Bug 4021 - globus-start-container -containerDesc not working
: globus-start-container -containerDesc not working
Status: RESOLVED FIXED
: Java WS Security
Authentication
: unspecified
: PC Linux
: P3 critical
: ---
Assigned To:
:
:
:
:
  Show dependency treegraph
 
Reported: 2005-12-07 16:36 by
Modified: 2005-12-09 15:38 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2005-12-07 16:36:42
The -containerDesc option to globus-start-container doesn't seem to be working
in the trunk. When I specify the following security config file:

<?xml version="1.0" encoding="UTF-8"?>
<containerSecurityConfig
xmlns="http://www.globus.org/security/descriptor/container"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.globus.org/security/descriptor
name_value_type.xsd" xmlns:param="http://www.globus.org/security/descriptor">
    <defaultAuthzParam>
        <interceptor name="gridmap">
            <parameter>
                <param:nameValueParam>
                    <param:parameter name="gridmap-file"
                                     value=""/>
                </param:nameValueParam>
            </parameter>
        </interceptor>
    </defaultAuthzParam>
</containerSecurityConfig>

I expect that the container will run with my user creds, but when I try to
submit a job with globusrun-ws -self I get the following error:

GSS Major Status: Unexpected Gatekeeper or Service Name
globus_gsi_gssapi: Authorization denied: The name of the remote entity
(/C=US/O=PGL Inc./CN=host/logan), and the expected name for the remote entity
(/DC=org/DC=doegrids/OU=People/CN=Peter G Lane 364243) do not match

Thinking that the file was being ignored in favor of
$GLOBUS_LOCATION/etc/globus_wsrf_core/globus_security_descriptor.xml, I
commented out the <credential> stuff so that it would look like the above
descriptor. Unfortunately I get an even stranger error:

GSS Major Status: General failure
globus_gsi_gssapi: internal problem with SSL BIO: SSL_read rc=-1
OpenSSL Error: pem_lib.c:637: in library: PEM routines, function PEM_read_bio:
no start line Expecting: CERTIFICATE
------- Comment #1 From 2005-12-09 15:38:21 -------
The command line option descriptor has been fixed. The second issue 
with "authorization denied" has been moved to a separate bug.