davix-client fails to follow redirection => missing urlencoding in xrdhttp-redirection?

[olifre]

I am only 99% sure this is an xrootd issue, so I am first reporting this here...

Following setup (all xrootd 4.7):

• Manager xrootd.somedomain with ip address: IPv4ADDRESSOFMGR
• Data server xrootd001.somedomain with ip address: IPv4ADDRESSOFDS
• Some client to test, with ip address IPv4ADDRESSOFCLIENT

Both servers contain in their configuration (amongst some authentication stuff):

all.manager xrootd.somedomain:1213
all.role server
all.role manager if xrootd.somedomain
http.selfhttps2http yes
desthttps no
if exec xrootd
xrd.protocol XrdHttp /usr/lib64/libXrdHttp.so
fi
http.secretkey REDACTED

Now I run:

davix-ls --debug -P Grid https://xrootd.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk/

I get (abbreviated a bit):

> PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk/ HTTP/1.1
> Host: xrootd.somedomain:1094
[... Lots of SSL handling which goes well...]
< HTTP/1.1 302 Redirect
< Content-Length: 0
< Location: http://[::ffff:IPv4ADDRESSOFMGR]:1094/beegfs/grid/atlas/atlaslocalgroupdisk/?xrdhttptk=s6Q7i5fjNHzy17b/z/2hXA==&xrdhttptime=1504543303&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=REDACTED

So far, so good, self-redirection to http with a temporary key. Please note that the redacted xrdhttpdn is nicely URL escaped.

Now, I see:

> PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk/?xrdhttptk=s6Q7i5fjNHzy17b/z/2hXA==&xrdhttptime=1504543303&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=REDACTED HTTP/1.1
> User-Agent: libdavix/0.6.4 neon/0.0.29

Still fine, also here, the redacted xrdhttpdn is nicely URL escaped.

Now, I receive:

< HTTP/1.1 302 Redirect
< Content-Length: 0
< Location: http://xrootd001.physik.uni-bonn.de:1094/beegfs/grid/atlas/atlaslocalgroupdisk/?xrdhttptk=s6Q7i5fjNHzy17b/z/2hXA==&xrdhttptime=1504543303&xrdhttpname=Oliver Freyermuth&xrdhttpvorg=atlas&xrdhttphost=[::ffff:IPv4ADDRESSOFCLIENT]&xrdhttpdn=/C=DE/O=GermanGrid/REMAININGPARTREDACTED

Here:

• xrdhttphost is not urlencoded.
• xrdhttpdn is not urlencoded.

Now, davix shows:

(Davix::HttpRequest) Error: Impossible to get the new redirected destination

and gives up - no request ever hits the data server.

Am I missing something, or is this a bug in xrdhttp?

[xrootd-dev]

Hi, at a first sight I'd agree with you. I can have a deeper look tomorrow. For the records, which version of Davix are you using? Have you also tried with curl ? Thank you very much for the report Fabrizio

