Bug 6055 - WS-GRAM accepts a limited proxy for job execution
: WS-GRAM accepts a limited proxy for job execution
Status: RESOLVED FIXED
: GRAM
wsrf managed job factory service
: 4.0.5
: Open Science Grid (OSG) All
: P3 major
: 4.0.8
Assigned To:
:
:
:
:
  Show dependency treegraph
 
Reported: 2008-05-01 13:28 by
Modified: 2008-05-30 16:35 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2008-05-01 13:28:21
According to <http://dev.globus.org/wiki/Security/ProxyCertTypes>, limited
proxies should not be able to launch GRAM jobs, but it seems that WS-GRAM does
not implement this restriction:

[jbasney@vdt-test ~]$ grid-proxy-init -limited
Your identity: /C=US/O=National Center for Supercomputing
Applications/OU=People/CN=Jim Basney
Enter GRID pass phrase for this identity:
Creating proxy ..................................... Done
Your proxy is valid until: Fri May  2 01:26:54 2008
[jbasney@vdt-test ~]$ grid-proxy-info
subject  : /C=US/O=National Center for Supercomputing
Applications/OU=People/CN=Jim Basney/CN=366424407
issuer   : /C=US/O=National Center for Supercomputing
Applications/OU=People/CN=Jim Basney
identity : /C=US/O=National Center for Supercomputing
Applications/OU=People/CN=Jim Basney
type     : Proxy draft (pre-RFC) compliant limited proxy
strength : 512 bits
path     : /tmp/x509up_u25555
timeleft : 11:59:58
[jbasney@vdt-test ~]$ globusrun-ws -J -F vdt-test.ncsa.uiuc.edu:9443 -submit
-streaming -c /opt/vdt-1.8.1/globus/bin/grid-proxy-info
Delegating user credentials...Done.
Submitting job...Done.
Job ID: uuid:2f55b186-17ac-11dd-9c4a-000c29c0f2f7
Termination time: 05/02/2008 18:26 GMT
Current job state: Active
Current job state: CleanUp-Hold
subject  : /C=US/O=National Center for Supercomputing
Applications/OU=People/CN=Jim Basney/CN=366424407/CN=525828164/CN=370197346
issuer   : /C=US/O=National Center for Supercomputing
Applications/OU=People/CN=Jim Basney/CN=366424407/CN=525828164
identity : /C=US/O=National Center for Supercomputing
Applications/OU=People/CN=Jim Basney
type     : Proxy draft (pre-RFC) compliant limited proxy
strength : 512 bits
path     :
/home/jbasney/.globus/gram_job_proxy_2f8bae80-17ac-11dd-a9a9-a8d85f28aa83
timeleft : 11:59:51
Current job state: CleanUp
Current job state: Done
Destroying job...Done.
Cleaning up any delegated credentials...Done.
------- Comment #1 From 2008-05-19 18:09:21 -------
Issue here was with service security descriptor policy on limited proxy
rejection not being honored. Committed fix to trunk and branch. I'll publish
update package on this.
------- Comment #2 From 2008-05-20 10:20:18 -------
Advisory published: http://www-unix.globus.org/toolkit/advisories.html. Bug can
be closed once Martin has verified GRAM issue is resolved.
------- Comment #3 From 2008-05-20 10:35:08 -------
trunk:
* limited proxy, running globusrun-ws
   => ... [JWSSEC-59] Limited proxy is not accepted ...

* regular proxy and running globusrun-ws:
   => ok


4.0 branch:
* limited proxy, running globusrun-ws
   => ... Limited proxy is not accepted ...
* regular proxy and running globusrun-ws:
   => ok
------- Comment #4 From 2008-05-20 10:44:11 -------
marking fixed
------- Comment #5 From 2008-05-30 16:35:34 -------
Will be in 4.2.0 also