Bug 3897 - Must modify Globus in order to use authorization callouts
: Must modify Globus in order to use authorization callouts
Status: RESOLVED FIXED
: GRAM
general
: 4.0.1
: PC All
: P3 major
: 4.0.2
Assigned To:
:
:
:
:
  Show dependency treegraph
 
Reported: 2005-11-08 14:59 by
Modified: 2006-10-19 09:57 (History)


Attachments
Patch for globus-gridmap-and-execute selection based on authz PDP (13.63 KB, patch)
2005-11-09 14:28, Peter Lane
Details
AuthorizationHelper.java (2.52 KB, text/plain)
2005-11-09 14:28, Peter Lane
Details
Patch for 4.0.1 release code (11.80 KB, patch)
2005-11-11 12:09, Peter Lane
Details


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2005-11-08 14:59:43
Hello,

During the development of PRIMA, Peter Lane informed us that in order to have
Globus use the authorization callout successfully, we have to comment out code
in GRAM that checks the gridmap file. This is what he said:

2) Until we get some sort of plugin system going for sudo callouts,
you will have to edit the GRAM code to disable the use of the
globus-gridmap-and-execute app:
        2a) cvs co ws-gram
        2b) cd ws-gram/service/java/source
        2c) Edit
src/org/globus/exec/service/exec/JobManagerScript.java
        and comment out lines 146 throw 142. It should look like this:

        /*
        commandVector.add(
             new File(globusLocation +
GLOBUS_GRIDMAP_AND_EXECUTE).toString());
        if (gridMapFile != null)
        {
            commandVector.add("-g");
            commandVector.add(gridMapFile);
        }
        */
2e) Edit src/org/globus/exec/service/utils/UserProxyCreator.java and
comment out lines 101-117 as well as lines 123 and 129.  The code should
look like the following:

                    /*
                    if (gridMapFile != null)
                    {
                        command = new String[] {
                            sudo,
                            "-u",
                            this.credential.localUserId,
                            "-S",
                            gridMapAndExecute,
                            "-g",
                            gridMapFile,
                            proxyTool,
                            factoryHomeConfiguration.getGlobusLocation
(),
                            "-write",
                            this.credential.userProxyFile.getPath()
                        };
                    } else
                    {
                    */
                        command = new String[] {
                            sudo,
                            "-u",
                            this.credential.localUserId,
                            "-S",
                            //gridMapAndExecute,
                            proxyTool,
                            factoryHomeConfiguration.getGlobusLocation
(),
                            "-write",
                            this.credential.userProxyFile.getPath()
                        };
                    //}
        2e) ant


Is it possible to make a modification to Globus that will skip the gridmap file
if the authorization callout is defined, but use it if the authorization callout
is not defined? This would allow us to ship a single version of Globus in the
VDT that works whether or not the authorization callout is in use. 

Stu Martin tell us that this should be doable, and fairly quickly. That's great
news! Let us know how it goes. 

If you are able to make such a change, could you provide us with a patch file
for Globus 4.0.1, so that we can quickly distribute it?

Thanks!
-alain
------- Comment #1 From 2005-11-09 14:28:03 -------
Created an attachment (id=746) [details]
Patch for globus-gridmap-and-execute selection based on authz PDP

Requires AuthorizationHelper.java (also attached).
------- Comment #2 From 2005-11-09 14:28:55 -------
Created an attachment (id=747) [details]
AuthorizationHelper.java
------- Comment #3 From 2005-11-09 14:36:48 -------
The attachements are for the globus_4_0_branch code only.  The code is also
comitted to the branch, so it might be better just to update from CVS.  If you
need a patch from the official 4.0.1 source let me know.

I still need to make the same changes to the trunk code.
------- Comment #4 From 2005-11-09 14:44:01 -------
Yes, if I could get a patch for 4.0.1, that would be extremely useful. 

Also, I have two questions about AuthorizationHelper.java:

1) What directory does it go into? The same directory as JobManagerScript.java?
2) What changes do I need to make it build?

Thanks,
-alain
------- Comment #5 From 2005-11-11 12:09:14 -------
Created an attachment (id=749) [details]
Patch for 4.0.1 release code
------- Comment #6 From 2005-11-11 14:09:20 -------
Thanks for the patch, I appreciate it! It's all ready to go into the next VDT
build: the patch applies cleanly. 

One question: how do I make sure that AuthorizationHelper.java is built
correctly? Do I just put it into the org/globus/exec/service/utils directory,
and everything will work correctly? I'm not very familiar with how the Java
components in Java are built: do I need to modify an ant build.xml file
somewhere to make sure that it's built? I apologize if I'm clueless...

Thanks,
-alain
------- Comment #7 From 2005-11-11 14:28:40 -------
Sorry, forgot to answer that.  Yes, it goes in
ws-gram/service/java/source/src/org/globus/exec/service/utils/.
------- Comment #8 From 2005-11-11 18:40:31 -------
Since the code in the trunk has an independent adapter component, I couldn't
put
in an automatic check for the authz PDP.  Instead I added support for a system
property to explicitly turn usage of globus-gridmap-and-execute off.  Before
starting the container, you must set/add "-Dorg.globus.exec.disablegge=true" to
the GLOBUS_OPTIONS environment variable.

This needs to be documented, but since there's no 4.2 doc repository yet I'll
have to leave this bug open until such time as the doc can be created.
------- Comment #9 From 2006-07-05 11:50:01 -------
Just added John Weigand (myself) to cc.