
Rename fails with HTTP 500 with storage.read

Open vokac opened this issue 4 months ago • 1 comments

Renaming a file with just the storage.read capability returns HTTP 500 with dCache 10.2.13. I would expect something like HTTP 403, e.g. with the existing file test.rename:

$ curl --capath /etc/grid-security/certificates -L -I -H "Authorization: Bearer ${BEARER_TOKEN}" https://se1.farm.particle.cz:443/atlas/atlasdatadisk/SAM/test.rename
HTTP/1.1 200 OK
Date: Mon, 25 Aug 2025 11:07:07 GMT
Server: dCache/10.2.13
Accept-Ranges: bytes
ETag: "0000170443BBD05D47E0BDA60A1408CDC263_-521672848"
Last-Modified: Mon, 25 Aug 2025 11:05:51 GMT
Content-Length: 692252

Rename to test.renamed fails with an exception:

$ curl -v --capath /etc/grid-security/certificates -L -X MOVE -H "Authorization: Bearer ${BEARER_TOKEN}" -H "Destination: https://se1.farm.particle.cz:443/atlas/atlasdatadisk/SAM/test.renamed" https://se1.farm.particle.cz:443/atlas/atlasdatadisk/SAM/test.rename
*   Trying 2001:718:401:6025:2::1000:443...
* Connected to se1.farm.particle.cz (2001:718:401:6025:2::1000) port 443 (#0)
...
> MOVE /atlas/atlasdatadisk/SAM/test.rename HTTP/1.1
> Host: se1.farm.particle.cz
> User-Agent: curl/7.76.1
> Accept: */*
> Authorization: Bearer eyJraWQiOiJyc2EyIiwiYWxnIjoiUlMyNTYifQ.eyJ3bGNnLnZlciI6IjEuMCIsInN1YiI6ImI0MWJkMjI0LTk1MWUtNDdiOS04Zjg2LWMyMzRlNDkxZDhiNCIsImF1ZCI6InNlMS5mYXJtLnBhcnRpY2xlLmN6IiwibmJmIjoxNzU2MTE5OTk1LCJzY29wZSI6InN0b3JhZ2UucmVhZDpcL2F0bGFzZGF0YWRpc2tcL1NBTVwvIiwiaXNzIjoiaHR0cHM6XC9cL2F0bGFzLWF1dGguY2Vybi5jaFwvIiwiZXhwIjoxNzU2MTQxNTk1LCJpYXQiOjE3NTYxMTk5OTUsImp0aSI6IjhlNDc4MTQ0LTc1NmQtNDQ5OS05MTM2LWQzNjRmZTNlMzc0ZSIsImNsaWVudF9pZCI6IjU3MTBmNDE5LTFiZDItNGIxYi1hZmQyLTk1NGY3YjFmMDAwNSJ9.SIGNATURE_REMOVED
> Destination: https://se1.farm.particle.cz:443/atlas/atlasdatadisk/SAM/test.renamed
> 
...
< HTTP/1.1 500 Server Error
< Date: Mon, 25 Aug 2025 11:08:07 GMT
< Server: dCache/10.2.13
< Content-Type: text/plain;charset=utf-8
< Content-Length: 349
< 
Internal problem: CacheException(rc=10018;msg=Restriction CompositeRestriction[Unrestricted, MultiTargetedRestriction[Authorisation{allowing [LIST, DOWNLOAD, READ_METADATA] on /atlas/atlasdatadisk/SAM}, Authorisation{allowing [MANAGE, UPLOAD, DELETE, READ_METADATA, UPDATE_METADATA] on /upload}]] denied activity MANAGE on /atlas/atlasdatadisk/SAM)
* Connection #0 to host se1.farm.particle.cz left intact

Token content (the storage prefix for this issuer is set to /atlas, the audience is accepted by the storage):

{
  "wlcg.ver": "1.0",
  "sub": "b41bd224-951e-47b9-8f86-c234e491d8b4",
  "aud": "se1.farm.particle.cz",
  "nbf": 1756119995,
  "scope": "storage.read:/atlasdatadisk/SAM/",
  "iss": "https://atlas-auth.cern.ch/",
  "exp": 1756141595,
  "iat": 1756119995,
  "jti": "8e478144-756d-4499-9136-d364fe3e374e",
  "client_id": "5710f419-1bd2-4b1b-afd2-954f7b1f0005"
}

vokac, Aug 25 '25 11:08
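
A client-side check of the case reported above, as an added example that is not part of the original issue and is not dCache code: it decodes a token's claims without verifying the signature, resolves the storage.read scope against the issuer's storage prefix, and returns 403 for a method the scope does not cover. The function names, the HEAD/GET activity mapping and the choice to model only storage.read are assumptions; the storage.read activities and MOVE needing MANAGE are taken from the error message.

```python
import base64
import json

# Activities per scope: the storage.read row is copied from the Restriction in
# the error message above; other WLCG scopes are deliberately not modelled.
SCOPE_ACTIVITIES = {"storage.read": {"LIST", "DOWNLOAD", "READ_METADATA"}}
# MOVE -> MANAGE is what the error message shows; HEAD and GET are assumptions.
METHOD_ACTIVITY = {"MOVE": "MANAGE", "HEAD": "READ_METADATA", "GET": "DOWNLOAD"}

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: unsigned token carrying the scope and audience from the issue.
SAMPLE_TOKEN = ".".join([
    _b64({"alg": "RS256"}),
    _b64({"wlcg.ver": "1.0", "aud": "se1.farm.particle.cz",
          "scope": "storage.read:/atlasdatadisk/SAM/"}),
    "SIGNATURE_REMOVED",
])

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def under(path, root):
    """True if path is root or below it, matching whole path components."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")

def check(claims, prefix, method, path):
    """Return None if some scope grants the activity on path, else 403."""
    need = METHOD_ACTIVITY[method]
    for item in claims.get("scope", "").split():
        name, _, scope_path = item.partition(":")
        root = prefix.rstrip("/") + "/" + scope_path.strip("/")
        if need in SCOPE_ACTIVITIES.get(name, ()) and under(path, root):
            return None
    return 403

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    for method in ("HEAD", "MOVE"):
        print(method, check(claims, "/atlas", method, "/atlas/atlasdatadisk/SAM/test.rename"))
```
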

https://rb.dcache.org/r/14571/

DmitryLitvintsev, Nov 18 '25 21:11