Example 1 with XrootdTpcInfo
use of org.dcache.xrootd.tpc.XrootdTpcInfo in project dcache by dCache.
the class XrootdDoor method createOrGetRendezvousInfo.
public XrootdTpcInfo createOrGetRendezvousInfo(String key) {
synchronized (_tpcFdIndex) {
XrootdTpcInfo info = _tpcInfo.get(key);
if (info == null) {
info = new XrootdTpcInfo(key);
_tpcInfo.put(key, info);
Integer next = _tpcPlaceholder.getAndIncrement();
_tpcFdIndex.put(next, key);
info.setFd(next);
_log.debug("Added fhandle {} for key {}.", next, key);
}
_log.debug("info {} for key {}.", info, key);
return info;
}
}
Also used :
AtomicInteger(java.util.concurrent.atomic.AtomicInteger)
XrootdTpcInfo(org.dcache.xrootd.tpc.XrootdTpcInfo)
Example 2 with XrootdTpcInfo
use of org.dcache.xrootd.tpc.XrootdTpcInfo in project dcache by dCache.
the class XrootdRedirectHandler method conditionallyHandleThirdPartyRequest.
/**
* <p>Special handling of third-party requests. Distinguishes among
* several different cases for the open and either returns a response directly to the caller or
* proceeds with the usual mover open and redirect to the pool by returning <code>null</code>.
* Also verifies the rendezvous information in the case of the destination server contacting
* dCache as source.</p>
*
* <p>With the modified TPC lite (delegation) protocol, there is no
* need to wait for the rendezvous destination check by comparing the open from the source.</p>
*
* <p>There is also the case where no delegated proxy exists but
* a different authentication protocol (like ZTN/scitokens) is being used. It seems that even
* with delegation in this case the initiating client does not call open. A check for authz in
* the opaque data has been added (03/21/2021).</p>
*/
private XrootdResponse<OpenRequest> conditionallyHandleThirdPartyRequest(OpenRequest req, LoginSessionInfo loginSessionInfo, Map<String, String> opaque, FsPath fsPath, String remoteHost) throws CacheException, XrootdException, ParseException {
if (!_door.isReadAllowed(fsPath)) {
throw new PermissionDeniedCacheException("Read permission denied");
}
Subject subject = loginSessionInfo.getSubject();
Restriction restriction = loginSessionInfo.getRestriction();
if ("placement".equals(opaque.get("tpc.stage"))) {
FileStatus status = _door.getFileStatus(fsPath, subject, restriction, remoteHost);
int fd = _door.nextTpcPlaceholder();
_log.debug("placement response to {} sent to {} with fhandle {}.", req, remoteHost, fd);
return new OpenResponse(req, fd, null, null, status);
}
String tpcKey = opaque.get("tpc.key");
if (tpcKey == null) {
_log.debug("{} –– not a third-party request.", req);
// proceed as usual with mover + redirect
return null;
}
if (opaque.containsKey(Cgi.AUTHZ.key())) {
_log.debug("{} –– request contains authorization token.", req);
// proceed as usual with mover + redirect
return null;
}
enforceClientTlsIfDestinationRequiresItForTpc(opaque);
/*
* Check the session for the delegated credential to avoid hanging
* in the case that tpc cgi have been passed by the destination
* server even with TPC with delegation.
*/
if (req.getSession().getDelegatedCredential() != null) {
_log.debug("{} –– third-party request with delegation.", req);
// proceed as usual with mover + redirect
return null;
}
String slfn = req.getPath();
XrootdTpcInfo info = _door.createOrGetRendezvousInfo(tpcKey);
/*
* The request originated from the TPC destination server.
* If the client has not yet opened the file here,
* tells the destination to wait. If the verification, including
* time to live, fails, the request is cancelled. Otherwise,
* the destination is allowed to open the mover and get the
* normal redirect response.
*
* Note that the tpc info is created by either the client or the
* server, whichever gets here first. Verification of the key
* itself is implicit (it has been found in the map); correctness is
* further satisfied by matching org, host and file name.
*/
if (opaque.containsKey("tpc.org")) {
info.addInfoFromOpaque(slfn, opaque);
switch(info.verify(remoteHost, slfn, opaque.get("tpc.org"))) {
case READY:
_log.debug("Open request {} from destination server, info {}: " + "OK to proceed.", req, info);
/*
* This means that the destination server open arrived
* second, the client server open succeeded with
* the correct permissions; proceed as usual
* with mover + redirect.
