Certification Report for Patch 2771

Server certification

One VOMS server with Oracle backend and one with MySQL were deployed. Simple and DNS name based VOs were configured (atlas and org.glite.voms-test). Results from the automatic testsuite:

VOMS-addMember               - OK
VOMS-assignRole              - OK
VOMS-crAttribute             - OK
VOMS-crGroup                 - OK
VOMS-crRole                  - OK
VOMS-crUser                  - OK
VOMS-crUserNocert            - OK
VOMS-delAttribute            - OK
VOMS-delGroup                - OK
VOMS-delGroupAttribute       - OK
VOMS-delRole                 - OK
VOMS-delRoleAttribute        - OK
VOMS-delUser                 - OK
VOMS-delUserAttribute        - OK
VOMS-dismissRole             - OK
VOMS-listAttributes          - OK
VOMS-listGroupAttributes     - OK
VOMS-listGroups              - OK
VOMS-listMembers             - OK
VOMS-listRoleAttributes      - OK
VOMS-listRoles               - OK
VOMS-listSubGroups           - OK
VOMS-listUserAttributes      - OK
VOMS-listUserGroups          - OK
VOMS-listUserRoles           - OK
VOMS-listUsers               - OK
VOMS-listUsrWithRol          - OK
VOMS-removeMember            - OK
VOMS-setGroupAttribute       - OK
VOMS-setRoleAttribute        - OK
VOMS-setUserAttribute        - OK
VOMS-pr-attr                 - OK
VOMS-pr-bits                 - OK
VOMS-pr-cert                 - OK
VOMS-pr-conf                 - OK
VOMS-pr-dbg                  - OK
VOMS-pr-genattr              - OK
VOMS-pr-hlp                  - OK
VOMS-pr-hours                - OK
VOMS-pr-ign                  - OK
VOMS-pr-key                  - OK
VOMS-pr-limit                - OK
VOMS-pr-list                 - OK
VOMS-pr-noreg                - OK
VOMS-pr-order                - OK
VOMS-pr-out                  - OK
VOMS-pr-pver                 - OK
VOMS-pr-pwst                 - OK
VOMS-pr-quiet                - OK
VOMS-pr-RoleOrder            - OK
VOMS-pr-usg                  - OK
VOMS-pr-valid                - OK
VOMS-pr-verify               - OK
VOMS-pr-vers                 - OK
VOMS-pr-vlf                  - OK
VOMS-pr-vomses               - OK
VOMS-pr-warn                 - OK

These tests were run for both backends. The VOs were also switched in short FQAN mode and the operations with short FQAN proxies were verified. Upgrade of already deployed and configured VOMS servers with the current production version of VOMS were tested. The latter were left unused for a day to check whether inactivity creates problem for the server (bug #44936).

A random predefined VO structure was used to test high load on the voms-core server, using several users to request proxies with a list of roles and groups and looking for problems over a night period. No problems found.

There are no regression tests. The update I did to the automatic testsuite in October included checks for reoccurring of known important voms-core bugs.

Clients certification

For all nodes affected (namely glite-CREAM, glite-FTA_oracle, glite-FTS_oracle, glite-LB, glite-LFC_mysql, glite-LFC_oracle, glite-SE_dpm_disk, glite-SE_dpm_mysql, glite-UI, glite-VOBOX, glite-WMS, glite-WN, lcg-CE) tests were performed with both short and long FQAN proxies. RFC proxies were tested as well. Both DNS and simple named VOs were used. These tests were performed on the pairs:

• the respective node with the production voms api installed against the old VOMS server (old proxies)
• the respective node with the production voms api installed against the new VOMS server (new proxies)
• the respective node with the new voms api installed against the old VOMS server (old proxies)
• the respective node with the new voms api installed against the new VOMS server (new proxies)

glite-UI

The VOMS testsuite was run from the UI as well. Same results as above.

The LFC testsuite was run to check the new VOMS API on the LFC node. Results OK.

*Running CLI test set*
Executing LFC-cli-delcom
LFC-cli-delcom PASSED
Executing LFC-cli-getacl
LFC-cli-getacl PASSED
Executing LFC-cli-ln
LFC-cli-ln PASSED
Executing LFC-cli-mkdir
LFC-cli-mkdir PASSED
Executing LFC-cli-ping
LFC-cli-ping PASSED
Executing LFC-cli-rename
LFC-cli-rename PASSED
Executing LFC-cli-rmdir
LFC-cli-rmdir PASSED
Executing LFC-cli-setacl
LFC-cli-setacl PASSED
Executing LFC-cli-setcom
LFC-cli-setcom PASSED

Generic data management tests run OK (checking the VOMS API updated on the DPM node)