…

On 04.09.17 18:51, olifre wrote: I am only 99% sure this is an xrootd issue, so I am first reporting this here... Following setup (all xrootd 4.7): * Manager |xrootd.somedomain| with ip address: |IPv4ADDRESSOFMGR| * Data server |xrootd001.somedomain| with ip address: |IPv4ADDRESSOFDS| * Some client to test, with ip address |IPv4ADDRESSOFCLIENT| Both servers contain in their configuration (amongst some authentication stuff): |all.manager xrootd.somedomain:1213 all.role server all.role manager if xrootd.somedomain http.selfhttps2http yes desthttps no if exec xrootd xrd.protocol XrdHttp /usr/lib64/libXrdHttp.so fi http.secretkey REDACTED | Now I run: |davix-ls --debug -P Grid https://xrootd.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk/ | I get (abbreviated a bit): |> PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk/ HTTP/1.1 > Host: xrootd.somedomain:1094 [... Lots of SSL handling which goes well...] < HTTP/1.1 302 Redirect < Content-Length: 0 < Location: http://[::ffff:IPv4ADDRESSOFMGR]:1094/beegfs/grid/atlas/atlaslocalgroupdisk/?xrdhttptk=s6Q7i5fjNHzy17b/z/2hXA==&xrdhttptime=1504543303&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=REDACTED | So far, so good, self-redirection to http with a temporary key. Please note that the redacted |xrdhttpdn| is nicely URL escaped. Now, I see: |> PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk/?xrdhttptk=s6Q7i5fjNHzy17b/z/2hXA==&xrdhttptime=1504543303&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=REDACTED HTTP/1.1 > User-Agent: libdavix/0.6.4 neon/0.0.29 | Still fine, also here, the redacted |xrdhttpdn| is nicely URL escaped. Now, I receive: |< HTTP/1.1 302 Redirect < Content-Length: 0 < Location: http://xrootd001.physik.uni-bonn.de:1094/beegfs/grid/atlas/atlaslocalgroupdisk/?xrdhttptk=s6Q7i5fjNHzy17b/z/2hXA==&xrdhttptime=1504543303&xrdhttpname=Oliver Freyermuth&xrdhttpvorg=atlas&xrdhttphost=[::ffff:IPv4ADDRESSOFCLIENT]&xrdhttpdn=/C=DE/O=GermanGrid/REMAININGPARTREDACTED | Here: * xrdhttphost is not urlencoded. * xrdhttpdn is not urlencoded. Now, davix shows: |(Davix::HttpRequest) Error: Impossible to get the new redirected destination | and gives up - no request ever hits the data server. Am I missing something, or is this a bug in xrdhttp? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#577>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AD7YjglL-Z5hIyXKlO92ITL8aGAoFowdks5sfCqXgaJpZM4PMHkn>. ------------------------------------------------------------------------ Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1

[olifre]

For the records, which version of Davix are you using?

$ davix-ls --version                                                                                    
Version: 0.6.6-

Have you also tried with curl ?

I did that just now, here we go... Looks the same...

curl -E /tmp/x509up_u1000 -X PROPFIND -vkL https://xrootd.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk
[ ... lots of SSL stuff ... ]
> PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk HTTP/1.1
> Host: xrootd.somedomain:1094
[...]
< HTTP/1.1 302 Redirect
< Content-Length: 0
< Location: http://[::ffff:IPv4ADDRESSOFMGR]:1094/beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=%2FC=DE%2FO=GermanGrid%2FREMAININGPARTREDACTED
[...]
> PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=%2FC=DE%2FO=GermanGrid%2FREMAININGPARTREDACTED HTTP/1.1
[...]
< HTTP/1.1 302 Redirect
< Content-Length: 0
< Location: http://xrootd001.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver Freyermuth&xrdhttpvorg=atlas&xrdhttphost=[::ffff:IPv4ADDRESSOFCLIENT]&xrdhttpdn=/C=DE/O=GermanGrid/REMAININGPARTREDACTED

After that, curl (as it was told) still performs the last, broken request, but receives an empty reply from the server.

[xrootd-dev]

Hi, I am quite puzzled by your trace, because that field is quoted by the code exactly in the same way as the others. So it may be something that is not so evident. I am going to setup a small cluster to debug this. In the meantime, could you please rerun your test once after having set http.trace all in the config file ? I am interested in the redirector log line that says " XrdHttpReq::Redir Redirecting to ...". Is that URL correctly quoted ? It should be. At the same time, you may want to try working around this issue, by disabling https in the redirector, and enabling it only in the data servers. This would also have the advantage of spreading the load of the SSL handshake through many machines, hence removing a performance bottleneck. Cheers Fabrizio