*/
return null;
case PENDING:
_log.debug("Open request {} from destination server, info {}: " + "PENDING client open.", req, info);
/*
* This means that the destination server open arrived
* first; return a wait-retry reply.
*/
return new AwaitAsyncResponse<>(req, 3);
case CANCELLED:
String error = info.isExpired() ? "ttl expired" : "dst, path or org" + " did not match";
_log.warn("Open request {} from destination server, info {}: " + "CANCELLED: {}.", req, info, error);
_door.removeTpcPlaceholder(info.getFd());
return withError(req, kXR_InvalidRequest, "tpc rendezvous for " + tpcKey + ": " + error);
case ERROR:
/*
* This means that the destination server requested open
* before the client did, and the client did not have
* read permissions on this file.
*/
error = "invalid open request (file permissions).";
_log.warn("Open request {} from destination server, info {}: " + "ERROR: {}.", req, info, error);
_door.removeTpcPlaceholder(info.getFd());
return withError(req, kXR_InvalidRequest, "tpc rendezvous for " + tpcKey + ": " + error);
}
}
/*
* The request originated from the TPC client, indicating door
* is the source.
*/
if (opaque.containsKey("tpc.dst")) {
_log.debug("Open request {} from client to door as source, " + "info {}: OK.", req, info);
FileStatus status = _door.getFileStatus(fsPath, subject, restriction, remoteHost);
int flags = status.getFlags();
if ((flags & kXR_readable) != kXR_readable) {
/*
* Update the info with ERROR, so when the destination checks
* it, an error can be returned.
*/
info.setStatus(Status.ERROR);
return withError(req, kXR_InvalidRequest, "not allowed to read file.");
}
info.addInfoFromOpaque(slfn, opaque);
return new OpenResponse(req, info.getFd(), null, null, status);
}
/*
* The request originated from the TPC client, indicating door
* is the destination.
*
* First check for TLS capability if this is required.
*
* Remove the rendezvous info (not needed),
* allow mover to start and redirect the client to the pool.
*
* It is not necessary to delegate the tpc information through the
* protocol, particularly the rendezvous key, because it is part of
* the opaque data, and if any of the opaque tpc info is missing
* from redirected call to the pool, the transfer will fail.
*
* However, the calling method will need to fetch a delegated
* proxy credential and add that to the protocol.
*/
if (opaque.containsKey("tpc.src")) {
_log.debug("Open request {} from client to door as destination: OK;" + "removing info {}.", req, info);
_door.removeTpcPlaceholder(info.getFd());
// proceed as usual with mover + redirect
return null;
}
/*
* Something went wrong.
*/
String error = String.format("Request metadata is invalid: %s: %s, %s.", req, fsPath, remoteHost);
throw new CacheException(CacheException.THIRD_PARTY_TRANSFER_FAILED, error);
}
Also used :
Restriction(org.dcache.auth.attributes.Restriction)
PermissionDeniedCacheException(diskCacheV111.util.PermissionDeniedCacheException)
AwaitAsyncResponse(org.dcache.xrootd.protocol.messages.AwaitAsyncResponse)
FileStatus(org.dcache.xrootd.util.FileStatus)
XrootdTpcInfo(org.dcache.xrootd.tpc.XrootdTpcInfo)
FileIsNewCacheException(diskCacheV111.util.FileIsNewCacheException)
FileExistsCacheException(diskCacheV111.util.FileExistsCacheException)
FileNotFoundCacheException(diskCacheV111.util.FileNotFoundCacheException)
NotFileCacheException(diskCacheV111.util.NotFileCacheException)
TimeoutCacheException(diskCacheV111.util.TimeoutCacheException)
CacheException(diskCacheV111.util.CacheException)
PermissionDeniedCacheException(diskCacheV111.util.PermissionDeniedCacheException)
OpenResponse(org.dcache.xrootd.protocol.messages.OpenResponse)
Subject(javax.security.auth.Subject)
Example 3 with XrootdTpcInfo
use of org.dcache.xrootd.tpc.XrootdTpcInfo in project dcache by dCache.
the class XrootdPoolRequestHandler method doOnOpen.
/**
* Obtains the right mover channel using an opaque token in the request. The mover channel is
* wrapped by a file descriptor. The file descriptor is stored for subsequent access.
