Your EOS MGM doesn’t have the right credentials for contacting the CTA frontend. Your cta-frontend-xrootd.conf (or equivalent) should have a line like this;
The SSS key referenced in ctafrontend_server_sss.keytab should be present (it may have to be the last entry actually) in the -c argument in the EOS file (/etc/eos.keytab in the example).
I see No mount rules in your error message. For a user to be authorised to use the system they must be mapped by a requestermountrule or a groupmountrule to a mountpolicy.
The scripts we use to set up our CI are a good source for understanding how this fits together.
[root@tpm03 ~]# xrdcp /root/stagetape root://localhost//eos/users/test/
[0B/0B][100%][==================================================][0B/s]
Run: [ERROR] Server responded with an error: [3010] Unable to update file - fobidden by ACL /eos/users/test/stagetape; Operation not permitted (destination)
not sure but it looks to me the tapeserver/frontend doesn’t fetch the updated mount rules?
So you believe the mount rules are fine? Then you may have encountered a known issue we’re working on. Does the problem persist after a restart of the CTA frontend?
Just a quick one, what should be the correct ACLs for the eos folder with the cta attributes? Still getting the ACL error even after configuring a non-root user.
The acls should be as you have them, assuming there’s an entry now for your non-root user (u:<your_user>:rwx+dp) and they have a mount rule and mount policy associated.
Unfortunately not yet. Perhaps it has sth to do with EOS.
[root@tpm03 ~]# xrdcp -f -v -d1 /root/stagetape root://localhost//eos/users/test/
[0B/0B][100%][==================================================][0B/s]
Run: [ERROR] Server responded with an error: [3010] Unable to open file /eos/users/test/stagetape; Operation not permitted (destination)
however:
[root@tpm03 ~]# eos cp /root/stagetape /eos/users/test/stagetape
[eoscp] stagetape Total 0.00 MB |====================| 100.00 % [0.0 MB/s]
error: [SUCCESS]
error: failed copying path=root://localhost//eos/users/test/stagetape
#WARNING [eos-cp] copied 0/1 files and 0 B in 0.05 seconds with 0 B/s
and:
[root@tpm03 ~]# eos ls -y /eos/users/test
d0::t0 -rw-r----- 0 root root 0 Oct 8 17:11 stage
d0::t0 -rw-r----- 0 root root 0 Oct 8 17:49 stagetape
First a general comment - please be careful with anything that might be modifying a file already on CTA. In general we arrange the ACLs so this is not possible. Deletions, updates and writes have different permissions, and the use case we want to support is that a user can write but not subsequently modify a file. Sometimes for testing we relax this though.
So, please send the output of the following, performed as your end user.
eos whoami
eos attr ls /eos/users/test
eos ls -dl /eos/users/test
eos rm /eos/users/test/stage
eos rm /eos/users/test/stagetape
eos cp /root/stagetape /eos/users/test
These permissions errors are coming from EOS, so check /var/log/eos/mgm/xrdlog.mgm for clues. You could also check /var/log/cta/cta-frontend.log, I suspect the archive request is not getting that far but this should be confirmed.
[smeyer@tpm03]~% eos whoami
Secsss (getKeyTab): Unable to open /etc/eos.keytab; Permission denied
Unable to open keytab file.
Secsss (getKeyTab): Unable to open /etc/eos.keytab; Permission denied
Unable to open keytab file.
What you’ve done should be enough, as long as Kerberos itself is configured correctly. We need to get to a point where you can kinit and then run eos whoami and see that you’re mapped to 34570 (assuming that’s your uid).
On the MGM config (typically /etc/xrd.cf.mgm) you need