HOWTO: Tips for Troubleshooting Security with Parrot and Chirp

Parrot and Chirp have a flexible security system that allows many different ways of authenticating users and authorizing access to data. However, this flexibility can lead to unexpected results. This document gives some tips on how to debug security problems in this system.

  • Tip 1: Use parrot_whoami to verify your identity.

    Most frequently, users receive permission denied messages because they have an unexpected identity in the system. If you are receiving such errors, use the parrot_whoami command to see your identity with respect to a particular host and file. For example:

    % parrot_run tcsh
    % parrot_whoami /chirp/host.mydomain.edu/mydir
    unix:fred

  • Tip 2: Use -d auth to understand how you got your identity.

    When connecting to a Chirp server, a negotiation is performed to determine how to authenticate. To view this negotiation, run either Parrot or Chirp with the -d auth flag. This will show you the order in which authentication methods are tried, and may contain information about errors, such as a failure to load certificates.

  • Tip 3: Use -a method to control how you authenticate.

    To avoid variations in how you authenticate to different systems, use the -a option to pick exactly one method. For example, suppose you want to access data protected by the ACL entry hostname:* RL. To ensure that you always authenticate with the hostname method, even if you have some other credentials available, run Parrot or Chirp with the -a hostname option.

  • Tip 4: When all else fails, read the ACL very carefully!

    The authorization rule is very simple: the user's identity must match a line in the ACL for access to be granted. When in doubt, figure out your identity with parrot_whoami and then read the ACL line by line, comparing your identity to the subject name or pattern.

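The line-by-line comparison in Tip 4 can be scripted. The following is an added example, not code from Parrot or Chirp: it parses a small constructed ACL in the "subject rights" line format shown above and reports, per line, whether the identity from parrot_whoami matches and which rights are missing. The wildcard semantics ('*' matches any run of characters within the name part, anchored at both ends) and the no-merging rule are assumptions made for this example.

```python
import re
# Constructed sample ACL, one "subject rights" entry per line as in the
# examples above (hostname:* RL, unix:fred); not a real server's ACL.
SAMPLE_ACL = """\
unix:fred rwlda
hostname:*.mydomain.edu rl
globus:/O=Example/CN=Alice rwl
"""

def parse_acl(text):
    # Returns [(line_no, subject_pattern, rights)], skipping blanks/comments.
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 2:
            raise ValueError("line %d: expected 'subject rights'" % line_no)
        entries.append((line_no, parts[0], parts[1].lower()))
    return entries

def subject_matches(pattern, identity):
    # Method prefix must match exactly; '*' in the name part matches any run
    # of characters (assumed semantics, modelled on hostname:* above).  The
    # regex is anchored so 'x.mydomain.edu.evil.com' fails '*.mydomain.edu'.
    if ":" not in pattern or ":" not in identity:
        return False
    p_method, p_name = pattern.split(":", 1)
    i_method, i_name = identity.split(":", 1)
    if p_method != i_method:
        return False
    regex = "^" + ".*".join(re.escape(piece) for piece in p_name.split("*")) + "$"
    return re.match(regex, i_name) is not None

def check_access(acl_text, identity, wanted):
    # Walk the ACL line by line (Tip 4) and return (granted, trace).  Assumed:
    # one matching line must carry every requested right; no merging of lines.
    trace, granted = [], False
    for line_no, subject, rights in parse_acl(acl_text):
        if not subject_matches(subject, identity):
            trace.append("line %d: %s does not match" % (line_no, subject))
            continue
        missing = "".join(sorted(set(wanted.lower()) - set(rights)))
        if missing:
            trace.append("line %d: %s matches but lacks %s" % (line_no, subject, missing))
        else:
            trace.append("line %d: %s matches, grants %s" % (line_no, subject, rights))
            granted = True
    return granted, trace
```

Run check_access(SAMPLE_ACL, "unix:fred", "rl") and print the trace to see the same comparison a reader does by hand.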