Consistent error return code for not authorized user #8056

@cfgamboa

Dear all,

On dCache 11.2.3, return codes for clients seem not to be consistent across protocols.
For example, if cgamboa is a username currently included in the ban file:

When using ROOT, the error (gfal-ls error: 52 (Invalid exchange) - Failed to stat file (Invalid exchange)) may need to be improved or be made consistent with the one given when using DAVS.


[cgamboa@spool0104 ~]$ gfal-ls root://dcint-door002.sdcc.bnl.gov/pnfs/usatlas.bnl.gov/cgamboa/
gfal-ls error: 52 (Invalid exchange) - Failed to stat file (Invalid exchange)

[cgamboa@spool0104 ~]$ gfal-copy -f /etc/services roots://dcint-door002.sdcc.bnl.gov/pnfs/usatlas.bnl.gov/cgamboa/test.1
Copying file:///etc/services   [FAILED]  after 0s
gfal-copy error: 52 (Invalid exchange) - Error on XrdCl::CopyProcess::Run(): [FATAL] Auth failed: No protocols left to try (destination)


When using DAVS:

[cgamboa@spool0104 ~]$ gfal-ls davs://dcint-door002.sdcc.bnl.gov/pnfs/usatlas.bnl.gov/cgamboa/test.1
gfal-ls error: 13 (Permission denied) - Result HTTP 401 : Authentication Error  after 1 attempts

[cgamboa@spool0104 ~]$ gfal-copy -f davs://dcint-door002.sdcc.bnl.gov/pnfs/usatlas.bnl.gov/cgamboa/test.1 /dev/null
gfal-copy error: 13 (Permission denied) - Could not stat the source: Result HTTP 401 : Authentication Error  after 1 attempts

Testing a banned user (cgamboa):

[dcint-core001] (local) admin > \s gPlazma@* explain login username:cgamboa
gPlazma@dcint-frontend001Domain:
    LOGIN FAIL
     |    in: UserNamePrincipal[cgamboa]
     |
     +--AUTH OK
     |   |
     |   +--x509 OPTIONAL:FAIL (no X.509 certificate chain) => OK
     |   |
     |   +--voms OPTIONAL:FAIL (no X509 certificate chain) => OK
     |   |
     |   +--oidc OPTIONAL:FAIL (No bearer token in the credentials) => OK
     |
     +--MAP OK
     |   |    added: GidPrincipal[31152,primary]
     |   |           UidPrincipal[9102]
     |   |
     |   +--gridmap OPTIONAL:OK => OK
     |   |
     |   +--vorolemap OPTIONAL:FAIL (no record) => OK
     |   |
     |   +--authzdb SUFFICIENT:OK => OK (ends the phase)
     |          added: GidPrincipal[31152,primary]
     |                 UidPrincipal[9102]
     |
     +--ACCOUNT FAIL
     |   |
     |   +--banfile REQUISITE:FAIL (user banned) => FAIL (ends the phase)
     |