…

On 09/04/2017 08:42 PM, olifre wrote: For the records, which version of Davix are you using? |$ davix-ls --version Version: 0.6.6- | Have you also tried with curl ? I did that just now, here we go... Looks the same... |curl -E /tmp/x509up_u1000 -X PROPFIND -vkL https://xrootd.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk [ ... lots of SSL stuff ... ] > PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk HTTP/1.1 > Host: xrootd.somedomain:1094 [...] < HTTP/1.1 302 Redirect < Content-Length: 0 < Location: http://[::ffff:IPv4ADDRESSOFMGR]:1094/beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=%2FC=DE%2FO=GermanGrid%2FREMAININGPARTREDACTED [...] > PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=%2FC=DE%2FO=GermanGrid%2FREMAININGPARTREDACTED HTTP/1.1 [...] < HTTP/1.1 302 Redirect < Content-Length: 0 < Location: http://xrootd001.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver Freyermuth&xrdhttpvorg=atlas&xrdhttphost=[::ffff:IPv4ADDRESSOFCLIENT]&xrdhttpdn=/C=DE/O=GermanGrid/REMAININGPARTREDACTED | After that, curl (as it was told) still performs the last, broken request, but receives an empty reply from the server. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#577 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AD7YjpzSSKrcImbfT1zOtvkGn5qk6hgDks5sfESGgaJpZM4PMHkn>. -------------------------------------------------------------------------------------------------------------------------------- Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1

[xrootd-dev]

Hi again, it seems that I am not able to reproduce your issue in my setup. I have one redirector (port 1095) and one data server (port 1094). In my case the redirections are properly quoted, and the client is happy. I'd like to understand your case, though. Do you see any obvious hint for differences between our setups ? Would you mind sending me a debug log (-d) of the manager xrootd daemon showing the initialization and just one of these strange interactions ? Cheers f

---------------------------------------------------------- here a summary $ davix-http -X PROPFIND --trace header -P grid davs://littlexrdhttp.cern.ch:1095/auth.log --retry 0 HTTP session to https://littlexrdhttp.cern.ch:1095 begins.

PROPFIND /auth.log HTTP/1.1 User-Agent: libdavix/0.6.6 neon/0.0.29 Keep-Alive: Connection: Keep-Alive TE: trailers Host: littlexrdhttp.cern.ch:1095

< HTTP/1.1 302 Redirect < Content-Length: 0 < Location: http://[::ffff:128.142.135.19]:1095/auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051 < HTTP session to http://[::ffff:128.142.135.19]:1095 begins.

PROPFIND

/auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051 HTTP/1.1

User-Agent: libdavix/0.6.6 neon/0.0.29 Keep-Alive: Connection: Keep-Alive TE: trailers Host: [::ffff:128.142.135.19]:1095

< HTTP/1.1 302 Redirect < Content-Length: 0 < Location: http://littlexrdhttp.cern.ch:1094/auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051 < HTTP session to http://littlexrdhttp.cern.ch:1094 begins.

PROPFIND

/auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051 HTTP/1.1

User-Agent: libdavix/0.6.6 neon/0.0.29 Keep-Alive: Connection: Keep-Alive TE: trailers Host: littlexrdhttp.cern.ch:1094

.... and then it gets the correct response ----------------------------------------------------------------------------

…

On 09/05/2017 02:08 PM, Fabrizio Furano wrote: Hi, I am quite puzzled by your trace, because that field is quoted by the code exactly in the same way as the others. So it may be something that is not so evident. I am going to setup a small cluster to debug this. In the meantime, could you please rerun your test once after having set http.trace all in the config file ? I am interested in the redirector log line that says " XrdHttpReq::Redir Redirecting to ...". Is that URL correctly quoted ? It should be. At the same time, you may want to try working around this issue, by disabling https in the redirector, and enabling it only in the data servers. This would also have the advantage of spreading the load of the SSL handshake through many machines, hence removing a performance bottleneck. Cheers Fabrizio On 09/04/2017 08:42 PM, olifre wrote: > For the records, which version of Davix are you using? > > |$ davix-ls --version Version: 0.6.6- | > > Have you also tried with curl ? > I did that just now, here we go... Looks the same... > > |curl -E /tmp/x509up_u1000 -X PROPFIND -vkL https://xrootd.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk [ ... lots of > SSL stuff ... ] > PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk HTTP/1.1 > Host: xrootd.somedomain:1094 [...] < HTTP/1.1 302 > Redirect < Content-Length: 0 < Location: > http://[::ffff:IPv4ADDRESSOFMGR]:1094/beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=%2FC=DE%2FO=GermanGrid%2FREMAININGPARTREDACTED > [...] > PROPFIND > /beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=%2FC=DE%2FO=GermanGrid%2FREMAININGPARTREDACTED > HTTP/1.1 [...] < HTTP/1.1 302 Redirect < Content-Length: 0 < Location: > http://xrootd001.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver > Freyermuth&xrdhttpvorg=atlas&xrdhttphost=[::ffff:IPv4ADDRESSOFCLIENT]&xrdhttpdn=/C=DE/O=GermanGrid/REMAININGPARTREDACTED | > > After that, curl (as it was told) still performs the last, broken request, but receives an empty reply from the server. > > — > You are receiving this because you commented. > Reply to this email directly, view it on GitHub <#577 (comment)>, or mute > the thread <https://github.com/notifications/unsubscribe-auth/AD7YjpzSSKrcImbfT1zOtvkGn5qk6hgDks5sfESGgaJpZM4PMHkn>. > > > -------------------------------------------------------------------------------------------------------------------------------- > > Use REPLY-ALL to reply to list > > To unsubscribe from the XROOTD-DEV list, click the following link: > https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1 > ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1

