User not authorized to publish #220

Open
JamesAnstey opened this issue Aug 30, 2023 · 3 comments

@JamesAnstey

I'm trying to publish using v5.1.0b11 of the publisher. My publishing command is:

esgpublish --project cmip6 --map /esg/publish/test/mapfiles/CMIP6/CMIP/CCCma/CanESM5-1/historical/r1i1p1f1/CMIP6.CMIP.CCCma.CanESM5-1.historical.r1i1p1f1.EdayZ.va.gn.v20190429.map --no-auth

It results in this error:

2023-08-30 08:12:26 INFO     <?xml version="1.0" encoding="UTF-8"?><response status="error"><message>User:  is not authorized to publish/unpublish resource: CMIP6.CMIP.CCCma.CanESM5-1.historical.r1i1p1f1.EdayZ.va.gn.v20190429.va_EdayZ_CanESM5-1_historical_r1i1p1f1_gn_18500101-20141231.nc|crd-esgf-drc.ec.gc.ca</message></response>
2023-08-30 08:12:26 ERROR    code = 401

For the much older version of the publisher we were previously using, prior to running the publishing commands I did this:

myproxy-logon -s esgf-node.llnl.gov -l acrnpub -b -t 72 -o $HOME/.globus/certificate-file

Is this step still required for publishing? Or is the "not authorized" message due to something else?

Some extra info: I saw that another open issue also mentions error code 401, and in contrast to my error output, the output there refers to an openid. The openid referenced in the above myproxy-logon command (https://esgf-node.llnl.gov/esgf-idp/openid/acrnpub) is registered for publishing. The esg.ini file also had a [myproxy] section with info on this openid, but our updated esg.ini (made with esgmigrate I believe) doesn't have this.

@sashakames
Contributor

Hi @JamesAnstey, yes, to publish to production at LLNL, you'll still need a certificate. The myproxy-logon command is correct. There is a Python equivalent that can be installed that should take the same options: https://pypi.org/project/MyProxyClient/ You can write the file anywhere, then reference either in the command.
The --noauth arg is for our test node. Use --cert <filename> or you can add it to the new esg.ini or esg.yaml file (if you upgraded).

@JamesAnstey
Author

JamesAnstey commented Aug 31, 2023

Ok great, thanks for confirming @sashakames. I've been trying this:

myproxyclient logon -s esgf-node.llnl.gov -l acrnpub -b -t 72 -o $HOME/.globus/certificate-file

resulting in:

Enter password for user 'acrnpub' on MyProxy server 'esgf-node.llnl.gov':
Error retrieving credentials: [Errno 111] Connection refused

I've tried it many times, and also with another registered openid, so I think it's not just that I'm making password typos... Is the above myproxyclient command what you would use/recommend? I'm doing this in my esgf-pub env (still esgpublish version v5.1.0b11) with myproxyclient version 2.1.0.

If I can get the above myproxyclient command to work, then I would use --cert $HOME/.globus/certificate-file in my esgpublish command?

@sashakames
Contributor

Is port 7512 open to egress? This should work:

(base) pro9919288:metagrid ames4$ openssl s_client -connect esgf-node.llnl.gov:7512
CONNECTED(00000005)
depth=1 C = US, O = ESGF, OU = ANL, CN = Root Certificate Authority
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 C = US, O = ESGF, OU = ANL, CN = Root Certificate Authority
verify return:1
depth=0 O = ESGF, OU = ESGF.ORG, CN = esgf-node.llnl.gov
verify return:1
---
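
A preflight check for the two things this thread turns on, added here as an example and not taken from the issue or from the esgpublish project: whether TCP port 7512 on the MyProxy server is reachable from the publishing host, and whether the credential file later passed to --cert is present and private. The function names are hypothetical, and the check assumes the file written by the logon command is PEM text holding a certificate and its private key.

```python
import errno
import os
import socket
import stat

MYPROXY_HOST = "esgf-node.llnl.gov"  # host and port as named in the thread
MYPROXY_PORT = 7512


def classify_connect(host, port=MYPROXY_PORT, timeout=5.0):
    """TCP connect only (no TLS, no login): 'open', 'refused', 'timeout', 'dns' or 'error:<name>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns"        # host name did not resolve
    except socket.timeout:
        return "timeout"    # packets silently dropped, typical of an egress filter
    except ConnectionRefusedError:
        return "refused"    # [Errno 111]: a RST came back (closed port or rejecting firewall)
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


def credential_file_problems(path):
    """Check the file given to --cert; assumed to hold a PEM certificate plus private key."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    problems = []
    # The file contains a private key, so no group/other permission bits should be set.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible by group/other")
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    if "BEGIN CERTIFICATE" not in text:
        problems.append("no PEM certificate")
    if "PRIVATE KEY" not in text:
        problems.append("no PEM private key")
    return problems


if __name__ == "__main__":
    print("myproxy port:", classify_connect(MYPROXY_HOST))
    cert = os.path.expanduser("~/.globus/certificate-file")
    print("credential file:", credential_file_problems(cert) or "ok")
```

A result of "refused" or "timeout" points at the network path to port 7512 rather than at the password or the openid registration.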
