Certification report for patch 4583

Savannah patch

https://savannah.cern.ch/patch/?4583

Clean installation

Starting from an SL5, X86_64 clean installation.

cd /etc/yum.repos.d/
wget http://etics-repository.cern.ch:8080/repository/pm/volatile/repomd/id/ac719f8c-acf2-4131-b3b1-2edf7c8d109a/sl5_x86_64_gcc412/etics-volatile-build-by-id.repo
yum update
yum install glite-VOMS_mysql

Clean installation log

Upgrade from production

Starting from a working gLite 3.2 VOMS production installation. Upgrade log

After shutting down tomcat and cleaning up work directories:

service tomcat5 stop
rm -rf $CATALINA_HOME/webapps/*
rm -rf $CATALINA_HOME/work/*
service tomcat5 start

The installation is reconfigured via YAIM and works as expected. YAIM upgrade log

Configuration

MySQL

[root@cert-voms-01 ~]# /etc/init.d/mysqld start
[root@cert-voms-01 ~]# mysqladmin -uroot password '***'
[root@cert-voms-01 ~]# mysql -uroot -p***
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> grant all on *.* to 'root'@'cert-voms-01' identified by '***';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all on *.* to 'root'@'cert-voms-01.cnaf.infn.it' identified by '***';
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye

YAIM

[root@cert-voms-01 ~]# cat siteinfo/site-info.def 
MYSQL_PASSWORD="***"
SITE_NAME="voms-certification.cnaf.infn.it"
VOS="cert.mysql"

root@cert-voms-01 ~]# cat siteinfo/services/glite-voms
# VOMS server hostname
VOMS_HOST=cert-voms-01.cnaf.infn.it 
VOMS_DB_HOST='localhost'

VO_CERT_MYSQL_VOMS_PORT=15000
VO_CERT_MYSQL_VOMS_DB_USER=cert_mysql_user
VO_CERT_MYSQL_VOMS_DB_PASS=***
VO_CERT_MYSQL_VOMS_DB_NAME=voms_cert_mysql_user

VOMS_ADMIN_SMTP_HOST=iris.cnaf.infn.it
VOMS_ADMIN_MAIL=andrea.ceccanti@cnaf.infn.it

VOMS_ADMIN_CERT=/root/andreacert.pem

VOMS Admin

  • Add host certificate as administrator to the VO:
    [root@cert-voms-01 ~]# /opt/glite/sbin/voms-db-deploy.py add-admin --vo cert.mysql --cert hostcert.pem 
    Admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA' not found. It will be created...
    Adding ALL permissions on '/cert.mysql' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'
    Adding ALL permissions on role '/cert.mysql/Role=VO-Admin' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'
    

Certification

Basic checks

  • Check that VOMS admin responds:
    [root@cert-voms-01 ~]# voms-admin --vo cert.mysql list-groups
     /cert.mysql
    [root@cert-voms-01 ~]# voms-admin --vo cert.mysql list-users
    No users found in vo!
    

  • Create personal user:
    [root@cert-voms-01 ~]# voms-admin --vo cert.mysql create-user andreacert.pem 
    [root@cert-voms-01 ~]# voms-admin --vo cert.mysql list-users
    /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti, /C=IT/O=INFN/CN=INFN CA - andrea.ceccanti@cnaf.infn.it
    

  • Create VOMS proxy:
    [andrea@voms-rd02-21 ~]$ voms-proxy-init -voms cert.mysql
    Enter GRID pass phrase:
    Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    Creating temporary proxy .................................................. Done
    Contacting  cert-voms-01.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it] "cert.mysql" Done
    Creating proxy .................................................... Done
    Your proxy is valid until Wed Dec 22 02:49:53 2010
    [andrea@voms-rd02-21 ~]$ voms-proxy-info -all
    subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti/CN=proxy
    issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    type      : proxy
    strength  : 1024 bits
    path      : /tmp/x509up_u503
    timeleft  : 11:59:55
    === VO cert.mysql extension information ===
    VO        : cert.mysql
    subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it
    attribute : /cert.mysql/Role=NULL/Capability=NULL
    timeleft  : 11:59:55
    uri       : cert-voms-01.cnaf.infn.it:15000
    

VOMS Admin test suite

Test VOMS-addMember   - OK
Test VOMS-assignRole   - OK
Test VOMS-crAttribute   - OK
Test VOMS-crGroup   - OK
Test VOMS-crRole   - OK
Test VOMS-crUser   - OK
Test VOMS-crUserNocert   - OK
Test VOMS-delAttribute   - OK
Test VOMS-delGroup   - OK
Test VOMS-delGroupAttribute   - OK
Test VOMS-delRole   - OK
Test VOMS-delRoleAttribute   - OK
Test VOMS-delUser   - OK
Test VOMS-delUserAttribute   - OK
Test VOMS-dismissRole   - OK
Test VOMS-listAttributes   - OK
Test VOMS-listGroupAttributes   - OK
Test VOMS-listGroups   - OK
Test VOMS-listMembers   - OK
Test VOMS-listRoleAttributes   - OK
Test VOMS-listRoles   - OK
Test VOMS-listSubGroups   - OK
Test VOMS-listUserAttributes   - OK
Test VOMS-listUserGroups   - OK
Test VOMS-listUserRoles   - OK
Test VOMS-listUsers   - OK
Test VOMS-listUsrWithRol   - OK
Test VOMS-removeMember   - OK
Test VOMS-setGroupAttribute   - OK
Test VOMS-setRoleAttribute   - OK
Test VOMS-setUserAttribute   - OK

