XRootD advice needed

Wile_E_Coyote · September 10, 2022, 9:30am

I want to access ROOT files like that (note: “eosuser”, not “eospublic”):

root root://eosuser.cern.ch//eos/user/s/somebody/example/data/file.root

What would “somebody” need to do to allow other people to access such files remotely?
Assume two cases:

I have no “lxplus” account (I only know the “full path” to the files),
I have a “lxplus” account, and I can access these files when I’m logged in via ssh there (i.e., “ls /eos/user/s/somebody/example/data” works fine).

Thanks in advance,
Wile E.

eguiraud · September 10, 2022, 1:05pm

this is more a question for EOS/cernbox developers than for ROOT devs, but I think on “somebody”'s side they need to share the file with you or with an e-group you are part of (e.g. via the interface at https://cernbox.cern.ch) and then on your side you need to create a kerberos ticket that xrootd can pick up to authenticate you.

For example this is me trying to access a file in my EOS space from my laptop, from outside CERN, without and with an appropriate kerberos ticket:

~ klist
klist: No credentials cache found (filename: /tmp/krb5cc_1000)
~ root -l -b -q -e 'TFile::Open("root://eosuser.cern.ch//eos/user/e/eguiraud/Run2012BC_DoubleMuParked_Muons.root")'

Error in <TNetXNGFile::Open>: [ERROR] Server responded with an error: [3010] Unable to give access - user access restricted - unauthorized identity used ; Permission denied

(TFile *) nullptr

~ kinit -f eguiraud@CERN.CH
Password for eguiraud@CERN.CH:
~ root -l -b -q -e 'TFile::Open("root://eosuser.cern.ch//eos/user/e/eguiraud/Run2012BC_DoubleMuParked_Muons.root")'

(TFile *) 0x557ab8ca3680

Cheers,
Enrico

Wile_E_Coyote · September 10, 2022, 2:32pm

@eguiraud Thanks. Your solution works only for people who have an account on “lxplus” AND the Kerberos utilities (i.e., kinit) are installed on the remote machine, which is usually not the case (when I say “remote machine”, I don’t mean a laptop, of course).

In principle, I am looking for a way to let “anonymous” users access these files (and in case one also has an account on “lxplus”, without requiring kerberos).

As a side note … it’s already been asked several times … why don’t you create a plugin handler for “ssh://”?

eguiraud · September 10, 2022, 2:36pm

I am not sure that’s possible, but that’s really a question for EOS/cernbox devs.

@pcanal or @Axel are the right people to comment here, let’s ping them (and feel free to open a dedicated issue with the feature request on GitHub).

Cheers,
Enrico

Axel · September 10, 2022, 4:00pm

You can use /eospublic (not sure why that’s not an option) or create a “web page” from your eos space - IIRC http doesn’t have the rate limit that /eospublic has?

Re ssh plugin: yes why not. I don’t know what it would take. I think we should call that out as a possible contribution; I don’t expect us to squeeze that into our plans. We’ll need a feature request on GitHub with the “help wanted” (or whatever we call that) label.

Wile_E_Coyote · September 10, 2022, 5:18pm

I think “eospublic” was not feasible due to space quota (or something like this).

@Axel If you know how to make a “web page” out of the “/eos/user/s/somebody/example/data” directory (for “root https://.../file.root” access), please let me know.

Axel · September 12, 2022, 10:19am

See https://webeos.docs.cern.ch/