* <p>
* In the case that this is a write request as destination in a third party copy, a third-party
* client is started. The client issues login, open and read requests to the source server, and
* writes the responses to the file descriptor.
* <p>
* The third-party client also sends a sync response back to the client when the transfer has
* completed.
*/
@Override
protected XrootdResponse<OpenRequest> doOnOpen(ChannelHandlerContext ctx, OpenRequest msg) throws XrootdException {
try {
Map<String, String> opaqueMap = getOpaqueMap(msg.getOpaque());
UUID uuid = getUuid(opaqueMap);
if (uuid == null) {
_log.info("Request to open {} contains no UUID.", msg.getPath());
throw new XrootdException(kXR_NotAuthorized, "Request lacks the " + UUID_PREFIX + " property.");
}
enforceClientTlsIfDestinationRequiresItForTpc(opaqueMap);
NettyTransferService<XrootdProtocolInfo>.NettyMoverChannel file = _server.openFile(uuid, false);
if (file == null) {
_log.info("No mover found for {} with UUID {}.", msg.getPath(), uuid);
return redirectToDoor(ctx, msg, () -> {
throw new XrootdException(kXR_NotAuthorized, UUID_PREFIX + " is no longer valid.");
});
}
/*
* Stop any timer in case this is a reconnect.
*/
_server.cancelReconnectTimeoutForMover(uuid);
_log.debug("doOnOpen, called cancel on reconnect timers for {}", uuid);
XrootdProtocolInfo protocolInfo = file.getProtocolInfo();
try {
FileDescriptor descriptor;
boolean isWrite = file.getIoMode().contains(StandardOpenOption.WRITE);
if (msg.isNew() && !isWrite) {
throw new XrootdException(kXR_FileNotOpen, "File exists.");
} else if (msg.isDelete() && !isWrite) {
throw new XrootdException(kXR_Unsupported, "File exists.");
/*
* Some clients express only kXR_delete when then intend to write
* so we need to consider delete as a write request here.
*/
} else if ((msg.isNew() || msg.isReadWrite() || msg.isDelete()) && isWrite) {
boolean posc = (msg.getOptions() & kXR_posc) == kXR_posc || protocolInfo.getFlags().contains(XrootdProtocolInfo.Flags.POSC);
if (opaqueMap.containsKey("tpc.src")) {
_log.debug("Request to open {} is as third-party destination.", msg);
XrootdTpcInfo tpcInfo = new XrootdTpcInfo(opaqueMap);
tpcInfo.setDelegatedProxy(protocolInfo.getDelegatedCredential());
tpcInfo.setUid(protocolInfo.getTpcUid());
tpcInfo.setGid(protocolInfo.getTpcGid());
descriptor = new TpcWriteDescriptor(file, posc, ctx, _server, opaqueMap.get("org.dcache.xrootd.client"), tpcInfo, tlsSessionInfo);
} else {
descriptor = new WriteDescriptor(file, posc);
}
} else {
descriptor = new ReadDescriptor(file);
}
FileStatus stat = msg.isRetStat() ? stat(file) : null;
int fd = addDescriptor(descriptor);
_redirectingDoor = protocolInfo.getDoorAddress();
file = null;
_hasOpenedFiles = true;
return new OpenResponse(msg, fd, null, null, stat);
} finally {
if (file != null) {
file.release();
}
}
} catch (ParseException e) {
throw new XrootdException(kXR_ArgInvalid, e.getMessage());
} catch (IOException e) {
throw new XrootdException(kXR_IOError, e.getMessage());
}
}
Also used :
NettyTransferService(org.dcache.pool.movers.NettyTransferService)
FileStatus(org.dcache.xrootd.util.FileStatus)
XrootdProtocolInfo(org.dcache.vehicles.XrootdProtocolInfo)
IOException(java.io.IOException)
TpcWriteDescriptor(org.dcache.xrootd.tpc.TpcWriteDescriptor)
XrootdTpcInfo(org.dcache.xrootd.tpc.XrootdTpcInfo)
OpenResponse(org.dcache.xrootd.protocol.messages.OpenResponse)
ParseException(org.dcache.xrootd.util.ParseException)
UUID(java.util.UUID)
XrootdException(org.dcache.xrootd.core.XrootdException)
TpcWriteDescriptor(org.dcache.xrootd.tpc.TpcWriteDescriptor)
Example 4 with XrootdTpcInfo
use of org.dcache.xrootd.tpc.XrootdTpcInfo in project xrootd4j by dCache.
the class UnixClientAuthenticationHandler method doOnAuthenticationResponse.