[xrootd-dev]

Got it. My little cluster was running my personal fork, built by our section's build system. If I install the packages from epel-testing then I get the same error as you. I suspect some issues in passing through the pull request or merges or whatever. In they they should be the same code. < HTTP/1.1 302 Redirect < Content-Length: 0 < Location: http://littlexrdhttp.cern.ch:1094/auth.log?xrdhttptk=1KyxUOcw66gr1cIEZlHbEA==&xrdhttptime=1504623851&xrdhttpname=/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=furano/CN=644746/CN=Fabrizio Furano&xrdhttpvorg=atlas&xrdhttphost=[::ffff:188.184.88.253]&xrdhttpdn=/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=furano/CN=644746/CN=Fabrizio Furano/CN=489070051 <

…

On 09/05/2017 03:58 PM, Fabrizio Furano wrote: Hi again, it seems that I am not able to reproduce your issue in my setup. I have one redirector (port 1095) and one data server (port 1094). In my case the redirections are properly quoted, and the client is happy. I'd like to understand your case, though. Do you see any obvious hint for differences between our setups ? Would you mind sending me a debug log (-d) of the manager xrootd daemon showing the initialization and just one of these strange interactions ? Cheers f ---------------------------------------------------------- here a summary $ davix-http -X PROPFIND --trace header -P grid davs://littlexrdhttp.cern.ch:1095/auth.log --retry 0 HTTP session to https://littlexrdhttp.cern.ch:1095 begins. > PROPFIND /auth.log HTTP/1.1 > User-Agent: libdavix/0.6.6 neon/0.0.29 > Keep-Alive: > Connection: Keep-Alive > TE: trailers > Host: littlexrdhttp.cern.ch:1095 > < HTTP/1.1 302 Redirect < Content-Length: 0 < Location: http://[::ffff:128.142.135.19]:1095/auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051 < HTTP session to http://[::ffff:128.142.135.19]:1095 begins. > PROPFIND /auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051 HTTP/1.1 > User-Agent: libdavix/0.6.6 neon/0.0.29 > Keep-Alive: > Connection: Keep-Alive > TE: trailers > Host: [::ffff:128.142.135.19]:1095 > < HTTP/1.1 302 Redirect < Content-Length: 0 < Location: http://littlexrdhttp.cern.ch:1094/auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051 < HTTP session to http://littlexrdhttp.cern.ch:1094 begins. > PROPFIND /auth.log?xrdhttptk=kyIwD+udIrHZXpWvrNsFgg==&xrdhttptime=1504619409&xrdhttpname=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3A188.184.88.253%5D&xrdhttpdn=%2FDC=ch%2FDC=cern%2FOU=Organic%20Units%2FOU=Users%2FCN=furano%2FCN=644746%2FCN=Fabrizio%20Furano%2FCN=489070051 HTTP/1.1 > User-Agent: libdavix/0.6.6 neon/0.0.29 > Keep-Alive: > Connection: Keep-Alive > TE: trailers > Host: littlexrdhttp.cern.ch:1094 > .... and then it gets the correct response ---------------------------------------------------------------------------- On 09/05/2017 02:08 PM, Fabrizio Furano wrote: > Hi, > > I am quite puzzled by your trace, because that field is quoted by the > code exactly in the same way as the others. So it may be something that is not > so evident. I am going to setup a small cluster to debug this. > > In the meantime, could you please rerun your test once after having set > > http.trace all > > in the config file ? > I am interested in the redirector log line that says " XrdHttpReq::Redir Redirecting to ...". > Is that URL correctly quoted ? It should be. > > At the same time, you may want to try working around this issue, by disabling > https in the redirector, and enabling it only in the data servers. This would > also have the advantage of spreading the load of the SSL handshake through > many machines, hence removing a performance bottleneck. > > Cheers > Fabrizio > > > > On 09/04/2017 08:42 PM, olifre wrote: >> For the records, which version of Davix are you using? >> >> |$ davix-ls --version Version: 0.6.6- | >> >> Have you also tried with curl ? >> I did that just now, here we go... Looks the same... >> >> |curl -E /tmp/x509up_u1000 -X PROPFIND -vkL https://xrootd.