Certification report patch 3284

Author(s): Gianni.Pucciani@cernNOSPAMPLEASE.ch

Patch: https://savannah.cern.ch/patch/index.php?3284

Outcome: Certified

RPM installation on CREAM CE

A CREAM CE was deployed on vtb-generic-109 enabling the patch repository for patches #3284 and #3536:
# ./vnode-ygen.sh -i SL5-64-DH -n glite-CREAM -p 3284 -p 3536
Creating a virtual machine with SL5-64-DH...
vNode CLI dir is /afs/cern.ch/user/p/pucciani/public/vnodecli/2.0.r52
working on vtb-generic-109.cern.ch
Checking out yaimgen on vtb-generic-109.cern.ch
/usr/bin/xauth:  creating new authority file /root/.Xauthority
Deploying glite-CREAM on vtb-generic-109.cern.ch
Yaimgen called with argments:  -n glite-CREAM -p 3284 -p 3536
INFO: Host: vtb-generic-109.cern.ch
INFO: Arch: SL5 x86_64, gLite 3.2
INFO: Calling yum update
INFO: Yum update executed
INFO: Retrieving repo files...
INFO: Downloading production repo file http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/glite-CREAM.repo
INFO: Retrieving repo file for patch 3284
INFO: Retrieving repo file for patch 3536
INFO: No target specific pre-installations
INFO: Installing default packages: ca_BitFace, ctb-vomscerts, java
which: no fetch-crl in (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin)
INFO: Target is glite-CREAM
INFO: Installing glite-CREAM
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Importing GPG key 0x6B8D79E6 "Dag Wieers (Dag Apt Repository v1.0) <dag@wieers.com>" from http://linuxsoft.cern.ch/cern/slc5X/x86_64/RPM-GPG-KEYs/RPM-GPG-KEY-dag
INFO: glite-CREAM installed!
INFO: Retrieving host credentials
INFO: Downloading YAIM configuration files
INFO: Running pre-config script preconfig/preconfig-glite-CREAM.sh
INFO: No pre-config preconfig/preconfig-glite-CREAM.sh available
INFO: No config file to source
INFO: WARNING: YG_YAIM_NODES is empty, YAIM will not be called
INFO: Script postconfig/postconfig-glite-CREAM.sh not available.
INFO: Script test/test-glite-CREAM.sh not available.
INFO: yaimgen.sh took 204 seconds to run
INFO: YAIMGEN terminated successfully
glite-CREAM successfully deployed on vtb-generic-109.cern.ch

The glite-authz-gsi-pep-callout was installed:

[root@vtb-generic-109 ~]# yum install glite-authz-gsi-pep-callout
Loaded plugins: downloadonly, kernel-module
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package glite-authz-gsi-pep-callout.x86_64 0:1.1.0-3.sl5 set to be updated
--> Processing Dependency: glite-authz-pep-c >= 1.3.0 for package: glite-authz-g
si-pep-callout
--> Running transaction check
---> Package glite-authz-pep-c.x86_64 0:1.3.0-4.sl5 set to be updated
--> Finished Dependency Resolution
Beginning Kernel Module Plugin
Finished Kernel Module Plugin

Dependencies Resolved

================================================================================
 Package                       Arch     Version         Repository         Size
================================================================================
Installing:
 glite-authz-gsi-pep-callout   x86_64   1.1.0-3.sl5     ETICS-name-3284    88 k
Installing for dependencies:
 glite-authz-pep-c             x86_64   1.3.0-4.sl5     ETICS-name-3536   245 k

Transaction Summary
================================================================================
Install      2 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 334 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): glite-authz-gsi-pep-callout-1.1.0-3.sl5.x86_64.rp |  88 kB     00:00
(2/2): glite-authz-pep-c-1.3.0-4.sl5.x86_64.rpm          | 245 kB     00:00
--------------------------------------------------------------------------------
Total                                           2.6 MB/s | 334 kB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : glite-authz-pep-c                                        1/2
  Installing     : glite-authz-gsi-pep-callout                              2/2

Installed:
  glite-authz-gsi-pep-callout.x86_64 0:1.1.0-3.sl5

Dependency Installed:
  glite-authz-pep-c.x86_64 0:1.3.0-4.sl5

Complete!