@Override
protected void doOnAuthenticationResponse(ChannelHandlerContext ctx, InboundAuthenticationResponse response) throws XrootdException {
ChannelId id = ctx.channel().id();
int status = response.getStatus();
int streamId = client.getStreamId();
XrootdTpcInfo tpcInfo = client.getInfo();
switch(status) {
case kXR_ok:
LOGGER.debug("Authentication to {}, channel {}, stream {}, " + "sessionId {} succeeded; " + "passing to next handler.", tpcInfo.getSrc(), id, streamId, client.getSessionId());
ctx.fireChannelRead(response);
break;
default:
throw new XrootdException(kXR_error, "failed with status " + status);
}
}
Also used :
XrootdTpcInfo(org.dcache.xrootd.tpc.XrootdTpcInfo)
ChannelId(io.netty.channel.ChannelId)
XrootdException(org.dcache.xrootd.core.XrootdException)
Example 5 with XrootdTpcInfo
use of org.dcache.xrootd.tpc.XrootdTpcInfo in project xrootd4j by dCache.
the class GSIClientAuthenticationHandler method doOnAuthenticationResponse.
protected void doOnAuthenticationResponse(ChannelHandlerContext ctx, InboundAuthenticationResponse response) throws XrootdException {
/*
* handler will have been constructed on first
* sendAuthenticationRequest call
*/
if (requestHandler.isRequestExpired()) {
throw new XrootdException(kXR_InvalidRequest, "Authentication request response time expired.");
}
ChannelId id = ctx.channel().id();
int status = response.getStatus();
int streamId = client.getStreamId();
XrootdTpcInfo tpcInfo = client.getInfo();
switch(status) {
case kXR_ok:
LOGGER.debug("Authentication to {}, channel {}, stream {}, " + "sessionId {} succeeded; " + "passing to next handler.", tpcInfo.getSrc(), id, streamId, client.getSessionId());
ctx.fireChannelRead(response);
break;
case kXR_authmore:
LOGGER.debug("Authentication to {}, channel {}, stream {}, " + "sessionId {}, " + "proceeding to next step.", tpcInfo.getSrc(), id, streamId, client.getSessionId());
client.setAuthResponse(response);
sendAuthenticationRequest(ctx);
break;
default:
throw new XrootdException(kGSErrBadOpt, "wrong status from GSI authentication " + "response: " + status);
}
}
Also used :
XrootdTpcInfo(org.dcache.xrootd.tpc.XrootdTpcInfo)
XrootdException(org.dcache.xrootd.core.XrootdException)
ChannelId(io.netty.channel.ChannelId)
Aggregations
XrootdTpcInfo (org.dcache.xrootd.tpc.XrootdTpcInfo)7
XrootdException (org.dcache.xrootd.core.XrootdException)5
ChannelId (io.netty.channel.ChannelId)4
OpenResponse (org.dcache.xrootd.protocol.messages.OpenResponse)2
FileStatus (org.dcache.xrootd.util.FileStatus)2
CacheException (diskCacheV111.util.CacheException)1
FileExistsCacheException (diskCacheV111.util.FileExistsCacheException)1
FileIsNewCacheException (diskCacheV111.util.FileIsNewCacheException)1
FileNotFoundCacheException (diskCacheV111.util.FileNotFoundCacheException)1
NotFileCacheException (diskCacheV111.util.NotFileCacheException)1
PermissionDeniedCacheException (diskCacheV111.util.PermissionDeniedCacheException)1
TimeoutCacheException (diskCacheV111.util.TimeoutCacheException)1
IOException (java.io.IOException)1
UUID (java.util.UUID)1
AtomicInteger (java.util.concurrent.atomic.AtomicInteger)1
Subject (javax.security.auth.Subject)1
Restriction (org.dcache.auth.attributes.Restriction)1
NettyTransferService (org.dcache.pool.movers.NettyTransferService)1
XrootdProtocolInfo (org.dcache.vehicles.XrootdProtocolInfo)1
BucketData (org.dcache.xrootd.plugins.authn.gsi.GSIBucketUtils.BucketData)1
