Bugzilla – Bug 7250
limited delegations do not work with --voms option
Last modified: 2012-05-28 19:10:26
Dear MyProxy developers, below is an illustration of how getting a limited delegation (by using a limited proxy) does not work correctly with the "--voms" option:

-----------------------------------------------------------------------------
$ grid-proxy-info
subject  : /DC=ch/DC=cern/OU=computers/CN=wmsmon01.cern.ch/CN=limited proxy
issuer   : /DC=ch/DC=cern/OU=computers/CN=wmsmon01.cern.ch
identity : /DC=ch/DC=cern/OU=computers/CN=wmsmon01.cern.ch
type     : limited legacy globus proxy
strength : 512 bits
path     : /tmp/limited.pem
timeleft : 0:44:38
-----------------------------------------------------------------------------
$ myproxy-get-delegation -V
myproxy-logon version MYPROXYv2 (v5.3 17 Jan 2011 OCSP)
-----------------------------------------------------------------------------
$ myproxy-get-delegation -l wmsmon01-proxy -o /tmp/foo.pem -n --voms ops
Your identity: /DC=.../OU=.../CN=.../CN=proxy/CN=proxy/CN=limited proxy
Contacting lcg-voms.cern.ch:15009 [/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch] "ops" Done
Creating proxy ...................................... Done
Your proxy is valid until Sat May 5 10:33:54 2012
Error: Certificate verify failed.
A credential has been received for user wmsmon01-proxy in /tmp/foo.pem.
-----------------------------------------------------------------------------

The resulting proxy has a final delegation that is not limited, due to voms-proxy-init being called without the "-limited" option:

-----------------------------------------------------------------------------
$ grid-proxy-info -f /tmp/foo.pem
subject  : /DC=.../OU=.../CN=.../CN=proxy/CN=proxy/CN=limited proxy/CN=proxy
issuer   : /DC=.../OU=.../CN=.../CN=proxy/CN=proxy/CN=limited proxy
identity : /DC=.../OU=.../CN=...
type     : full legacy globus proxy
strength : 2048 bits
path     : /tmp/foo.pem
timeleft : 10:59:03
-----------------------------------------------------------------------------
$ voms-proxy-info -all -file /tmp/foo.pem
subject   : /DC=.../OU=.../CN=.../CN=proxy/CN=proxy/CN=limited proxy/CN=proxy
issuer    : /DC=.../OU=.../CN=.../CN=proxy/CN=proxy/CN=limited proxy
identity  : /DC=.../OU=.../CN=.../CN=proxy/CN=proxy/CN=limited proxy
type      : proxy
strength  : 2048 bits
path      : /tmp/foo.pem
timeleft  : 10:59:36
=== VO ops extension information ===
VO        : ops
subject   : /DC=.../OU=.../CN=...
issuer    : /DC=.../OU=computers/CN=lcg-voms.cern.ch
attribute : /ops/Role=NULL/Capability=NULL
timeleft  : 11:58:37
uri       : lcg-voms.cern.ch:15009
-----------------------------------------------------------------------------

That makes the proxy unusable:

-----------------------------------------------------------------------------
$ export X509_USER_PROXY=/tmp/foo.pem
-----------------------------------------------------------------------------
$ uberftp ce207 pwd
220 ce207.cern.ch GridFTP Server 3.33 (gcc64pthr, 1305148829-80) [Globus Toolkit 5.0.3] ready.
530-globus_xio: Authentication Error
530-globus_gsi_callback_module: Could not verify credential
530-globus_gsi_callback_module: Could not verify credential
530-globus_gsi_callback_module: Error with limited proxy certificate: Can't sign a non-limited, non-independent proxy with a limited proxy
530 End.
-----------------------------------------------------------------------------

Can you let myproxy-get-delegation supply the "-limited" option to voms-proxy-init when the delegated proxy is limited?
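The chain shown in the report, checked programmatically: an added illustration (not MyProxy or VOMS code) that classifies legacy Globus proxies by their last subject RDN, reports a full proxy signed by a limited one (the rule the GridFTP server enforces above), and derives the "-limited" flag a delegating tool should pass to voms-proxy-init. The identity DN is the one from the first grid-proxy-info output; the chain itself is constructed to mirror the abbreviated DNs in the report.

```python
"""Check a legacy Globus proxy chain for the defect shown in this report.

Legacy proxies encode their type in the last RDN of the subject: "CN=proxy"
is a full proxy, "CN=limited proxy" a limited one.  GSI rejects a full proxy
whose issuer is limited, so a delegation tool must pass "-limited" to
voms-proxy-init whenever its source credential is limited.
Added illustration, not MyProxy or VOMS code.
"""
from typing import List, Optional

FULL, LIMITED = "CN=proxy", "CN=limited proxy"

def rdns(dn: str) -> List[str]:
    """Split an OpenSSL one-line DN ("/DC=ch/CN=x/CN=proxy") into RDNs."""
    return [part for part in dn.strip().split("/") if part]

def proxy_type(subject: str) -> Optional[str]:
    """Return FULL, LIMITED, or None for a non-proxy (end-entity) subject."""
    last = rdns(subject)[-1]
    return last if last in (FULL, LIMITED) else None

def chain_problems(chain: List[str]) -> List[str]:
    """chain[0] is the identity subject, chain[-1] the leaf.  Each element must
    extend its issuer by exactly one proxy RDN, and a limited proxy may only
    issue further limited proxies (the rule uberftp's error message cites)."""
    problems = []
    for issuer, subject in zip(chain, chain[1:]):
        kind = proxy_type(subject)
        if kind is None or rdns(subject)[:-1] != rdns(issuer):
            problems.append(f"{subject}: not a proxy issued directly by {issuer}")
        elif kind == FULL and proxy_type(issuer) == LIMITED:
            problems.append(f"{subject}: full proxy signed by a limited proxy")
    return problems

def voms_proxy_init_flags(credential_subject: str) -> List[str]:
    """Flag the delegating tool must add so the new proxy keeps the restriction
    of the credential it is derived from (the behaviour the report asks for)."""
    return ["-limited"] if proxy_type(credential_subject) == LIMITED else []

# Constructed chain mirroring the report's abbreviated DNs.
IDENTITY = "/DC=ch/DC=cern/OU=computers/CN=wmsmon01.cern.ch"
DELEGATED = IDENTITY + "/CN=proxy/CN=proxy/CN=limited proxy"
BROKEN_CHAIN = [IDENTITY, IDENTITY + "/CN=proxy", IDENTITY + "/CN=proxy/CN=proxy",
                DELEGATED, DELEGATED + "/CN=proxy"]       # voms-proxy-init without -limited
FIXED_CHAIN = BROKEN_CHAIN[:-1] + [DELEGATED + "/CN=limited proxy"]   # with -limited

if __name__ == "__main__":
    print(chain_problems(BROKEN_CHAIN))      # the leaf is a full proxy under a limited issuer
    print(chain_problems(FIXED_CHAIN))       # []
    print(voms_proxy_init_flags(DELEGATED))  # ['-limited']
```

The naive "/" split assumes no RDN value itself contains a slash; on real credentials, take the subjects from the parsed certificates rather than from printed DNs.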
Fix committed to CVS: http://lists.globus.org/pipermail/myproxy-commit/2012-May/000677.html
Will appear in MyProxy v5.7.
Fixed in MyProxy v5.7 released today.