XRootD advice needed

I want to access ROOT files like that (note: “eosuser”, not “eospublic”):

root root://eosuser.cern.ch//eos/user/s/somebody/example/data/file.root

What would “somebody” need to do to allow other people to access such files remotely?
Assume two cases:

  • I have no “lxplus” account (I only know the “full path” to the files),
  • I have a “lxplus” account, and I can access these files when I’m logged in via ssh there (i.e., “ls /eos/user/s/somebody/example/data” works fine).

Thanks in advance,
Wile E.

Hi @Wile_E_Coyote ,

this is more a question for EOS/cernbox developers than for ROOT devs, but I think on “somebody”'s side they need to share the file with you or with an e-group you are part of (e.g. via the interface at https://cernbox.cern.ch) and then on your side you need to create a kerberos ticket that xrootd can pick up to authenticate you.

For example this is me trying to access a file in my EOS space from my laptop, from outside CERN, without and with an appropriate kerberos ticket:

~ klist
klist: No credentials cache found (filename: /tmp/krb5cc_1000)
~ root -l -b -q -e 'TFile::Open("root://eosuser.cern.ch//eos/user/e/eguiraud/Run2012BC_DoubleMuParked_Muons.root")'

Error in <TNetXNGFile::Open>: [ERROR] Server responded with an error: [3010] Unable to give access - user access restricted - unauthorized identity used ; Permission denied

(TFile *) nullptr

~ kinit -f eguiraud@CERN.CH
Password for eguiraud@CERN.CH:
~ root -l -b -q -e 'TFile::Open("root://eosuser.cern.ch//eos/user/e/eguiraud/Run2012BC_DoubleMuParked_Muons.root")'

(TFile *) 0x557ab8ca3680


@eguiraud Thanks. Your solution works only for people who have an account on “lxplus” AND the Kerberos utilities (i.e., kinit) are installed on the remote machine, which is usually not the case (when I say “remote machine”, I don’t mean a laptop, of course).

In principle, I am looking for a way to let “anonymous” users access these files (and in case one also has an account on “lxplus”, without requiring kerberos).

As a side note … it’s already been asked several times … why don’t you create a plugin handler for “ssh://”?

I am not sure that’s possible, but that’s really a question for EOS/cernbox devs.

@pcanal or @Axel are the right people to comment here, let’s ping them (and feel free to open a dedicated issue with the feature request on GitHub).


You can use /eospublic (not sure why that’s not an option) or create a “web page” from your eos space - IIRC http doesn’t have the rate limit that /eospublic has?

Re ssh plugin: yes why not. I don’t know what it would take. I think we should call that out as a possible contribution; I don’t expect us to squeeze that into our plans. We’ll need a feature request on GitHub with the “help wanted” (or whatever we call that) label.

I think “eospublic” was not feasible due to space quota (or something like this).

@Axel If you know how to make a “web page” out of the “/eos/user/s/somebody/example/data” directory (for “root https://.../file.root” access), please let me know.

See https://webeos.docs.cern.ch/