Bug 6054 - DefaultIndexService ignores gridmap setting
: DefaultIndexService ignores gridmap setting
Status: RESOLVED FIXED
: Java WS Core
globus_wsrf_core
: 4.0.5
: PC Linux
: P3 normal
: 4.0.8
Assigned To:
:
:
:
:
  Show dependency treegraph
 
Reported: 2008-05-01 00:23 by
Modified: 2008-11-10 14:24 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2008-05-01 00:23:04
The WSRF framework ignore the <gridmap> setting specified in the SecurityConfig
for the MDS DefaultIndexService.

(a) If the container is configured to use gridmap authorization, the
container-wide gridmap will be used instead.

(b) If the container is using PRIMA and has no gridmap specified globally, the
authentication fails with the message

> 2008-05-01 13:47:51,051 WARN  client.ServiceGroupRegistrationClient [Timer-5,status:472]  
> Warning: Could not register https://ng2hpcdev.canterbury.ac.nz:8443/wsrf/services/ManagedJobFactoryService
> to servicegroup at https://ng2hpcdev.canterbury.ac.nz:8443/wsrf/services/DefaultIndexService -- check the URL and that the remote service is up.
> Remote exception was org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: Policy decision failed [Caused by: No gridmap file]

I have been able to work around this problem by either adding host DN to the
system-wide grid-mapfile for (a), or adding /etc/grid-securirt/mds-grid-mapfile
as the container-wide gridmap for (b): add the following line to
$GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml

    <gridmap value="/etc/grid-security/mds-grid-mapfile"/>

I have been trying to debug this issue by looking at what's happening in the
org.globus.wsrf.impl framework, and it appears that the GridMapAuthorization
class somehow "forgets" it's "servicePath" - the JNDI name of the service it's
instantiated for, and cannot afterwards retrieve the service-specific gridmap
file, and ends up accessing the container-wide one if it exists (or with an
error otherwise).

What makes the error surprising is that after the container is started, the
authorization calls succeeds for the first time, but keeps failing after that.

Touching the MDS security config file -
/opt/vdt/globus/etc/globus_wsrf_mds_index/index-security-config.xml - causes a
refresh of the config, and fixes the servicePath field in GridMapAuthorization
- but only for one autorization call, and then it breaks again.

When ran for the first time, GridMapAuthorization successfully retrieves a
GridMap:
> 2008-05-01 12:08:35,556 DEBUG authorization.GridMapAuthorization [ServiceThread-13,isPermitted:99] Grid map authz
> 2008-05-01 12:08:35,557 DEBUG authorization.GridMapAuthorization [ServiceThread-13,isPermitted:124] Service DefaultIndexService
> 2008-05-01 12:08:35,558 DEBUG descriptor.SecurityPropertiesHelper [ServiceThread-13,getGridMap:194] getGridMap DefaultIndexService
> 2008-05-01 12:08:35,558 DEBUG descriptor.ServiceSecurityConfig [ServiceThread-13,getGridMap:254] Get gridmap DefaultIndexService

While when ran any subsequent time, it passes a null jndiPath to
retrieveGridMap(jndiPath)

> 2008-05-01 12:08:35,685 DEBUG descriptor.ServiceSecurityConfig [ServiceThread-12,refresh:173] Refresh called DefaultIndexService
> 2008-05-01 12:08:35,685 DEBUG descriptor.ServiceSecurityConfig [ServiceThread-12,initialize:92] Already initialized: DefaultIndexService
> 2008-05-01 12:08:35,686 DEBUG security.SecurityManagerImpl [ServiceThread-12,getSystemSubject:73] Get system subject
> 2008-05-01 12:08:35,686 DEBUG descriptor.ContainerSecurityConfig [ServiceThread-12,getConfig:84] initialize called
> 2008-05-01 12:08:35,686 DEBUG descriptor.ContainerSecurityConfig [ServiceThread-12,refresh:227] Refresh not required
> 2008-05-01 12:08:35,686 DEBUG authorization.AuthorizationHandler [ServiceThread-12,invoke:50] Authorization
> 2008-05-01 12:08:35,686 DEBUG authorization.AuthorizationHandler [ServiceThread-12,invoke:66] Service path DefaultIndexService
> 2008-05-01 12:08:35,802 DEBUG authorization.AuthorizationHandler [ServiceThread-12,invoke:92] Resource is null: false
> 2008-05-01 12:08:35,803 DEBUG authorization.AuthorizationHandler [ServiceThread-12,invoke:113] Sec desc after resource is false
> 2008-05-01 12:08:35,803 DEBUG descriptor.ServiceSecurityConfig [ServiceThread-12,getSecurityDescriptor:264] Get descriptor DefaultIndexService
> 2008-05-01 12:08:35,803 DEBUG authorization.AuthorizationHandler [ServiceThread-12,invoke:127] Sec desc after service is true
> 2008-05-01 12:08:35,804 DEBUG authorization.AuthorizationHandler [ServiceThread-12,invoke:149] Sec desc after container is true
> 2008-05-01 12:08:35,804 DEBUG authorization.AuthorizationHandler [ServiceThread-12,invoke:172] Invoking authorize on authz chain
> 2008-05-01 12:08:35,804 DEBUG util.AuthUtil [ServiceThread-12,getOperationName:238] Trying to find {http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ServiceGroup-1.2-draft-01.xsd}Add
> 2008-05-01 12:08:35,804 DEBUG util.AuthUtil [ServiceThread-12,getOperationName:253] Operation in question {http://mds.globus.org/index/2004/07/12}add
> 2008-05-01 12:08:35,804 DEBUG authorization.GridMapAuthorization [ServiceThread-12,isPermitted:99] Grid map authz
> 2008-05-01 12:08:35,804 DEBUG authorization.GridMapAuthorization [ServiceThread-12,isPermitted:124] Service null
> 2008-05-01 12:08:35,804 DEBUG descriptor.SecurityPropertiesHelper [ServiceThread-12,getGridMap:194] getGridMap null
> 2008-05-01 12:08:35,805 DEBUG descriptor.ServiceSecurityConfig [ServiceThread-12,getGridMap:254] Get gridmap null
> 2008-05-01 12:08:35,805 DEBUG descriptor.SecurityPropertiesHelper [ServiceThread-12,getGridMap:203] Service gridmap null
> 2008-05-01 12:08:35,805 DEBUG descriptor.ContainerSecurityConfig [ServiceThread-12,getConfig:84] initialize called
> 2008-05-01 12:08:35,810 WARN  client.ServiceGroupRegistrationClient [Timer-5,status:472] Warning: Could not register https://ng2hpcdev.canterbury.ac.nz:8443/wsrf/services/ManagedJobFactoryService to servicegroup at https://ng2hpcdev.canterbury.ac.nz:8443/wsrf/services/DefaultIndexService -- check the URL and that the remote service is up.  Remote exception was org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: Policy decision failed [Caused by: No gridmap file]

This worked all fine in GT 4.0.3 (distributed with VDT 1.6.1) and is broken in
GT 4.0.5 (distributed with VDT 1.8.1).

I don't know whether it's related to:
http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=2743

Any toughts?

If needed, I can provide a complete container-real.log for starting the
container, with log4j.category.org.globus.wsrf.impl.security=DEBUG

Cheers,
Vladimir
------- Comment #1 From 2008-05-05 17:00:31 -------
Thanks for the detailed bug report.

Fix has been committed to branch and advisory published at
http://globus.org/toolkit/advisories.html

Thanks,
Rachana