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk [ ... lots of >> SSL stuff ... ] > PROPFIND /beegfs/grid/atlas/atlaslocalgroupdisk HTTP/1.1 > Host: xrootd.somedomain:1094 [...] < HTTP/1.1 302 >> Redirect < Content-Length: 0 < Location: >> http://[::ffff:IPv4ADDRESSOFMGR]:1094/beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=%2FC=DE%2FO=GermanGrid%2FREMAININGPARTREDACTED >> [...] > PROPFIND >> /beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver%20Freyermuth&xrdhttpvorg=atlas&xrdhttphost=%5B%3A%3Affff%3AIPv4ADDRESSOFCLIENT%5D&xrdhttpdn=%2FC=DE%2FO=GermanGrid%2FREMAININGPARTREDACTED >> HTTP/1.1 [...] < HTTP/1.1 302 Redirect < Content-Length: 0 < Location: >> http://xrootd001.somedomain:1094/beegfs/grid/atlas/atlaslocalgroupdisk?xrdhttptk=wgvPwlDDRrv11zRRREiz0g==&xrdhttptime=1504550035&xrdhttpname=Oliver >> Freyermuth&xrdhttpvorg=atlas&xrdhttphost=[::ffff:IPv4ADDRESSOFCLIENT]&xrdhttpdn=/C=DE/O=GermanGrid/REMAININGPARTREDACTED | >> >> After that, curl (as it was told) still performs the last, broken request, but receives an empty reply from the server. >> >> — >> You are receiving this because you commented. >> Reply to this email directly, view it on GitHub <#577 (comment)>, or mute >> the thread <https://github.com/notifications/unsubscribe-auth/AD7YjpzSSKrcImbfT1zOtvkGn5qk6hgDks5sfESGgaJpZM4PMHkn>. >> >> >> -------------------------------------------------------------------------------------------------------------------------------- >> >> Use REPLY-ALL to reply to list >> >> To unsubscribe from the XROOTD-DEV list, click the following link: >> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1 >> > > ######################################################################## > Use REPLY-ALL to reply to list > > To unsubscribe from the XROOTD-DEV list, click the following link: > https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1 > ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1

[olifre]

Hi,

many thanks for taking the effort to try to reproduce!

I have uploaded the logfiles as "gists" here on github, produced using -d and also explicitly setting http.trace all. The client was a usual davix-ls again.

Here the log from the redirector:
https://gist.github.com/olifre/94ca70bf2ff158b78acb3f4ef33de7b8

And here the one from the data server:
https://gist.github.com/olifre/2a2a36d19af801f09406a8ca22a7883e

And here the full config file I use:
https://gist.github.com/olifre/b4cccbafa0006fd58bc822f9256ef3a3

I will of course change the secret key again before entering production with that ;).

[olifre]

I suspect some issues in passing through the pull request or merges or whatever. In they they should be the same code.

Ah, that's good news - at least you don't need to hack through my logs then.
Good luck finding the difference between the two versions!

By the way, I am using epel (not epel-testing) and xrootd-stable and wlcg repositories here. Let me know if you need the exact source used for one of the packages, then I can check.

