: 0 < Location:
>> http://xrootd001.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver
>> Freyermuth&xrdhttpvorg=atlas&xrdhttphost=[::ffff:IPv4ADDRESSOFCLIENT]&xrdhttpdn=/C=DE/O=GermanGrid/REMAININGPARTREDACTED |
>>
>> After that, curl (as it was told) still performs the last, broken request, but receives an empty reply from the server.
>>
>> —
>> You are receiving this because you commented.
>> Reply to this email directly, view it on GitHub <#577 (comment)>, or mute
>> the thread <https://github.com/notifications/unsubscribe-auth/AD7YjpzSSKrcImbfT1zOtvkGn5qk6hgDks5sfESGgaJpZM4PMHkn>.
>>
>>
>> --------------------------------------------------------------------------------------------------------------------------------
>>
>> Use REPLY-ALL to reply to list
>>
>> To unsubscribe from the XROOTD-DEV list, click the following link:
>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>>
>
> ########################################################################
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-DEV list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>
########################################################################
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
|
Hi, many thanks for taking the effort to try to reproduce! I have uploaded the logfiles as "gists" here on github, produced using Here the log from the redirector: And here the one from the data server: And here the full config file I use: I will of course change the secret key again before entering production with that ;). |
Ah, that's good news - at least you don't need to hack through my logs then. By the way, I am using epel (not epel-testing) and xrootd-stable and wlcg repositories here. Let me know if you need the exact source used for one of the packages, then I can check. |
Hi, I think I found it
It's a tiny bug, linked to enabling the https2http redirection in a manager xrootd.
If you disable https2http in the manager (you can keep it in the data servers)
then it should just work. Please let me know.
BTW enabling https2http in a manager makes very little sense (actually it
creates overhead), and this may explain why I did not think at this
combination.
I will fix it anyway tomorrow, yet I'd say that its release priority is quite low,
as it is triggered only in the case of a 'limit' combination, and its workaround is
a fixed configuration.
Last thought... please let me know if it works now, anyway IMO one should
preferably disable https in the redirector and let it just do the redirector http->https.
Spreading this kind of load to the disk servers is certainly a more scalable approach.
Cheers
Fabrizio
…On 09/05/2017 05:14 PM, olifre wrote:
I suspect some issues in passing through the pull request or merges or whatever. In they they should be the same code.
Ah, that's good news - at least you don't need to hack through my logs then.
Good luck finding the difference between the two versions!
By the way, I am using epel (not epel-testing) and xrootd-stable and wlcg repositories here. Let me know if you need the exact
source used for one of the packages, then I can check.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#577 (comment)>, or mute
the thread <https://github.com/notifications/unsubscribe-auth/AD7Yjuo77dMklDvPeHmBpDtkqKgjPPHaks5sfWVVgaJpZM4PMHkn>.
--------------------------------------------------------------------------------------------------------------------------------
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
|
Hi,
Many thanks! You are correct, removing that on the manager fixes the issue.
This would be a good point. However, if I do that, how does the redirector know which paths the connecting user is allowed to access (since authentication with client certificate will not take place)? Cheers and many thanks, |
Hi,
On 05.09.17 18:35, olifre wrote:
This would be a good point. However, if I do that, how does the
redirector know which paths the connecting user is allowed to access
(since authentication with client certificate will not take place)?
Testing that in my setup, I get a 404 from the redirector, since it does
not authorize the connecting user "none" to list any paths.
Or does it imply I have to effectively allow |l| to everybody, also
unathenticated users, on my redirector for all to-be-exported paths?
good point too. I assume that you have a vanilla xrootd setup, i.e.
one that does not have sophisticated machineries at the redirector like
eos or dpm or other name space plugins.
You can certainly allow the redirector to serve (redirections)
to any user also for listings, since the real permissions
would be checked fully by the involved data server, through https.
In the case of a vanilla clustered setup, the listings are in general
partial (hence they may be of limited usefulness), because they
will contain only the files hosted by the data server that
happens to be the destination of a redirection.
Just to compare, with the xrootd protocol instead the client
has a sophisticated logic that reconstructs on the fly a full
listing, but with a generic webdav client this is not possible.
So, is your cluster a vanilla xrootd+cmsd cluster ?
Cheers
Fabrizio
|
Hi, FWIW - we locally require auth on the redirector. The added CPU usage from the redirector, if summed across the years of running the redirector and millions of connections, probably amounts to $10 of electricity. HTTPS is dirt-cheap. No need to overthink it. Brian |
Hi,
Yes, it is. However, in our case, all servers (redirector and data servers) see exactly the same filesystem (a BeeFGS). The multiple dataservers are only used to increase the bandwidth, distribute the load and have a failover mechanism if a dataserver fails.
Many thanks for this additional input! This is good to know. Right now, our redirector VM only has a single core dedicated to it, maybe this will really suffice then. Cheers and all the best, |
To add on this issue... or maybe it is a new one?
This also seems like parsing URI encoding was broken - my full name is "Oliver Freyermuth", so somehow the space messed things up. This was after the following happened:
Things work again if I specify:
on the manager, effectively forcing double authentication (and preventing those URI parameters in the redirect to the data-server). |
Hi, It's fixed now. If the filenames have spaces the kXR_mv request needs an additional field
|
Hi, |
I am only 99% sure this is an xrootd issue, so I am first reporting this here...
Following setup (all xrootd 4.7):
xrootd.somedomain
with ip address:IPv4ADDRESSOFMGR
xrootd001.somedomain
with ip address:IPv4ADDRESSOFDS
IPv4ADDRESSOFCLIENT
Both servers contain in their configuration (amongst some authentication stuff):
Now I run:
I get (abbreviated a bit):
So far, so good, self-redirection to http with a temporary key. Please note that the redacted
xrdhttpdn
is nicely URL escaped.Now, I see:
Still fine, also here, the redacted
xrdhttpdn
is nicely URL escaped.Now, I receive:
Here:
Now, davix shows:
and gives up - no request ever hits the data server.
Am I missing something, or is this a bug in xrdhttp?
The text was updated successfully, but these errors were encountered: