Bugzilla – Bug 5608
More details in security logging please
Last modified: 2008-01-16 16:39:44
Two authz logging requests:
1) Getting the filename of the gridmap in use
When a gridmap authorization fails (and maybe even when it succeeds), could we
get the filename of the gridmap if the gridmap came from a file? As people
deploy more service-specific gridmap files it will help debugging if we know
which file is in use for a particular decision. Otherwise we have to trace
back the WSDL name of the operation (namespace:op) to a particular service,
then go find that service's security descriptor to see what gridmap it's using.
2) Gridmap authorization failed: peer <anonymous>
Could we get the IP of the failed client in these messages?
Another bit of security logging, this time for container startup:
If the container fails to start in secure mode, it would be nice to have a
friendly error message like:
"In the global security descriptor <path to descriptor>, the container is
configured to look for <type of credential> at <path to credential>. [If it's
a proxy and the proxy doesn't exist/is expired, suggest running grid-proxy-init]"
Fixed issue (1) in branch and trunk.
Fixed issue (3), container startup logging, fixed in trunk and branch
Added client IP address in error messages with anonymous client access.
In GT 4.0.x, secure transport adds default principal value to peer subject,
while secure conversation does not. This affects how policy is enforced and
cannot be changed in branch. So in GridMapAuthz, with anonymous secure
transport access, authz fails with "<anonymous> not in gridmap", but with
anonymous secure conversation access, authz fails with "anonymous peer". This
cannot be fixed in branch, since it changes authz policy enforcement behavior.
Trunk code has been fixed such that principal set is empty with anonymous
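As an added illustration (not Globus Toolkit code, and not the fix described in this bug), the following standalone Python sketch shows the two logging requests from the first comment and the anonymous-peer distinction from the last one: a gridmap lookup whose success and failure messages carry the gridmap file name and the peer IP, and which reports "anonymous peer" when the principal set is empty but "<anonymous> not in gridmap" when a default "<anonymous>" principal was added to the peer subject. The gridmap content, the file path, the peer addresses and all function names are constructed for the example.

```python
"""Constructed example: gridmap lookup with the logging detail requested in
the bug (gridmap file name and peer IP in every decision message). This is
not GridMapAuthz or any other Globus code."""

import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed gridmap content in the usual format: quoted DN, then local user(s).
SAMPLE_GRIDMAP = '''\
# constructed example gridmap
"/DC=org/DC=example/OU=People/CN=Alice Example" alice
"/DC=org/DC=example/OU=Services/CN=host/svc.example.org" svcuser,svcadmin
'''

# Constructed path; a real deployment may have several service-specific files.
GRIDMAP_FILE = "/etc/grid-security/grid-mapfile"


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Map each distinguished name to the local accounts it maps to."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)  # handles the quoted DN with spaces
        except ValueError as exc:
            raise ValueError(f"gridmap line {lineno}: {exc}") from exc
        if len(fields) != 2:
            raise ValueError(f'gridmap line {lineno}: expected "DN" user[,user...]')
        dn, users = fields
        mapping[dn] = users.split(",")
    return mapping


@dataclass
class Decision:
    allowed: bool
    local_user: Optional[str]
    message: str


def authorize(principals: Set[str], peer_ip: str,
              gridmap: Dict[str, List[str]], gridmap_file: str) -> Decision:
    """Decide access for a peer and build a message a debugger can act on.

    principals: DNs asserted for the peer. An empty set models the trunk
    behaviour described in the bug (anonymous access adds no principal);
    {"<anonymous>"} models the 4.0.x secure-transport behaviour where a
    default principal is added and the lookup simply misses the gridmap.
    """
    where = f"(gridmap {gridmap_file}, peer {peer_ip})"
    if not principals:
        return Decision(False, None,
                        f"Gridmap authorization failed: anonymous peer {where}")
    for dn in sorted(principals):
        if dn in gridmap:
            user = gridmap[dn][0]  # first mapping is the default local account
            return Decision(True, user,
                            f"Gridmap authorization succeeded: {dn} -> {user} {where}")
    listed = ", ".join(sorted(principals))
    return Decision(False, None,
                    f"Gridmap authorization failed: {listed} not in gridmap {where}")


if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    alice = "/DC=org/DC=example/OU=People/CN=Alice Example"
    for principals, ip in [({alice}, "192.0.2.10"),
                           (set(), "192.0.2.11"),
                           ({"<anonymous>"}, "192.0.2.11")]:
        print(authorize(principals, ip, gm, GRIDMAP_FILE).message)
```

The point of carrying `gridmap_file` and `peer_ip` into every message is the one made in the first comment: with several service-specific gridmap files deployed, the message alone tells you which file produced the decision and which client was refused, without tracing the operation name back to a service and its security descriptor.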
*** Bug 4338 has been marked as a duplicate of this bug. ***