Attached bugs

VOMS Admin gives terrifying error message when database is not reachable (https://savannah.cern.ch/bugs/?45425)

Less messages are printed by default by loggers. Logging configuration can be tuned by changing the verbosity of logger

<logger name="com.mchange" level="ERROR" />

to the WARN, INFO, DEBUG levels in $GLITE_LOCATION_VAR/etc/voms-admin/<VO_NAME>/logback.runtime.xml for the VO logs and in $GLITE_LOCATION/share/voms-admin/tools/classes/logback.xml for the database deploy scripts.

The voms-db-deploy.py utility also provides a method to check the connectivity to the database:

[root@cert-voms-01 classes]# /opt/glite/sbin/voms-db-deploy.py check-connectivity --vo cert.mysql
Checking database connectivity...
Connections could not be acquired from the underlying database!

===========================================================================================================================
Error connecting to the voms database! Check your database settings and ensure that the database backend is up and running.
============================================================================================================================

VOMS Admin background tasks are not resilient to transient database failures (https://savannah.cern.ch/bugs/?45567)

Fixed. Shutted down the database and checked that the background tasks do not die when the database is not reachable.

log excerpt:
16:16:38.935 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - UpdateCATask task done.
16:16:38.935 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - TaskStatusUpdater task starting...
16:16:38.956 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - TaskStatusUpdater task done.
16:16:38.957 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - ExpiredRequestsPurgerTask task starting...
16:16:38.964 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - ExpiredRequestsPurgerTask task done.
16:16:40.657 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - MembershipCheckerTask task starting...
16:16:40.760 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - MembershipCheckerTask task done.

After shutting down mysqld:

Last packet sent to the server was 1 ms ago.
   at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:2622) [mysql-connector-java-5.0.7.jar:na]
   at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:2916) [mysql-connector-java-5.0.7.jar:na]
   at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1631) [mysql-connector-java-5.0.7.jar:na]
   at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:1723) [mysql-connector-java-5.0.7.jar:na]
   at com.mysql.jdbc.Connection.execSQL(Connection.java:3250) [mysql-connector-java-5.0.7.jar:na]
   at com.mysql.jdbc.Connection.setAutoCommit(Connection.java:5395) [mysql-connector-java-5.0.7.jar:na]
   at com.mchange.v2.c3p0.impl.NewProxyConnection.setAutoCommit(NewProxyConnection.java:881) [c3p0-0.9.1.jar:0.9.1]
   at org.hibernate.connection.C3P0ConnectionProvider.getConnection(C3P0ConnectionProvider.java:61) [hibernate-3.2.6.ga.jar:3.2.6.ga]
   at org.hibernate.jdbc.ConnectionManager.openConnection(ConnectionManager.java:423) [hibernate-3.2.6.ga.jar:3.2.6.ga]
   ... 15 common frames omitted
16:17:38.735 [pool-1-thread-1] - ERROR o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - Swallowing the exception hoping it's a temporary failure.
...
Caused by: java.sql.SQLException: Connections could not be acquired from the underlying database!
   at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:106) [c3p0-0.9.1.jar:0.9.1]
   at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:529) [c3p0-0.9.1.jar:0.9.1]
   at com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBackedDataSource.java:128) [c3p0-0.9.1.jar:0.9.1]
   at org.hibernate.connection.C3P0ConnectionProvider.getConnection(C3P0ConnectionProvider.java:56) [hibernate-3.2.6.ga.jar:3.2.6.ga]
   at org.hibernate.jdbc.ConnectionManager.openConnection(ConnectionManager.java:423) [hibernate-3.2.6.ga.jar:3.2.6.ga]
   ... 15 common frames omitted
Caused by: com.mchange.v2.resourcepool.CannotAcquireResourceException: A ResourcePool could not acquire a resource from its primary factory or source.
   at com.mchange.v2.resourcepool.BasicResourcePool.awaitAvailable(BasicResourcePool.java:1319) [c3p0-0.9.1.jar:0.9.1]
   at com.mchange.v2.resourcepool.BasicResourcePool.prelimCheckoutResource(BasicResourcePool.java:557) [c3p0-0.9.1.jar:0.9.1]
   at com.mchange.v2.resourcepool.BasicResourcePool.checkoutResource(BasicResourcePool.java:477) [c3p0-0.9.1.jar:0.9.1]
   at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:525) [c3p0-0.9.1.jar:0.9.1]
   ... 18 common frames omitted
16:18:10.958 [pool-1-thread-1] - ERROR o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - Swallowing the exception hoping it's a temporary failure.
...