[xrootd-dev]

Hi, I think I found it It's a tiny bug, linked to enabling the https2http redirection in a manager xrootd. If you disable https2http in the manager (you can keep it in the data servers) then it should just work. Please let me know. BTW enabling https2http in a manager makes very little sense (actually it creates overhead), and this may explain why I did not think at this combination. I will fix it anyway tomorrow, yet I'd say that its release priority is quite low, as it is triggered only in the case of a 'limit' combination, and its workaround is a fixed configuration. Last thought... please let me know if it works now, anyway IMO one should preferably disable https in the redirector and let it just do the redirector http->https. Spreading this kind of load to the disk servers is certainly a more scalable approach. Cheers Fabrizio

…

On 09/05/2017 05:14 PM, olifre wrote: I suspect some issues in passing through the pull request or merges or whatever. In they they should be the same code. Ah, that's good news - at least you don't need to hack through my logs then. Good luck finding the difference between the two versions! By the way, I am using epel (not epel-testing) and xrootd-stable and wlcg repositories here. Let me know if you need the exact source used for one of the packages, then I can check. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#577 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AD7Yjuo77dMklDvPeHmBpDtkqKgjPPHaks5sfWVVgaJpZM4PMHkn>. -------------------------------------------------------------------------------------------------------------------------------- Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1

[olifre]

Hi,

If you disable https2http in the manager (you can keep it in the data servers) then it should just work. Please let me know.

Many thanks! You are correct, removing that on the manager fixes the issue.
You are also right that this option makes little sense, on second thought. Up to the point of actually testing it, my belief was that self.https2http would actually do nothing on the manager (since it is not really useful), but you are fully right, this creates one additional connection which is totally unnecessary.

Last thought... please let me know if it works now, anyway IMO one should preferably disable https in the redirector and let it just do the redirector http->https. Spreading this kind of load to the disk servers is certainly a more scalable approach.

This would be a good point. However, if I do that, how does the redirector know which paths the connecting user is allowed to access (since authentication with client certificate will not take place)?
Testing that in my setup, I get a 404 from the redirector, since it does not authorize the connecting user "none" to list any paths.
Or does it imply I have to effectively allow l to everybody, also unathenticated users, on my redirector for all to-be-exported paths?

Cheers and many thanks,
Oliver

[xrootd-dev]

Hi,

On 05.09.17 18:35, olifre wrote: This would be a good point. However, if I do that, how does the redirector know which paths the connecting user is allowed to access (since authentication with client certificate will not take place)? Testing that in my setup, I get a 404 from the redirector, since it does not authorize the connecting user "none" to list any paths. Or does it imply I have to effectively allow |l| to everybody, also unathenticated users, on my redirector for all to-be-exported paths?

good point too. I assume that you have a vanilla xrootd setup, i.e. one that does not have sophisticated machineries at the redirector like eos or dpm or other name space plugins. You can certainly allow the redirector to serve (redirections) to any user also for listings, since the real permissions would be checked fully by the involved data server, through https. In the case of a vanilla clustered setup, the listings are in general partial (hence they may be of limited usefulness), because they will contain only the files hosted by the data server that happens to be the destination of a redirection. Just to compare, with the xrootd protocol instead the client has a sophisticated logic that reconstructs on the fly a full listing, but with a generic webdav client this is not possible. So, is your cluster a vanilla xrootd+cmsd cluster ? Cheers Fabrizio

[bbockelm]

Hi,

FWIW - we locally require auth on the redirector. The added CPU usage from the redirector, if summed across the years of running the redirector and millions of connections, probably amounts to $10 of electricity.

HTTPS is dirt-cheap. No need to overthink it.

Brian

[olifre]

Hi,

So, is your cluster a vanilla xrootd+cmsd cluster ?

Yes, it is. However, in our case, all servers (redirector and data servers) see exactly the same filesystem (a BeeFGS). The multiple dataservers are only used to increase the bandwidth, distribute the load and have a failover mechanism if a dataserver fails.
Since our setup is meant mainly for R2D2 traffic, I guess the number of actual connections to the redirector will not be too huge (we use a VM as redirector right now). Since we are also an ATLAS T3 only, I think that even if we export some locations for users, they will be used by less than 100 people in total.

