HOWTO: Tips for Troubleshooting Security with Parrot and Chirp

Parrot and Chirp have a flexible security system that allows many different ways of authenticating users and authorizing access to data. However, this flexibility can lead to unexpected results. This document gives some tips on how to debug security problems in this system.
Most frequently, users receive permission denied messages because they have an unexpected identity in the system. If you are receiving such errors, use the parrot_whoami command to see your identity with respect to a particular host and file. For example:

    % parrot tcsh
    % parrot_whoami /chirp/host.mydomain.edu/mydir
    unix:fred
When connecting to a Chirp server, a negotiation is performed to determine how to authenticate. To view this negotiation, run either Parrot or Chirp with the -d auth flag. This will show you the order in which authentication methods are tried, and may contain information about errors, such as a failure to load certificates.
To avoid variations in how you authenticate to different systems, use the -a option to pick exactly one method. For example, suppose you want to access data protected by the ACL line "hostname:* RL". To ensure that you always authenticate with the hostname method, even if you have other credentials available, run Parrot or Chirp with the -a hostname option.
The authorization rule is very simple: the user's identity must match a line in the ACL for access to be granted. When in doubt, figure out your identity with parrot_whoami and then read the ACL line by line, comparing your identity to the subject name or pattern.
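The following script walks through that line-by-line comparison for you. It is an added illustration, not code from Parrot or Chirp: the ACL is constructed, subject patterns are matched with shell-style wildcards, and a right is assumed to be granted when any matching line carries it (simplifications of the real ACL engine). It shows why a "unix:" identity never matches a "hostname:*" line, which is the situation the -a hostname advice above addresses.

```python
import fnmatch

# Constructed ACL in the "subject rights" line format shown on this page.
SAMPLE_ACL = """\
# comments and blank lines are ignored in this simplified model
unix:fred RWLD
hostname:*.mydomain.edu RL
"""


def parse_acl(text):
    """Return (subject_pattern, rights) pairs in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed ACL line: {line!r}")
        entries.append((parts[0], parts[1]))
    return entries


def matching_lines(identity, acl_entries):
    """ACL lines whose subject pattern matches the whole identity string
    (method:name, exactly as parrot_whoami reports it). Because the
    method prefix is part of the pattern, 'hostname:*' cannot match a
    'unix:fred' identity no matter what the wildcard expands to."""
    return [(subj, rights) for subj, rights in acl_entries
            if fnmatch.fnmatchcase(identity, subj)]


def check_access(identity, acl_text, wanted):
    """Return (granted, explanation) for the rights letters in `wanted`.
    Assumption: a right is granted if any matching line carries it."""
    matches = matching_lines(identity, parse_acl(acl_text))
    if not matches:
        return False, f"{identity}: no ACL line matches this identity"
    granted = set().union(*(set(r) for _, r in matches))
    missing = set(wanted) - granted
    if missing:
        return False, f"{identity}: matched {matches}, lacks {''.join(sorted(missing))}"
    return True, f"{identity}: matched {matches}, has {wanted}"


if __name__ == "__main__":
    for ident in ("unix:fred", "hostname:client.mydomain.edu", "unix:bob"):
        print(check_access(ident, SAMPLE_ACL, "RL")[1])
```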