Bugzilla – Bug 6271
Proxy cleanup doesn't check for authz callouts, uses grid-mapfile check
Last modified: 2008-09-18 14:28:38
From OSG:

I am getting a Web Services GRAM (OSG 1.0) warning in my log, apparently due to a problem deleting the certificate on job completion. The jobs get authenticated, run, complete and exit on the submitter, but the log pops an error saying an attempt to delete the proxy failed. I am pretty sure the sudoers file is fine. The error is apparently being caused by the script /osglocal/osgce/globus/libexec/globus-gram-local-proxy-tool attempting to access the gridmap file, which, being that our site uses PRIMA, is not there. Again, authentication, execution and job exit all work (testing via globusrun-ws). The script called to clean up the proxy just seems to fail to delete the file because uscms001 is not in the gridmapfile. uscms001 is what I get mapped to at UCSD.

From talking to Martin:

The cleanup step doesn't have the same logic about avoiding globus-gridmap-and-execute that other calls to sudo have. This needs to be fixed.
This will be a bit difficult to test for me. Debug output in DelegatedCredential.java shows me that a gridmap check is now no longer part of the command when the proxy file is deleted if gridmap authorization is disabled in the security descriptor of MJFS, but I would feel better if they could run a quick test in their environment with their use-case before I commit the change to 4.0 branch or 4.2 branch. Can you ask them if they can test it if I provide a jar for them?

###########

# command with gridmap authorization ENabled in sec desc of MJFS:
/usr/bin/sudo -u feller -S \
    /opt/GT_4.0.7/libexec/globus-gridmap-and-execute \
    -g /etc/grid-security/grid-mapfile \
    /opt/GT_4.0.7/libexec/globus-gram-local-proxy-tool \
    /opt/GT_4.0.7 -delete \
    /opt/feller/.globus/gram_job_proxy_4cbff7d0-72b1-11dd-ae3b-d08a8522f688

# command with gridmap authorization DISabled in sec desc of MJFS:
/usr/bin/sudo -u feller -S \
    /opt/GT_4.0.7/libexec/globus-gram-local-proxy-tool \
    /opt/GT_4.0.7 -delete \
    /opt/feller/.globus/gram_job_proxy_79cf27a0-72b1-11dd-a14a-cd7000013687
committed to 4.0 branch
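
An added example, not part of the bug report or the Globus code: a Python check that parses a logged sudo command for the proxy cleanup and reports when its use of globus-gridmap-and-execute does not match the configured gridmap authorization mode. The function names, finding strings and the sample command line are assumptions made for illustration.

```python
import shlex

WRAPPER = "globus-gridmap-and-execute"
PROXY_TOOL = "globus-gram-local-proxy-tool"

def parse_sudo_command(line):
    """Split one logged sudo command line into the fields the audit needs."""
    argv = shlex.split(line.replace("\\\n", " "))  # join backslash continuations
    info = {"user": None, "wrapped": False, "gridmap": None,
            "action": None, "target": None}
    i = 1  # argv[0] is the sudo binary
    while i < len(argv) and argv[i].startswith("-"):  # sudo's own options
        if argv[i] == "-u" and i + 1 < len(argv):
            info["user"] = argv[i + 1]
            i += 1
        i += 1
    if i < len(argv) and argv[i].endswith("/" + WRAPPER):
        info["wrapped"] = True
        i += 1
        if i + 1 < len(argv) and argv[i] == "-g":
            info["gridmap"] = argv[i + 1]
            i += 2
    if i < len(argv) and argv[i].endswith("/" + PROXY_TOOL):
        rest = argv[i + 1:]  # <install dir> <action> <proxy file>
        if len(rest) >= 3:
            info["action"], info["target"] = rest[1], rest[2]
    return info

def audit_cleanup(line, gridmap_authz_enabled):
    """Return findings for one proxy cleanup command; an empty list means consistent."""
    info = parse_sudo_command(line)
    if info["action"] != "-delete":
        return []  # not a proxy cleanup call
    findings = []
    if info["wrapped"] and not gridmap_authz_enabled:
        findings.append("gridmap check used while gridmap authorization is disabled")
    if not info["wrapped"] and gridmap_authz_enabled:
        findings.append("gridmap check skipped while gridmap authorization is enabled")
    return findings

# Constructed sample: the pre-fix behaviour at a site without a grid-mapfile.
# Paths and the proxy file name are placeholders, not values from a real log.
SAMPLE_PRE_FIX = (
    "/usr/bin/sudo -u uscms001 -S /opt/globus/libexec/globus-gridmap-and-execute "
    "-g /etc/grid-security/grid-mapfile /opt/globus/libexec/globus-gram-local-proxy-tool "
    "/opt/globus -delete /home/uscms001/.globus/gram_job_proxy_EXAMPLE"
)

if __name__ == "__main__":
    print(audit_cleanup(SAMPLE_PRE_FIX, gridmap_authz_enabled=False))
```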