Certification report patch #3536

Author(s): Gianni Pucciani, gianni.pucciani@cernNOSPAMPLEASE.ch

Patch: https://savannah.cern.ch/patch/?3536

Outcome: Certified

Clean installation

The installation was done using Yaimgen and the scripts available at TestAutomation. The installation was performed with both the production repository and the ETICS patch repository enabled. The certification tests were run automatically:
 > ./vnode-ygen.sh -i SL5-64-DH -r http://etics-repository.cern.ch/repository/pm/volatile/repomd/name/patch3536/etics-volatile-build-by-id.repo -n glite-ARGUS
Creating a virtual machine with SL5-64-DH...
vNode CLI dir is /afs/cern.ch/user/p/pucciani/public/vnodecli/2.0.r52/
working on vtb-generic-54.cern.ch
Checking out new_usage branch of yaimgen on vtb-generic-54.cern.ch
ssh(8618) Warning: Permanently added 'vtb-generic-54.cern.ch,128.142.130.155' (RSA) to the list of known hosts.
/usr/bin/xauth:  creating new authority file /root/.Xauthority
Deploying glite-ARGUS on vtb-generic-54.cern.ch
Yaimgen called with argments: -r http://etics-repository.cern.ch/repository/pm/volatile/repomd/name/patch3536/etics-volatile-build-by-id.repo -n glite-ARGUS
INFO: Host: vtb-generic-54.cern.ch
INFO: Arch: SL5 x86_64, gLite 3.2
INFO: Calling yum update
INFO: Yum update executed
INFO: Creating repo files...
INFO: Downloading production repo file http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/glite-ARGUS.repo
INFO: Downloading ETICS repo file http://etics-repository.cern.ch/repository/pm/volatile/repomd/name/patch3536/etics-volatile-build-by-id.repo
INFO: Installing glite-ARGUS pre-requisites
INFO: Installing default packages: ca_BitFace, ctb-vomscerts, java
which: no fetch-crl in (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin)
INFO: Target is glite-ARGUS
INFO: Installing glite-ARGUS
INFO: glite-ARGUS installed!
INFO: Retrieving host credentials
INFO: Downloading YAIM configuration files
INFO: Running pre-config script preconfig/preconfig-glite-ARGUS.sh
INFO: Script preconfig/preconfig-glite-ARGUS.sh executed!
INFO: Sourcing config/config-glite-ARGUS.sh
INFO: Running YAIM config for node glite-ARGUS_server
INFO: Command:/opt/glite/yaim/bin/yaim -c -s /etc/yaim/site-info.def -n glite-ARGUS_server
INFO: Running post-config script postconfig/postconfig-glite-ARGUS.sh
INFO: Script postconfig/postconfig-glite-ARGUS.sh executed!
Checking out Argus tests
Argus tests available
Building arguments list for Argus tests
Running Argus tests with arguments: 
Using ./ARGUS-certconfig
START Fri Feb 12 10:44:29 CET 2010 
------------------------------------------------
Log files will be stored in /tmp/logs_100212104429
*Running PAP-CLI tests
test-PAP-FUNC-2.sh PASSED
test-list-policies.sh PASSED
test-ban-unban.sh PASSED
test-ban-unban-fqan.sh PASSED
test-remove-all-policies.sh PASSED
test-remove-policies.sh PASSED
test-policy-from-file.sh PASSED
test-upp-from-file.sh PASSED
*Running PAP-management tests
add-remove-localpap.sh PASSED
en-disable-pap.sh PASSED
pap-ping.sh PASSED
refresh-cache.sh PASSED
set-get-pap-orders.sh PASSED
set-get-poll-interval.sh PASSED
test-authz.sh PASSED
update-pap.sh PASSED
*Running PDP tests
test-configuration.sh PASSED
*Running PEP tests
test-configuration.sh PASSED
TEST_PASSED
Argus tests passed
INFO: Test test/test-glite-ARGUS.sh PASSED!
INFO: yaimgen.sh took 699 seconds to run
INFO: YAIMGEN terminated successfully
glite-ARGUS successfully deployed on vtb-generic-54.cern.ch

The RPMs included in the patch have been checked:

[pcwww06] /home/gpucciani/scli/trunk > ./savannah -o get -t patch -g jra1mdw -i 3536 -n "RPM name(s)"
==> at https://savannah.cern.ch/my/
==> at https://savannah.cern.ch/patch/?3536
glite-ARGUS-3.2.2-1.sl5.x86_64.rpm
glite-authz-pap-1.1.1-1.noarch.rpm
glite-authz-pdp-1.1.0-2.noarch.rpm
glite-authz-pep-c-1.3.0-2.sl5.x86_64.rpm
glite-authz-pepd-1.1.1-1.noarch.rpm
glite-authz-pep-c-cli-1.3.0-2.sl5.x86_64.rpm
glite-yaim-argus_server-1.1.0-3.noarch.rpm
glite-yaim-core-4.0.11-2.noarch.rpm
fetch-crl-2.6.3-1.noarch.rpm
and compared with the ones installed on the certification machine:
[root@vtb-generic-54 ~]#  rpm -qa | egrep '(glite-authz|glite-ARGUS|glite-yaim|fetch-crl)'
glite-yaim-argus_server-1.1.0-3.noarch
glite-authz-pepd-1.1.1-1.noarch
glite-yaim-core-4.0.11-2.noarch
glite-authz-pep-c-1.3.0-2.sl5.x86_64
glite-authz-pap-1.1.1-1.noarch
glite-ARGUS-3.2.2-1.sl5.x86_64
glite-authz-pdp-1.1.0-2.noarch
glite-authz-pep-c-cli-1.3.0-2.sl5.x86_64
fetch-crl-2.7.0-2.noarch
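The comparison above was done by eye. As an added example (not part of this report or of the Argus/Yaimgen tooling), the small Python check below parses the patch RPM file names and the `rpm -qa` output into name, version-release and architecture and reports every package that is missing or installed at a different version; run on the two listings above it flags fetch-crl (2.6.3-1 in the patch, 2.7.0-2 installed) and reports the other eight as matching.

```python
# Added example (not part of the certification report): compare the RPMs
# listed in the Savannah patch with the packages found on the certification
# host, flagging anything missing or installed at a different version.
# Sample input constructed from the two listings in the report (patch RPM
# file names, and `rpm -qa` output which has no ".rpm" suffix).
PATCH_RPMS = """
glite-ARGUS-3.2.2-1.sl5.x86_64.rpm glite-authz-pap-1.1.1-1.noarch.rpm
glite-authz-pdp-1.1.0-2.noarch.rpm glite-authz-pep-c-1.3.0-2.sl5.x86_64.rpm
glite-authz-pepd-1.1.1-1.noarch.rpm glite-authz-pep-c-cli-1.3.0-2.sl5.x86_64.rpm
glite-yaim-argus_server-1.1.0-3.noarch.rpm glite-yaim-core-4.0.11-2.noarch.rpm
fetch-crl-2.6.3-1.noarch.rpm
"""
INSTALLED = """
glite-yaim-argus_server-1.1.0-3.noarch glite-authz-pepd-1.1.1-1.noarch
glite-yaim-core-4.0.11-2.noarch glite-authz-pep-c-1.3.0-2.sl5.x86_64
glite-authz-pap-1.1.1-1.noarch glite-ARGUS-3.2.2-1.sl5.x86_64
glite-authz-pdp-1.1.0-2.noarch glite-authz-pep-c-cli-1.3.0-2.sl5.x86_64
fetch-crl-2.7.0-2.noarch
"""

def parse_nvra(pkg):
    """Split 'name-version-release.arch[.rpm]' into (name, 'version-release', arch).
    RPM forbids '-' in version and release, so the last two dashes delimit them."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    body, arch = pkg.rsplit(".", 1)
    name, version, release = body.rsplit("-", 2)
    return name, version + "-" + release, arch

def index(listing):
    """Map package name -> (version-release, arch) for every token in listing."""
    return {n: (vr, a) for n, vr, a in map(parse_nvra, listing.split())}

def compare(patch, installed):
    """One (name, patch_vr, installed_vr, status) row per RPM in the patch."""
    have, rows = index(installed), []
    for name, (vr, arch) in sorted(index(patch).items()):
        got = have.get(name)
        if got is None:
            rows.append((name, vr, "-", "MISSING"))
        elif got != (vr, arch):
            rows.append((name, vr, got[0], "DIFFERS"))
        else:
            rows.append((name, vr, got[0], "OK"))
    return rows

if __name__ == "__main__":
    for row in compare(PATCH_RPMS, INSTALLED):
        print("%-28s patch=%-12s installed=%-12s %s" % row)
```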

An important thing to note is that the PEPd now uses SSL by default:

[root@vtb-generic-54 argus]# grep SSL pepd/conf/pepd.ini
enableSSL = true

To test the installation with glexec (the policy permitting glexec requests is added by the yaimgen post-configuration script), pepcli was used:

[root@vtb-generic-54 postconfig]# ./postconfig-glite-ARGUS.sh 
Post-Configuration script for glite-ARGUS
Altering pap_authorization.ini
PAP authorization file changed
Ok.
PAP restarted
Removing current policies
Policies removed
Storing policy to permit glexec requests
Policy stored
Disabling PEP cache
Restarting PEP
PEP restarted
Restarting PDP
PDP restarted

[root@vtb-generic-54 postconfig]# /opt/argus/pap/bin/pap-admin lp

default (local):

resource "http://authz-interop.org/xacml/resource/resource-type/wn" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {
    }

    action "http://authz-interop.org/xacml/action/action-type/execute-now" {
        rule deny { subject="CN=Test user 303,OU=GD,O=CERN,C=CH" }
        rule permit { fqan="/dteam" }
    }
}

[root@vtb-generic-54 ~]# /opt/glite/bin/pepcli -p https://vtb-generic-54.cern.ch:8154/authz -c ./proxy_testuser_300  -r http://authz-interop.org/xacml/resource/resource-type/wn -a http://authz-interop.org/xacml/action/action-type/execute-now --capath /etc/grid-security/certificates/ --cert /root/user_certificates/test_user_300_cert.pem --key /root/user_certificates/test_user_300_key.pem
Key password: 
Resource: http://authz-interop.org/xacml/resource/resource-type/wn
Decision: Permit
Obligation: http://glite.org/xacml/obligation/local-environment-map/posix (caller should resolve POSIX account mapping)
Username: dteam043
Group: dteam

Note that, to use pepcli against the https endpoint, you now have to authenticate with --cert and --key. Without these options pepcli fails with:

[root@vtb-generic-54 ~]# /opt/glite/bin/pepcli -p https://vtb-generic-54.cern.ch:8154/authz -c ./proxy_testuser_300  -r http://authz-interop.org/xacml/resource/resource-type/wn -a http://authz-interop.org/xacml/action/action-type/execute-now                                  
pepcli:ERROR: failed to authorize XACML request: [11]: authorize: processing error: PEPd[https://vtb-generic-54.cern.ch:8154/authz]: sending XACML request failed: curl[35]: SSL connect error.

It is possible to authenticate as user 300 and ask authorization for user 303 (MUPJ scenario):

[root@vtb-generic-54 ~]# /opt/glite/bin/pepcli -p https://vtb-generic-54.cern.ch:8154/authz -c ./proxy_testuser_303  -r http://authz-interop.org/xacml/resource/resource-type/wn -a http://authz-interop.org/xacml/action/action-type/execute-now --capath /etc/grid-security/certificates/ --cert /root/user_certificates/test_user_300_cert.pem --key /root/user_certificates/test_user_300_key.pem
Key password: 
Resource: http://authz-interop.org/xacml/resource/resource-type/wn
Decision: Deny
but not by passing only the subject DN (-s) instead of a proxy:
[root@vtb-generic-54 ~]# /opt/glite/bin/pepcli -p https://vtb-generic-54.cern.ch:8154/authz -s "CN=Test user 303,OU=GD,O=CERN,C=CH"  -r http://authz-interop.org/xacml/resource/resource-type/wn -a http://authz-interop.org/xacml/action/action-type/execute-now --capath /etc/grid-security/certificates/ --cert /root/user_certificates/test_user_300_cert.pem --key /root/user_certificates/test_user_300_key.pem
Key password: 
Decision: Deny
Status: urn:oasis:names:tc:xacml:1.0:status:processing-error
Status message: Subject did not contain the required subject certificate

Test report

Local tests

The current set of server tests available in CVS was successfully run during the automatic deployment.

Glexec requests

The glexec tests were done using the production WN with the new pep-c RPM glite-security-lcmaps-plugins-c-pep-1.0.3-1.sl5.x86_64.

Request with an allowed proxy user:

[testuser@vtb-generic-74 ~]$ ./glexec-test.sh proxy_testuser_300
vtb-generic-74.cern.ch
===
Fri Feb 12 11:40:21 CET 2010
===
uid=18758(dteam043) gid=2688(dteam)
Glexec returned 0

Request from a banned user:

[testuser@vtb-generic-74 ~]$ ./glexec-test.sh proxy_testuser_303
vtb-generic-74.cern.ch
===
Fri Feb 12 11:40:24 CET 2010
===
[gLExec]:   LCMAPS failed, see '/var/log/glexec/lcas_lcmaps.log' for more info.
Glexec returned 203

with lcas_lcmaps.log showing:

LCMAPS 1: 2010-02-12.11:40:24-23507 : checkResponseSanity: Error: the decision for result[0] is Deny. This means your request is not allowed to continue based on this decision.
LCMAPS 1: 2010-02-12.11:40:24-23507 : oh_process_uidgid: Error: checkResponseSanity() returned a failure condition in the response message. Stopped looking into the obligations

Using a proxy with the VO org.glite.voms-test, for which the PAP has no rule defined:

[testuser@vtb-generic-74 ~]$ ./glexec-test.sh proxy_testuser_300_ogvt 
vtb-generic-74.cern.ch
===
Fri Feb 12 11:51:35 CET 2010
===
[gLExec]:   LCMAPS failed, see '/var/log/glexec/lcas_lcmaps.log' for more info.
Glexec returned 203

with lcas_lcmaps.log showing:

LCMAPS 1: 2010-02-12.11:51:35-23553 : checkResponseSanity: Error: the decision for result[0] is Not Applicable. This means your request is not allowed to continue based on this decision.
LCMAPS 1: 2010-02-12.11:51:35-23553 : oh_process_uidgid: Error: checkResponseSanity() returned a failure condition in the response message. Stopped looking into the obligations

Upgrade from production

Argus was installed using the production repository via Yaimgen with:
[pcwww06] /home/gpucciani/svn/vnodeygen > ./vnode-ygen.sh -i SL5-64-DH -r prod -n glite-ARGUS
Creating a virtual machine with SL5-64-DH...
vNode CLI dir is /afs/cern.ch/user/p/pucciani/public/vnodecli/2.0.r52/
working on vtb-generic-52.cern.ch
Checking out new_usage branch of yaimgen on vtb-generic-52.cern.ch
/usr/bin/xauth:  creating new authority file /root/.Xauthority
Deploying glite-ARGUS on vtb-generic-52.cern.ch
Yaimgen called with argments: -r prod -n glite-ARGUS
INFO: Host: vtb-generic-52.cern.ch
INFO: Arch: SL5 x86_64, gLite 3.2
INFO: Calling yum update
INFO: Yum update executed
INFO: Creating repo files...
INFO: Downloading production repo http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/glite-ARGUS.repo
INFO: Installing glite-ARGUS pre-requisites
INFO: Installing default packages: ca_BitFace, ctb-vomscerts, java
which: no fetch-crl in (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin)
INFO: Target is glite-ARGUS
INFO: Installing glite-ARGUS
INFO: glite-ARGUS installed!
INFO: Retrieving host credentials
INFO: Downloading YAIM configuration files
INFO: Running pre-config script preconfig/preconfig-glite-ARGUS.sh
INFO: Script preconfig/preconfig-glite-ARGUS.sh executed!
INFO: Sourcing config/config-glite-ARGUS.sh
INFO: Running YAIM config for node glite-ARGUS_server
INFO: Command:/opt/glite/yaim/bin/yaim -c -s /etc/yaim/site-info.def -n glite-ARGUS_server
INFO: Running post-config script postconfig/postconfig-glite-ARGUS.sh
INFO: This program took 146 seconds to run
ERROR: Post-configuration postconfig/postconfig-glite-ARGUS.sh FAILED
IT'S BUSINESS TIME! Look at /var/log/yaimgen.log
yaimgen falied
Note that the post-configuration script failed because it had already been adapted to the new Argus 1.1 version.

The patch was installed and the service upgraded with:

[root@vtb-generic-52 yum.repos.d]# wget http://etics-repository.cern.ch/repository/pm/volatile/repomd/name/patch3536/etics-volatile-build-by-id.repo
--2010-02-12 15:37:17--  http://etics-repository.cern.ch/repository/pm/volatile/repomd/name/patch3536/etics-volatile-build-by-id.repo
Resolving etics-repository.cern.ch... 128.142.130.62
Connecting to etics-repository.cern.ch|128.142.130.62|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2591 (2.5K)
Saving to: `etics-volatile-build-by-id.repo'

100%[============================================================================>] 2,591       --.-K/s   in 0s      

2010-02-12 15:37:17 (124 MB/s) - `etics-volatile-build-by-id.repo' saved [2591/2591]

[root@vtb-generic-52 yum.repos.d]# yum upgrade
[...]
Updated:
  dnsmasq.x86_64 0:2.51-1.el5.rf                            glite-ARGUS.x86_64 0:3.2.2-1.sl5                          
  glite-authz-pap.noarch 0:1.1.1-1                          glite-authz-pdp.noarch 0:1.1.0-2                          
  glite-authz-pep-c.x86_64 0:1.3.0-2.sl5                    glite-authz-pep-c-cli.x86_64 0:1.3.0-2.sl5                
  glite-authz-pepd.noarch 0:1.1.1-1                         glite-yaim-argus_server.noarch 0:1.1.0-3                  
  ipw2200-firmware.noarch 0:3.0-3.nodist.rf                 lftp.x86_64 0:4.0.5-1.el5.rf                              
  mtr.x86_64 2:0.75-1.el5.rf                                nmap.x86_64 2:5.00-1.el5.rf                               
  rsync.x86_64 0:3.0.7-1.el5.rf                             subversion.x86_64 0:1.6.6-0.1.el5.rf                      
  syslinux.x86_64 0:3.84-1.el5.rf                           udftools.x86_64 0:1.0.0b3-3.el5.rf                        

Complete!

And the configuration was re-run:

[root@vtb-generic-52 preconfig]# /opt/glite/yaim/bin/yaim -c -s /etc/yaim/site-info.def -n glite-ARGUS_server
[...]
   INFO: Configuration Complete.                                               [  OK  ]
   INFO: YAIM terminated succesfully.

Post-configuration and test run:

[root@vtb-generic-52 postconfig]# ./postconfig-glite-ARGUS.sh 
Post-Configuration script for glite-ARGUS
Altering pap_authorization.ini
PAP authorization file changed
Ok.
PAP restarted
Removing current policies
Policies removed
Storing policy to permit glexec requests
Policy stored
Disabling PEP cache
Restarting PEP
PEP restarted
Restarting PDP
PDP restarted

[root@vtb-generic-52 test]# ./test-glite-ARGUS.sh 
Checking out Argus tests
Argus tests available
Building arguments list for Argus tests
Running Argus tests with arguments: 
Using ./ARGUS-certconfig
START Fri Feb 12 15:50:41 CET 2010 
------------------------------------------------
Log files will be stored in /tmp/logs_100212155041
*Running PAP-CLI tests
test-PAP-FUNC-2.sh PASSED
test-list-policies.sh PASSED
test-ban-unban.sh PASSED
test-ban-unban-fqan.sh PASSED
test-remove-all-policies.sh PASSED
test-remove-policies.sh PASSED
test-policy-from-file.sh PASSED
test-upp-from-file.sh PASSED
*Running PAP-management tests
add-remove-localpap.sh PASSED
en-disable-pap.sh PASSED
pap-ping.sh PASSED
refresh-cache.sh PASSED
set-get-pap-orders.sh PASSED
set-get-poll-interval.sh PASSED
test-authz.sh PASSED
update-pap.sh PASSED
*Running PDP tests
test-configuration.sh PASSED
*Running PEP tests
test-configuration.sh PASSED
TEST_PASSED
Argus tests passed

Bug fixes

The bugs attached to the patch have been checked and the Savannah items have been updated.

-- GianniPucciani - 02-Feb-2010

Topic revision: r9 - 2010-02-15 - GianniPucciani