The configuration files were:

[root@vtb-generic-109 ~]# cat /etc/grid-security/gsi-authz.conf
# Globus authorization and mapping callout to the ARGUS GSI PEP Callout module
# format: globus_mapping <library_path> <function_name>
#globus_mapping /opt/glite/lib/libgsi_pep_callout_gcc32dbg.so authz_pep_callout

globus_mapping /opt/glite/lib64/libgsi_pep_callout_gcc64dbg.so authz_pep_callout
[root@vtb-generic-109 ~]# cat /etc/grid-security/gsi-pep-callout.conf
#
# GSI PEP Callout configuration example
#
pep_url   https://vtb-generic-54.cern.ch:8154/authz
xacml_resourceid http://vtb-generic-109.cern.ch/cream/gridftp

GridFTP tests


[root@vtb-generic-109 ~]# /etc/init.d/globus-gridftp restart
Shutting down globus-gridftp-server:                       [FAILED]
Starting globus-gridftp-server                             [  OK  ]


The PAP was loaded with the following policy:
[root@vtb-generic-54 argus]# pap/bin/pap-admin lp

default (local):

resource "http://vtb-generic-109.cern.ch/cream/gridftp" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {
    }

    action "file" {
        rule deny { subject="CN=Test user 303,OU=GD,O=CERN,C=CH" }
        rule permit { fqan="/dteam" }
    }
}


[root@vtb-generic-54 argus]# pdp/sbin/pdpctl.sh reloadPolicy

[root@vtb-generic-54 argus]# pepd/sbin/pepdctl.sh clearResponseCache

The user dteam043 was created on the CREAM host.

[testuser@vtb-generic-17 ~]$ edg-gridftp-ls --proxy=proxy_test_user --verbose gsiftp://vtb-generic-109.cern.ch/~
-rw-r--r--   1 dteam043 dteam043          124 Mar 15 15:22 .bashrc
-rw-r--r--   1 dteam043 dteam043           33 Mar 15 15:22 .bash_logout
drwxr-xr-x   4 dteam043 dteam043         4096 Mar 15 15:22 .mozilla
drwxr-xr-x   3     root     root         4096 Mar 15 15:22 ..
-rw-r--r--   1 dteam043 dteam043          176 Mar 15 15:22 .bash_profile
-rw-r--r--   1 dteam043 dteam043          515 Mar 15 15:22 .emacs
-rw-r--r--   1 dteam043 dteam043          658 Mar 15 15:22 .zshrc
drwx------   3 dteam043 dteam043         4096 Mar 15 15:22 .


with syslog showing:
Mar 15 15:41:45 vtb-generic-109 gsi_pep_callout[27124]: pep_authorize: 1 PEPd failover URLs available
Mar 15 15:41:45 vtb-generic-109 gsi_pep_callout[27124]: pep_authorize: sending XACML request to PEPd: https://vtb-generic-54.cern.ch:8154/authz
Mar 15 15:41:47 vtb-generic-109 gsi_pep_callout[27124]: pep_authorize: PEPd[https://vtb-generic-54.cern.ch:8154/authz]: XACML Response decoded and unmarshalled.
Mar 15 15:41:47 vtb-generic-109 gsi_pep_callout[27124]: User /C=CH/O=CERN/OU=GD/CN=Test user 300 mapped to dteam043


Tested with globus-url-copy:
[testuser@vtb-generic-17 ~]$ globus-url-copy gsiftp://vtb-generic-109.cern.ch/etc/hosts file:/tmp/copied3.txt
[testuser@vtb-generic-17 ~]$ ls -l /tmp/copied3.txt
-rw-rw-r--  1 testuser testuser 27 Mar 15 15:47 /tmp/copied3.txt
[testuser@vtb-generic-17 ~]$ cat /tmp/copied3.txt
127.0.0.1        localhost

Tested with banned user:
[testuser@vtb-generic-17 ~]$ export X509_USER_PROXY=proxy_test_user_303 
[testuser@vtb-generic-17 ~]$ globus-url-copy gsiftp://vtb-generic-109.cern.ch/etc/hosts file:/tmp/copied4.txt

error: globus_ftp_client: the server responded with an error
530 530-Login incorrect. : globus_gss_assist: Error invoking callout
530-globus_callout_module: The callout returned an error
530-an unknown error occurred
530 End.


with syslog showing:
Mar 15 15:48:08 vtb-generic-109 gsi_pep_callout[27139]: pep_authorize: 1 PEPd failover URLs available
Mar 15 15:48:08 vtb-generic-109 gsi_pep_callout[27139]: pep_authorize: sending XACML request to PEPd: https://vtb-generic-54.cern.ch:8154/authz
Mar 15 15:48:08 vtb-generic-109 gsi_pep_callout[27139]: pep_authorize: PEPd[https://vtb-generic-54.cern.ch:8154/authz]: XACML Response decoded and unmarshalled.
Mar 15 15:48:08 vtb-generic-109 gsi_pep_callout[27139]: authz_pep_callout: gsi_pep_callout_error: Authorization error: Can not map /C=CH/O=CERN/OU=GD/CN=Test user 303 to local identity gsi_pep_callout_error: Authorization error: XACML Response did not authorize: /C=CH/O=CERN/OU=GD/CN=Test user 303 gsi_pep_callout_error: Authorization error: XACML Decision: Deny, XACML Status: urn:oasis:names:tc:xacml:1.0:status:ok

-- GianniPucciani - 02-Mar-2010

Edit | Attach | Watch | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r4 - 2010-03-15 - GianniPucciani
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EGEE All webs login

This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright & by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Ask a support question or Send feedback