uproot5 icon indicating copy to clipboard operation
uproot5 copied to clipboard
verified publisher icon scikit-hep

Uproot 5.2.0+ no longer respects URL parameters

Open chrisburr opened this issue 1 year ago • 2 comments

Since moving to fsspec uproot now strips URL parameters from XRootD URLs. In this case I use them to add EOS tokens to authenticate, but I've also known them be required to even access files for quirks of the storage system.

Running this on lxplus at CERN:

export MYEOSTOKEN=$(eos token --path /eos/lhcb/user/c/cburr/test1/ --permission r)
# Destroy kerberos credentials so the token in the URL is the only available auth method
kdestroy
  • 5.2.2 
In [1]: import os
   ...: import uproot
   ...: print(f"{uproot.__version__}")
   ...: f = uproot.open(f"root://eoslhcb.cern.ch//eos/lhcb/user/c/cburr/test.root?xrd.wantprot=unix&authz={os.environ['MYEOSTOKEN']}")
   ...: f.keys()
5.2.2

... truncated

OSError: File did not open properly: [ERROR] Server responded with an error: [3010] Unable to give access - user access restricted - unauthorized identity used ; Permission denied
  • 5.1.2 
In [1]: import os
   ...: import uproot
   ...: print(f"{uproot.__version__}")
   ...: f = uproot.open(f"root://eoslhcb.cern.ch//eos/lhcb/user/c/cburr/test.root?xrd.wantprot=unix&authz={os.environ['MYEOSTOKEN']}")
   ...: f.keys()
5.1.2
Out[1]:
['HltRoutingBitsMonitor;1',
 'HltRoutingBitsMonitor/rb_frac;1',
 'HltRoutingBitsMonitor/rb_count;1',
 'HltDecReportsMonitor;1',
 'HltDecReportsMonitor/pass_frac_ul;1',
 'HltDecReportsMonitor/pass_frac;1',
 'HltDecReportsMonitor/pass_count_ul;1',
 'HltDecReportsMonitor/pass_count;1']

chrisburr avatar Mar 12 '24 10:03 chrisburr

This is due to https://github.com/CoffeaTeam/fsspec-xrootd/issues/64

nsmith- avatar Aug 06 '24 02:08 nsmith-

As an aside, you can do this with http as well:

url = "https://eoslhcb.cern.ch//eos/lhcb/user/c/cburr/test.root?xrd.wantprot=unix&authz=" + token
fin = uproot.open(url, verify_ssl=False)
fin.keys()

or equivalently,

fin = uproot.open(url, verify_ssl=False, params={"xrd.wantprot": "unix", "authz": token})

Edit: to be secure on a machine without IGTF grid certificates trusted systemwide you can download the CERN CA, convert it to pem:

openssl x509 -in CERN\ Root\ Certification\ Authority\ 2.crt -out CERN\ Root\ Certification\ Authority\ 2.pem -outform PEM

and load it with

import ssl

sslctx = ssl.create_default_context()
sslctx.load_verify_locations("CERN Root Certification Authority 2.pem")
fin = uproot.open(
    url,
    ssl=sslctx,
    params={"xrd.wantprot": "unix", "authz": token},
)

though at this point one might as well use x509 user certs as in #1241

nsmith- avatar Aug 06 '24 02:08 nsmith-