Bugzilla – Bug 3897
Must modify Globus in order to use authorization callouts
Last modified: 2006-10-19 09:57:15
Hello,

During the development of PRIMA, Peter Lane informed us that in order to have Globus use the authorization callout successfully, we have to comment out code in GRAM that checks the gridmap file. This is what he said:

2) Until we get some sort of plugin system going for sudo callouts, you will have to edit the GRAM code to disable the use of the globus-gridmap-and-execute app:

2a) cvs co ws-gram

2b) cd ws-gram/service/java/source

2c) Edit src/org/globus/exec/service/exec/JobManagerScript.java and comment out lines 146 through 142. It should look like this:

    /*
    commandVector.add(
        new File(globusLocation + GLOBUS_GRIDMAP_AND_EXECUTE).toString());
    if (gridMapFile != null) {
        commandVector.add("-g");
        commandVector.add(gridMapFile);
    }
    */

2e) Edit src/org/globus/exec/service/utils/UserProxyCreator.java and comment out lines 101-117 as well as lines 123 and 129. The code should look like the following:

    /*
    if (gridMapFile != null) {
        command = new String[] {
            sudo, "-u", this.credential.localUserId, "-S",
            gridMapAndExecute, "-g", gridMapFile,
            proxyTool,
            factoryHomeConfiguration.getGlobusLocation (),
            "-write", this.credential.userProxyFile.getPath() };
    } else {
    */
        command = new String[] {
            sudo, "-u", this.credential.localUserId, "-S",
            //gridMapAndExecute,
            proxyTool,
            factoryHomeConfiguration.getGlobusLocation (),
            "-write", this.credential.userProxyFile.getPath() };
    //}

2e) ant

Is it possible to make a modification to Globus that will skip the gridmap file if the authorization callout is defined, but use it if the authorization callout is not defined? This would allow us to ship a single version of Globus in the VDT that works whether or not the authorization callout is in use.

Stu Martin tells us that this should be doable, and fairly quickly. That's great news! Let us know how it goes. If you are able to make such a change, could you provide us with a patch file for Globus 4.0.1, so that we can quickly distribute it?

Thanks!
-alain
Created an attachment (id=746): Patch for globus-gridmap-and-execute selection based on authz PDP. Requires AuthorizationHelper.java (also attached).
Created an attachment (id=747): AuthorizationHelper.java
The attachments are for the globus_4_0_branch code only. The code is also committed to the branch, so it might be better just to update from CVS. If you need a patch from the official 4.0.1 source let me know. I still need to make the same changes to the trunk code.
Yes, if I could get a patch for 4.0.1, that would be extremely useful. Also, I have two questions about AuthorizationHelper.java:
1) What directory does it go into? The same directory as JobManagerScript.java?
2) What changes do I need to make it build?
Thanks, -alain
Created an attachment (id=749): Patch for 4.0.1 release code
Thanks for the patch, I appreciate it! It's all ready to go into the next VDT build: the patch applies cleanly. One question: how do I make sure that AuthorizationHelper.java is built correctly? Do I just put it into the org/globus/exec/service/utils directory, and everything will work correctly? I'm not very familiar with how the Java components in Java are built: do I need to modify an ant build.xml file somewhere to make sure that it's built? I apologize if I'm clueless... Thanks, -alain
Sorry, forgot to answer that. Yes, it goes in ws-gram/service/java/source/src/org/globus/exec/service/utils/.
Since the code in the trunk has an independent adapter component, I couldn't put in an automatic check for the authz PDP. Instead I added support for a system property to explicitly turn usage of globus-gridmap-and-execute off. Before starting the container, you must set/add "-Dorg.globus.exec.disablegge=true" to the GLOBUS_OPTIONS environment variable. This needs to be documented, but since there's no 4.2 doc repository yet I'll have to leave this bug open until such time as the doc can be created.
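An added example, not part of the bug thread and not the code from the attachments: a sketch of how a command builder could honour the org.globus.exec.disablegge property described above while keeping the gridmap check as the default. The class and method names, the wrapper path constant and the sample paths are assumptions made for illustration.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;

// Illustrative sketch only; class, method and path names are hypothetical.
public class GridmapWrapperSelection {
    // Property name as given in the comment above.
    static final String DISABLE_GGE_PROPERTY = "org.globus.exec.disablegge";
    // Assumed placeholder for the wrapper's path below the Globus install directory.
    static final String GLOBUS_GRIDMAP_AND_EXECUTE = "/libexec/globus-gridmap-and-execute";

    // Builds the argv handed to sudo. The gridmap wrapper stays in front of the
    // tool unless the operator explicitly started the JVM with the property set to true.
    static List<String> buildCommand(String sudo, String localUserId,
                                     String globusLocation, String gridMapFile,
                                     List<String> tool) {
        List<String> cmd = new ArrayList<>();
        cmd.add(sudo);
        cmd.add("-u");
        cmd.add(localUserId);
        cmd.add("-S");
        // Boolean.getBoolean is true only for the literal value "true"
        // (case-insensitive); unset or any other value keeps the gridmap check.
        if (!Boolean.getBoolean(DISABLE_GGE_PROPERTY)) {
            cmd.add(new File(globusLocation + GLOBUS_GRIDMAP_AND_EXECUTE).toString());
            if (gridMapFile != null) {
                cmd.add("-g");
                cmd.add(gridMapFile);
            }
        }
        cmd.addAll(tool);
        return cmd;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real installation.
        List<String> tool = List.of("/constructed/proxy-tool", "-write", "/tmp/constructed-proxy");
        String[] settings = { null, "true", "yes" };
        for (String s : settings) {
            if (s == null) {
                System.clearProperty(DISABLE_GGE_PROPERTY);
            } else {
                System.setProperty(DISABLE_GGE_PROPERTY, s);
            }
            System.out.println(DISABLE_GGE_PROPERTY + "=" + s + " -> "
                + buildCommand("sudo", "griduser", "/opt/globus",
                               "/etc/grid-security/grid-mapfile", tool));
        }
    }
}
```

Only the "true" setting drops the wrapper from the sudo command line; with the property unset or mistyped, the gridmap check still runs before the tool.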
Just added John Weigand (myself) to cc.