FWIW - we locally require auth on the redirector. The added CPU usage from the redirector, if summed across the years of running the redirector and millions of connections, probably amounts to $10 of electricity.

HTTPS is dirt-cheap. No need to overthink it.

Many thanks for this additional input! This is good to know. Right now, our redirector VM only has a single core dedicated to it, maybe this will really suffice then.

Cheers and all the best,
Oliver

[olifre]

To add on this issue... or maybe it is a new one?
Even with https2http disabled on the manager, and http.desthttps no (and shared secret), I get a problem...
While davix-ls and davix-get and davix-put work fine, davix-move from https://manager-address/somefile.root to https://manager-address/somenewfile.root fails with:

< HTTP/1.1 409 Unknown
< Content-Length: 232
<
DAVIX(body): Read block (232 bytes):
[Renaming to relative path 'Freyermuth&xrdhttpvorg=atlasREDACTEDPROXYINFO /full/path/to/file/somefile.root' is disallowed.]
(Davix::mv) Error: HTTP 409 : Conflict, File Exist

This also seems like parsing URI encoding was broken - my full name is "Oliver Freyermuth", so somehow the space messed things up.

This was after the following happened:

> MOVE /full/path/to/file/somenewfile.root HTTP/1.1
> User-Agent: libdavix/0.6.7 neon/0.0.29
> Keep-Alive: 
> Connection: Keep-Alive
> TE: trailers
> Host: manager-name:1094
> Destination: https://manager-name:1094/full/path/to/file/somefile.root'
> 

< HTTP/1.1 302 Redirect
< Content-Length: 0
< Location: http://data-server-6:1094/full/path/to/file/somenewfile.root?xrdhttptk=XXXXXXXXXXXXXX&xrdhttptime=1524518226&xrdhttpname=%2FC=DE%2FO=GermanGrid%2FOU=UniBonn%2FCN=Oliver%20Freyermuth&xrdhttpvorg=atlas&REDACTED
< 
HTTP session to http://data-server-6:1094 begins.
> MOVE /full/path/to/file/somenewfile.root?xrdhttptk=XXXXXXXXXXXXXX&xrdhttptime=1524518226&xrdhttpname=%2FC=DE%2FO=GermanGrid%2FOU=UniBonn%2FCN=Oliver%20Freyermuth&xrdhttpvorg=atlas&REDACTED HTTP/1.1
> User-Agent: libdavix/0.6.7 neon/0.0.29
> Keep-Alive: 
> Connection: Keep-Alive
> TE: trailers
> Host: data-server-6:1094
> Destination: https://manager-name:1094/full/path/to/file/somefile.root
>

Things work again if I specify:

http.desthttps yes

on the manager, effectively forcing double authentication (and preventing those URI parameters in the redirect to the data-server).

[ffurano]

Hi, It's fixed now. If the filenames have spaces the kXR_mv request needs an additional field

---------------------------------------------------------------
-bash-4.1$ davix-ls -l https://littlexrdhttp.cern.ch:1094/ | grep small1
-rwxrwxrwx 0     11         2017-10-04 11:32:14 small1 with spaces

-bash-4.1$ davix-mv -P grid  "https://littlexrdhttp.cern.ch:1094/small1%20with%20spaces" https://littlexrdhttp.cern.ch:1094/small1  --trace header
HTTP session to https://littlexrdhttp.cern.ch:1094 begins.
> MOVE /small1%20with%20spaces HTTP/1.1
> User-Agent: libdavix/0.6.8 neon/0.0.29
> Keep-Alive: 
> Connection: Keep-Alive
> TE: trailers
> Host: littlexrdhttp.cern.ch:1094
> Destination: https://littlexrdhttp.cern.ch:1094/small1
> 

< HTTP/1.1 201 Unknown
< Content-Length: 3
< 
-bash-4.1$ 
-bash-4.1$ 
-bash-4.1$ davix-ls -l https://littlexrdhttp.cern.ch:1094/ | grep small1
-rwxrwxrwx 0     11         2017-10-04 11:32:14 small1
-bash-4.1$ 
--------------------------------------------------------

[ffurano]

Hi,
I think that these issues have been fixed by the recent commits. Please let me know if it's OK for you too.
Cheers
Fabrizio