Authenticating to Tornado as a TrustedHost

[martynia]

Hi, when trying to call a method on Tornado from an agent running on a Dirac host ("TrustedHost"), I'm getting 401. I defined a property like this:

    auth_getMetadata = ["Operator", "TrustedHost"]

    def export_getMetadata(self):
           pass

In the CS, the Tornado based Service hasDefault = authenticated in the Authorisation section. Are those 2 requirements contradictory ?

cheers, JM

[fstagni]

These 2 requirements are not necessarily contradictory. I would anyway:

• do not use auth_* for methods that are not "silly" ones like "echo" or "ping", but instead add the auth requirements in ConfigTemplate.cfg file
• the "TrustedHost" is not something that I would use: a host certificate should probably have the "Operator" property anyway.

[martynia]

The host cert has got the Operator property, which is also listed in auth_getMetadata., so the problem must be somewhere else.

[martynia]

@sfayer pointed out, that it was a client, not a server problem. A line printed in a log:

Tornado/Tornado/Authorization WARN: User is invalid or does not belong to the group it's saying

suggests that the Authz is going a "user" route (this is why the server accepts the same call, when issued from a Dirac client using a Dirac_admin proxy), however in this case we get 401, when using a host certificate ("host" route)

How to solve this problem, still using requests.post() ?

[martynia]

Solved with writing a Tornado client.

[fstagni]

Can this question be considered as "solved"? (answered)

[martynia]

Yes.