
Handle directories permission denied error in drop privs mode#2291

Merged
jhiemstrawisc merged 7 commits into
PelicanPlatform:mainfrom
h2zh:drop-privs-dirs-fix
Jun 11, 2025

Conversation

@h2zh

@h2zh h2zh commented May 5, 2025

Contributor

This PR is built on top of #2120, which should be reviewed first.

During the development of the above PR, I noticed several other permission denied errors on several directories/locations, as below:

WARNING[2025-03-17T17:06:33Z] Failed to open auth database for reload:open /etc/pelican/server-web-passwd: permission denied

WARNING[2025-03-17T17:07:03Z] Failed to load key /etc/pelican/issuer-keys/pelican_generated_1740770124479586092_2096306543.pem: failed to read key file: open /etc/pelican/issuer-keys/pelican_generated_1740770124479586092_2096306543.pem: permission denied

ERROR[2025-03-17T17:08:03Z] Failure when generating authfile: Failed to create a generated authfile /run/pelican/xrootd/cache/authfile-cache-generated: open /run/pelican/xrootd/cache/authfile-cache-generated: permission denied

ERROR[2025-03-17T17:08:03Z] Failure when emitting the scitokens.cfg: Failed to create a temporary scitokens file /run/pelican/xrootd/cache/scitokens-generated.cfg.tmp: open /run/pelican/xrootd/cache/scitokens-generated.cfg.tmp: permission denied

WARNING[2025-04-30T13:45:36Z] Failure during xrootd maintenance routine: Failure when opening certificate key pair file to pass to xrootd: open /run/pelican/xrootd/cache/pelican/copied-tls-creds.crt: permission denied

WARNING[2025-03-17T17:07:03Z] Failure during cache director-based health test clean up routine: stat /run/pelican/cache/namespace/pelican/monitoring: permission denied

All of them except the last one are resolved in this PR - I didn't fix the last one because it is not urgent and xrootd already has a purge mechanism to deal with test file cleanup - I created a separate issue for this problem, #2265.

How to test

If you are on a fresh container, spin up all four Pelican services as usual to set up the initial configs. Then shut them down and restart the Pelican services in drop privs mode by setting the following configs in pelican.yaml:

Server:
  DropPrivileges: true
  UnprivilegedUser: pelican

Check the logs and search for "permission denied". There should not be any result except the "cache director-based health test clean up .... permission denied". Also consider doing other basic tests.
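The log check in the testing steps above can be automated. The following Go program is an added example, not code from the Pelican project or from this PR: it scans log text for the `<syscall> <path>: permission denied` shape the quoted errors share, separates the one path the description deliberately leaves for the follow-up issue from everything else, and adds a conservative POSIX owner/group/other pre-flight check so the same paths can be tested for an unprivileged identity before DropPrivileges is turned on. The `sampleLog` constant copies the six log lines from the PR description plus one constructed INFO line; the uid/gid 1000 identity in `main` is an assumption, and `CheckPath` is Unix-only because it reads owner ids from `syscall.Stat_t`.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"strings"
	"syscall"
)

// sampleLog: the six log lines quoted in the PR description, plus one
// constructed INFO line that must not match. Embedded so the scan runs offline.
const sampleLog = `WARNING[2025-03-17T17:06:33Z] Failed to open auth database for reload:open /etc/pelican/server-web-passwd: permission denied
WARNING[2025-03-17T17:07:03Z] Failed to load key /etc/pelican/issuer-keys/pelican_generated_1740770124479586092_2096306543.pem: failed to read key file: open /etc/pelican/issuer-keys/pelican_generated_1740770124479586092_2096306543.pem: permission denied
ERROR[2025-03-17T17:08:03Z] Failure when generating authfile: Failed to create a generated authfile /run/pelican/xrootd/cache/authfile-cache-generated: open /run/pelican/xrootd/cache/authfile-cache-generated: permission denied
ERROR[2025-03-17T17:08:03Z] Failure when emitting the scitokens.cfg: Failed to create a temporary scitokens file /run/pelican/xrootd/cache/scitokens-generated.cfg.tmp: open /run/pelican/xrootd/cache/scitokens-generated.cfg.tmp: permission denied
WARNING[2025-04-30T13:45:36Z] Failure during xrootd maintenance routine: Failure when opening certificate key pair file to pass to xrootd: open /run/pelican/xrootd/cache/pelican/copied-tls-creds.crt: permission denied
WARNING[2025-03-17T17:07:03Z] Failure during cache director-based health test clean up routine: stat /run/pelican/cache/namespace/pelican/monitoring: permission denied
INFO[2025-03-17T17:08:05Z] Cache service started (constructed line)`

// deniedRe matches the Go os-package error shape the log lines carry:
// "<syscall> <path>: permission denied". The path capture stops at the colon.
var deniedRe = regexp.MustCompile(`(?:open|stat|mkdir|chmod|rename|remove) ([^:\s]+): permission denied`)

// knownDeferred holds the one path whose error the PR description says it
// leaves for a follow-up issue (the cache health-test cleanup directory).
var knownDeferred = map[string]bool{
	"/run/pelican/cache/namespace/pelican/monitoring": true,
}

// DeniedPaths returns the distinct paths that hit "permission denied" in the
// log text, split into unexpected and known-deferred ones, in first-seen order.
func DeniedPaths(logText string) (unexpected, deferred []string) {
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := deniedRe.FindStringSubmatch(sc.Text())
		if m == nil || seen[m[1]] {
			continue
		}
		seen[m[1]] = true
		if knownDeferred[m[1]] {
			deferred = append(deferred, m[1])
		} else {
			unexpected = append(unexpected, m[1])
		}
	}
	return unexpected, deferred
}

func inGroup(gid uint32, gids []uint32) bool {
	for _, g := range gids {
		if g == gid {
			return true
		}
	}
	return false
}

// canAccess applies the POSIX owner/group/other permission bits for a user
// with the given uid and supplementary group list. Root bypasses DAC for
// read and write. ACLs and capabilities are ignored, so this is a
// conservative pre-flight check, not a substitute for access(2).
func canAccess(mode os.FileMode, ownerUID, ownerGID, uid uint32, gids []uint32, wantWrite bool) bool {
	if uid == 0 {
		return true
	}
	perm := uint32(mode.Perm())
	shift := uint(0) // default: the "other" bits
	switch {
	case uid == ownerUID:
		shift = 6
	case inGroup(ownerGID, gids):
		shift = 3
	}
	bits := (perm >> shift) & 0o7
	need := uint32(0o4)
	if wantWrite {
		need |= 0o2
	}
	return bits&need == need
}

// CheckPath stats path and reports whether the unprivileged identity could
// read (and, if wantWrite, write) it. Unix-only: owner ids come from Stat_t.
func CheckPath(path string, uid uint32, gids []uint32, wantWrite bool) (bool, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return false, fmt.Errorf("%s: no unix stat information", path)
	}
	return canAccess(fi.Mode(), st.Uid, st.Gid, uid, gids, wantWrite), nil
}

func main() {
	unexpected, deferred := DeniedPaths(sampleLog)
	fmt.Println("unexpected:", unexpected)
	fmt.Println("deferred:  ", deferred)
	// Pre-flight the same paths for an assumed uid/gid 1000 unprivileged user.
	for _, p := range unexpected {
		ok, err := CheckPath(p, 1000, []uint32{1000}, false)
		fmt.Printf("%s readable by uid 1000: %v (err: %v)\n", p, ok, err)
	}
}
```

Run it against a real log with `DeniedPaths(string(data))` after reading the file; an empty `unexpected` slice is the pass condition the PR description asks for. `CheckPath` on a live host reports stat errors (including its own permission denied) rather than guessing, which is what you want when the directory itself is unreadable.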

@h2zh h2zh added bug Something isn't working cache Issue relating to the cache component origin Issue relating to the origin component labels May 5, 2025
@h2zh h2zh added this to the v7.17 milestone May 5, 2025
@h2zh h2zh linked an issue May 5, 2025 that may be closed by this pull request
@h2zh h2zh force-pushed the drop-privs-dirs-fix branch 4 times, most recently from 2f981a8 to 1f37a2d Compare May 6, 2025 18:11
@h2zh h2zh requested review from bbockelm and jhiemstrawisc and removed request for bbockelm May 7, 2025 14:26
Review comment threads (now outdated) were opened on: config/init_server_creds.go, config/mkdirall.go, self_monitor/self_monitor.go, xrootd/authorization.go
h2zh added 7 commits May 28, 2025 19:50
- Use xrdhttp-pelican to move them into the directories owned by xrootd user
- The `SelfTestFileCopy` function has been generalized and renamed to `FileCopyToXrootdDir`. This enhanced function now leverages the xrdhttp-pelican plugin to support a wider range of file copy operations into XRootD-owned directories
@h2zh h2zh force-pushed the drop-privs-dirs-fix branch from c44653a to 6f52b71 Compare May 28, 2025 19:50
@h2zh

h2zh commented May 28, 2025

Contributor Author

Hey @jhiemstrawisc, when you re-review this PR, I'd recommend taking a commit-by-commit approach for the last three commits, rather than viewing the entire diff at once.

@jhiemstrawisc jhiemstrawisc left a comment

Member


LGTM. Thanks, @h2zh!

@jhiemstrawisc jhiemstrawisc merged commit 4f19c57 into PelicanPlatform:main Jun 11, 2025
26 checks passed


Development

Successfully merging this pull request may close these issues.

Fix directories permission denied error in drop privs mode

2 participants