*Running LCG_UTILS test set*
Executing DM-lcg-alias.sh
DM-lcg-alias.sh PASSED
Executing DM-lcg-cp-gsiftp.sh
DM-lcg-cp-gsiftp.sh PASSED
Executing DM-lcg-cp.sh
DM-lcg-cp.sh PASSED
Executing DM-lcg-cr-gsiftp.sh
DM-lcg-cr-gsiftp.sh PASSED
Executing DM-lcg-cr.sh
DM-lcg-cr.sh PASSED
Executing DM-lcg-list.sh
DM-lcg-list.sh PASSED
Executing DM-lcg-ls.sh
DM-lcg-ls.sh PASSED
Executing DM-lcg-rep.sh
DM-lcg-rep.sh PASSED
Executing DM-lcg-rf.sh
DM-lcg-rf.sh PASSED
*Running GFAL test set*
Executing test-gfal.sh
test-gfal.sh PASSED
WARNING! lcg-gt lcg-sd have been skipped due to bug #43002
Executing test-lcg-utils.sh
test-lcg-utils.sh PASSED

glite-FTA_oracle, glite-FTS_oracle

Both voms-api updated FTS/FTA and production one checked from the UI. Transfer jobs completed successfully. Proxy renewal functionality verified as working.

glite-LFC_mysql, glite-LFC_oracle

Both voms-api updated LFC and production one checked from the UI.

glite-SE_dpm_mysql, glite-SE_dpm_disk

Both voms-api updated DPM and production one checked from the UI.

glite-WN

Proxy manupulations checked manually with a predefined structure of the VOs. VOMS test suite not applicable because the voms-admin client is not available on the WN.

Data management checked from the WN as well as in the UI case. Same results as above.

glite-WMS, glite-LB

Jobs were submitted to both the lcg-CE and glite-CREAM via the WMS node. Communication between the proxy renewal-MyProxy and proxy renewal-VOMS were checked in detail when the simple proxy or the AC expires.

Problems were observed only when using short FQAN proxies. The proxy renewal daemon running on the WMS node fails to renew such a proxy. This resulted in the opening of bug #48025

lcg-CE

Jobs were submitted directly the the lcg-CE. No problems observed with both short and long FQAN proxies. LCAS/LCMAP issues with RFC proxies still present (see the bug below).

glite-CREAM

Jobs were submitted directly the the lcg-CE. No problems observed with both short and long FQAN proxies.

Bugs attached to this patch

VOMS libraries doesn't use symlink (bug #30454)

Checked. Only the noglobus dynamic library symlink creation is not fixed (because the RPM is not a part of this patch). This is not a problem for the reporter (Data Management) because they don't link against noglobus. The latter will be deprecated in the 1.9 series so this bug was moved to state "Fix certified".

Bug in org.glite.security.voms prevents building of dbgpthr flavors (bug #39947)

Not a functionality issue. Reported by VDT. Moved to state "Ready for review".

VOMS Java API vulnerability - Fake any role (bug #41883)

Moved to "Ready for review". The precertification report assured it was verified. (Needs coding to check; Vincenzo said he wrote a test and assured this is fixed as well). Not checked by me in order not to further delay this patch.

[VOMS]: Memory leak in the api (bug #43306)

Important problem affecting seriously LFC. Reproduced and verified as fixed.

[VOMS 1.8.8-2] VOMS server stops handling requests after 8 hrs (bug #44936)

Reproduced and verified as fixed.

Problem with VOMS API Java: for some VOs the .lsc file is not considered (bug #45330)

Verified by the submitter. Moved to "Fixed". CREAM will rely on that from now on so that this is not considered for regression testing.

"certificate in chain has been revoked" error with voms-api-java (bug #46505)

Verified by the submitter. Moved to "Fixed". CREAM will rely on that from now on so that this is not considered for regression testing.

VOMS_Init() breaks handling of new-style cert. proxies in Globus libraries (bug #47090)

Verified by the submitter. Moved to "Ready for review". The bug was discovered during new development and newer globus versions (not production related). However due to the nature of the fix, paranoid checks of all nodes that this patch touches were done. That is what broke the fix for the bug below, which was detached from the patch.

Bugs detached from this patch

gLite CE submission with RFC proxy chain failed (bug #45318)

Reintroduced by the fix for #47090. Detached from the patch.

Bugs opened during the certification of this patch

Proxy renewal problem (WMS node) when using short FQANs (bug #48025)

Scenario:

A VO operated in short FQAN mode; A job submitted using a proxy which first FQAN does not contain a role (a proxy created with "voms-proxy-init -voms vo_name" is enough to reproduce). The proxyrenewal daemon on the WMS node fails to renew such a proxy with the error "VOMS_Contact() failed". The log of the VOMS server shows that a wrong command was sent. 'B/vo_name:' instead of 'G/vo_name'.

From: org.glite.security.proxyrenewal/src/voms.c

attribs = (*voms_cert)->std;

if (attribs[0]->role == NULL || strcmp (attribs[0]->role, "NULL") == 0 )
ret = asprintf(command, "G%s", attribs[0]->group);
else
ret = asprintf(command, "B%s:%s", attribs[0]->group, attribs[0]->role);

, where voms_cert is VOMS_Init(NULL, NULL)->data

The VOMS API initializes with an empty string the field "role". Looks like either the VOMS API or the proxy renewal daemon needs to be changed.

-- DimitarShiyachki - 20 Apr 2009