Bugzilla – Bug 5992
delegated user proxy job file is not being removed
Last modified: 2008-07-18 14:35:07
I'm not sure if this is the fault of globusrun-ws or the GRAM service, but it appears that the delegated user proxy file written by the gram service is not removed at the end of the job. Here are the details:

>>>>>>>>>>

Subject: [TG-SECURITY] proxy cleanup and globusrun-ws

Mine's writeup says: "Rachana said GRAM4 will clean up everything as long as delegation occurred via globusrun-ws"

I tested this with vdt-1.8.1, and the proxy doesn't appear to be cleaned up after my job completes. Is it a bug?

    [jbasney@vdt-test ~]$ globusrun-ws -J -F vdt-test.ncsa.uiuc.edu:9443 -submit -streaming -c /opt/vdt-1.8.1/globus/bin/grid-proxy-info
    Delegating user credentials...Done.
    Submitting job...Done.
    Job ID: uuid:b1c01052-0583-11dd-a7d3-000c29c0f2f7
    Termination time: 04/09/2008 15:51 GMT
    Current job state: Active
    Current job state: CleanUp-Hold
    subject : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=525828164/CN=585434957
    issuer : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=525828164
    identity : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
    type : Proxy draft (pre-RFC) compliant limited proxy
    strength : 512 bits
    path : /home/jbasney/.globus/gram_job_proxy_b1fac800-0583-11dd-a3d2-ec9fe762d43a
    timeleft : 10:48:33
    Current job state: CleanUp
    Current job state: Done
    Destroying job...Done.
    Cleaning up any delegated credentials...Done.
    [jbasney@vdt-test ~]$ ls -l /home/jbasney/.globus/gram_job_proxy_b1fac800-0583-11dd-a3d2-ec9fe762d43a
    -rw------- 1 jbasney jbasney 3903 Apr 8 10:51 /home/jbasney/.globus/gram_job_proxy_b1fac800-0583-11dd-a3d2-ec9fe762d43a
    [jbasney@vdt-test ~]$
What GT version is vdt-1.8.1? It works fine for me with 4.0.7 (and trunk).
To reproduce this bug, run the following:

    chmod go-rwx ~/.globus

Then we see in the container logs:

    2008-04-18 14:19:01,286 DEBUG service.DelegationResource [ServiceThread-13,notifyCredentialDelete:505] notify removal
    2008-04-18 14:19:01,287 DEBUG utils.DelegatedCredential [ServiceThread-13,credentialDeleted:498] entering credentialDeleted()
    2008-04-18 14:19:01,287 DEBUG utils.DelegatedCredential [ServiceThread-13,credentialDeleted:518] removed DelegatedCredential object
    2008-04-18 14:19:01,288 DEBUG utils.DelegatedCredential [ServiceThread-13,removeUserProxy:387] Ignoring job user proxy removal request.
    2008-04-18 14:19:01,288 DEBUG utils.DelegatedCredential [ServiceThread-13,credentialDeleted:532] leaving credentialDeleted()

The problem code in DelegatedCredential.removeUserProxy() is:

    if ((this.userProxyFile == null) || !this.userProxyFile.exists()) {
        if (logger.isDebugEnabled()) {
            logger.debug("Ignoring job user proxy removal request.");
        }
        return;
    }

This runs as user globus, but there's no guarantee that user globus has permission to access any of the user's directories, so this.userProxyFile.exists() may fail due to a permissions error even if the file is there. I suggest simply removing the || !this.userProxyFile.exists() part.
Right, I was a bit confused because sudo is used if the user who runs the container is different from the local user id of the user owning the proxy. But the check for "this.userProxyFile.exists()" happens too early. Homes on the machines where I tested it had at least read access for other users, so I didn't find it when I tested it. What you suggest looks good to me.
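The failure mode diagnosed in the two comments above, as an added example that is not part of the bug thread or the Globus code base: java.io.File.exists() cannot tell a missing file from one the caller is not permitted to see, so a cleanup guard built on it skips the removal. Class, method and file names are hypothetical; the demo assumes a POSIX file system and a non-root user.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

// Added illustration: class, method and file names are hypothetical, not GRAM's.
public class ProxyCleanupGuardDemo {
    enum State { PRESENT, ABSENT, UNKNOWN }

    // Same condition as the guard quoted in the thread. File.exists() returns
    // false when the file is absent AND when the caller cannot search the
    // parent directory, so an unreadable ~/.globus looks like "nothing to do".
    static boolean buggyShouldRemove(File proxy) {
        return proxy != null && proxy.exists();
    }

    // Guard after the suggested fix: only the null check remains, so the
    // removal itself is always attempted.
    static boolean fixedShouldRemove(File proxy) {
        return proxy != null;
    }

    // Tri-state probe: Files.exists() and Files.notExists() both return false
    // when existence cannot be determined (for example, permission denied).
    static State probe(Path p) {
        if (Files.exists(p)) return State.PRESENT;
        if (Files.notExists(p)) return State.ABSENT;
        return State.UNKNOWN;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-ins for ~/.globus and a delegated job proxy file.
        Path dir = Files.createTempDirectory("globus-demo");
        Path proxy = Files.createFile(dir.resolve("gram_job_proxy_example"));
        try {
            // Simulate the container user's view of a locked-down directory by
            // dropping every permission bit (assumes POSIX, not running as root).
            Files.setPosixFilePermissions(dir, PosixFilePermissions.fromString("---------"));
            System.out.println("buggy guard removes: " + buggyShouldRemove(proxy.toFile()));
            System.out.println("fixed guard removes: " + fixedShouldRemove(proxy.toFile()));
            System.out.println("tri-state probe:     " + probe(proxy));
        } finally {
            Files.setPosixFilePermissions(dir, PosixFilePermissions.fromString("rwx------"));
            Files.delete(proxy);
            Files.delete(dir);
        }
    }
}
```

A cleanup path that treats UNKNOWN the same as ABSENT leaves credential files behind without any error, which is why the existence check has to come out of the guard or be replaced by handling the outcome of the delete itself.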
Fixed. Change will be in 4.0.8
Mine Altunay and Jim Basney really want this in the next VDT release, but I don't know when Globus 4.0.8 is coming out. Is it possible to get a patch for this against Globus 4.0.7?

Thanks!
-alain

-----------------------------------------------------------------
Alain Roy
Open Science Grid Software Coordinator
roy@cs.wisc.edu
http://opensciencegrid.org
http://vdt.cs.wisc.edu
Actually, I went ahead and guessed at a patch, based on what I saw in Globus Bonsai. Does it look right to you? http://vdt.cs.wisc.edu/patches/1.10.1/120__bugzilla_5992.diff
Yes, this looks ok to me.
Excellent, thanks for your feedback, Martin.

-alain