Bugzilla – Bug 6055
WS-GRAM accepts a limited proxy for job execution
Last modified: 2008-05-30 16:35:34
According to <http://dev.globus.org/wiki/Security/ProxyCertTypes>, limited proxies should not be able to launch GRAM jobs, but it seems that WS-GRAM does not implement this restriction:

[jbasney@vdt-test ~]$ grid-proxy-init -limited
Your identity: /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney
Enter GRID pass phrase for this identity:
Creating proxy ..................................... Done
Your proxy is valid until: Fri May 2 01:26:54 2008

[jbasney@vdt-test ~]$ grid-proxy-info
subject : /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney/CN=366424407
issuer : /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney
identity : /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney
type : Proxy draft (pre-RFC) compliant limited proxy
strength : 512 bits
path : /tmp/x509up_u25555
timeleft : 11:59:58

[jbasney@vdt-test ~]$ globusrun-ws -J -F vdt-test.ncsa.uiuc.edu:9443 -submit -streaming -c /opt/vdt-1.8.1/globus/bin/grid-proxy-info
Delegating user credentials...Done.
Submitting job...Done.
Job ID: uuid:2f55b186-17ac-11dd-9c4a-000c29c0f2f7
Termination time: 05/02/2008 18:26 GMT
Current job state: Active
Current job state: CleanUp-Hold
subject : /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney/CN=366424407/CN=525828164/CN=370197346
issuer : /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney/CN=366424407/CN=525828164
identity : /C=US/O=National Center for Supercomputing Applications/OU=People/CN=Jim Basney
type : Proxy draft (pre-RFC) compliant limited proxy
strength : 512 bits
path : /home/jbasney/.globus/gram_job_proxy_2f8bae80-17ac-11dd-a9a9-a8d85f28aa83
timeleft : 11:59:51
Current job state: CleanUp
Current job state: Done
Destroying job...Done.
Cleaning up any delegated credentials...Done.
Issue here was with service security descriptor policy on limited proxy rejection not being honored. Committed fix to trunk and branch. I'll publish update package on this.
Advisory published: http://www-unix.globus.org/toolkit/advisories.html. Bug can be closed once Martin has verified GRAM issue is resolved.
trunk:
* limited proxy, running globusrun-ws => ... [JWSSEC-59] Limited proxy is not accepted ...
* regular proxy and running globusrun-ws: => ok

4.0 branch:
* limited proxy, running globusrun-ws => ... Limited proxy is not accepted ...
* regular proxy and running globusrun-ws: => ok
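The verification matrix above can be turned into a repeatable check over captured transcripts. The following is an added example, not part of the bug thread or of Globus code; the function names, the verdict labels and the sample transcripts (constructed, with a placeholder DN) are assumptions, and it assumes limited proxy types end in "limited proxy" as in the `grid-proxy-info` output in the report.

```python
import re

# Job states that show the container accepted the credential and ran the job.
RAN_STATES = {"Active", "CleanUp-Hold", "CleanUp", "Done"}
# Rejection message as quoted in the verification comment.
REJECT_MARKER = "Limited proxy is not accepted"

def proxy_types(text):
    """Return every 'type :' value printed by grid-proxy-info in the text."""
    return [m.group(1).strip()
            for m in re.finditer(r"^\s*type\s*:\s*(.+)$", text, re.M)]

def job_states(text):
    """Return the sequence of states reported by globusrun-ws."""
    return re.findall(r"^\s*Current job state:\s*(\S+)", text, re.M)

def classify(proxy_info_output, submit_output):
    """Classify one test run from the local proxy info and the submit transcript."""
    types = proxy_types(proxy_info_output)
    if not types:
        return "unknown-proxy"
    limited = types[0].lower().endswith("limited proxy")
    ran = bool(RAN_STATES & set(job_states(submit_output)))
    rejected = REJECT_MARKER in submit_output
    if limited and ran:
        return "vulnerable"      # behaviour reported in this bug
    if limited and rejected:
        return "fixed"           # behaviour after the fix
    if not limited and ran:
        return "ok"              # regular proxy must still work
    return "inconclusive"

# Constructed sample transcripts (abridged; DN is a placeholder).
LIMITED_INFO = ("subject : /O=Example/CN=Test User/CN=111\n"
                "type : Proxy draft (pre-RFC) compliant limited proxy\n")
FULL_INFO = ("subject : /O=Example/CN=Test User/CN=222\n"
             "type : Proxy draft (pre-RFC) compliant impersonation proxy\n")
RUN_ACCEPTED = ("Delegating user credentials...Done.\nSubmitting job...Done.\n"
                "Current job state: Active\nCurrent job state: Done\n")
RUN_REJECTED = "... [JWSSEC-59] Limited proxy is not accepted ...\n"

if __name__ == "__main__":
    for info, run in [(LIMITED_INFO, RUN_ACCEPTED), (LIMITED_INFO, RUN_REJECTED),
                      (FULL_INFO, RUN_ACCEPTED)]:
        print(classify(info, run))
```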
marking fixed
Will be in 4.2.0 also