After mysql restart:

16:20:38.732 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - TaskStatusUpdater task starting...
16:20:38.738 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - TaskStatusUpdater task done.
...
16:21:38.742 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - ExpiredRequestsPurgerTask task starting...
16:21:38.744 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - ExpiredRequestsPurgerTask task done.
16:21:40.656 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - MembershipCheckerTask task starting...
16:21:40.668 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - MembershipCheckerTask task done.

VOMS Admin should provide a way to see and manage unconfirmed request (https://savannah.cern.ch/bugs/?55988)

Fixed. Now VOMS Admin shows requests waiting for user confirmation in the admin home page.

Schermata_2010-12-21_a_16.28.29.png

[VOMS-ADMIN-2.5] Unhandled exception on adding ACL for a non-VO member (https://savannah.cern.ch/bugs/?60323)

Fixed. Now validation is performed correctly.

Schermata_2010-12-21_a_16.33.57.png

VOMS-Admin shows error to VO applicant if there is an SMTP error delivering a notification to a VO-admin (https://savannah.cern.ch/bugs/?62266)

Fixed. No error is shown to the user now even if one of the admins has an incorrect email message or the SMTP server is badly configured, but the exception is reported in the logs:

16:45:04.642 [pool-4-thread-1] - ERROR o.g.s.v.a.n.m.EmailNotification - Error setting up email notification!
org.apache.commons.mail.EmailException: Sending the email to the following server failed : wrong-host.cnaf.infn.it:25
   at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1138) [commons-email-1.1.jar:1.1]
   at org.apache.commons.mail.Email.send(Email.java:1163) [commons-email-1.1.jar:1.1]
   at org.glite.security.voms.admin.notification.messages.EmailNotification.send(EmailNotification.java:189) [EmailNotification.class:na]
   at org.glite.security.voms.admin.notification.NotificationService$NotificationRunner.run(NotificationService.java:104) [NotificationService$NotificationRunner.class:na]
   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441) [na:1.6.0_22]
   at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303) [na:1.6.0_22]
   at java.util.concurrent.FutureTask.run(FutureTask.java:138) [na:1.6.0_22]
   at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [na:1.6.0_22]
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [na:1.6.0_22]
   at java.lang.Thread.run(Thread.java:662) [na:1.6.0_22]
Caused by: javax.mail.SendFailedException: Send failed;

Membership expiration date format problem (https://savannah.cern.ch/bugs/?68966)

Fixed. Now the date can be set only using the datepicker control and the formatting respects the locale set for the application.

[VOMS-Admin] There are possible vulnerabilities in VOMS-Admin (https://savannah.cern.ch/bugs/?76587)

Fixed.

[VOMS] yaim voms ships confusing template configuration files (https://savannah.cern.ch/bugs/?76610)

Fixed.

[VOMS Admin] User request forms do not work as expected (https://savannah.cern.ch/bugs/?76628)

Fixed.

[VOMS Admin] Registration should be turned off when the service is started in read only mode (https://savannah.cern.ch/bugs/?76837)

Fixed.

[VOMS Admin] VOMS admin CA updater not started when registration is disabled (https://savannah.cern.ch/bugs/?76838)

Fixed.

[VOMS Admin] No notification sent to users when a membership removal request is approved/rejected by administrators (https://savannah.cern.ch/bugs/?76839)

Fixed.

[VOMS Admin] No notification is sent to administrators when a membership removal request is submitted by users (https://savannah.cern.ch/bugs/?76840)

Fixed.

[VOMS Admin] Submitting a request for the same certificate twice causes a stack trace to be printed (https://savannah.cern.ch/bugs/?76841)

Fixed.

[VOMS Admin] The notification delivery fails when all the admins have empty email addresses (https://savannah.cern.ch/bugs/?76842)

Fixed.

New features

Configurable anti-CSRF filter on the web service interfaces

After turning on the check via YAIM:

root@cert-voms-01 ~]# cat siteinfo/services/glite-voms | grep CSRF
VOMS_ADMIN_WS_CSRF_LOG_ONLY=false

voms-admin client version 2.0.15 succeds in accessing the web services:

[root@cert-voms-01 ~]# voms-admin --version
voms-admin v. 2.0.15
[root@cert-voms-01 ~]# voms-admin --vo cert.mysql list-users
No users found in vo

while older versions fail since no anti-CSRF header is present in client requests:

[andrea@voms-rd02-21 ~]$ voms-admin --version
voms-admin v. 2.0.14
[andrea@voms-rd02-21 ~]$ voms-admin --host cert-voms-01.cnaf.infn.it --vo cert.mysql list-groups
org.glite.security.voms.admin.error.VOMSException: CSRF header guard missing from request!

Looking at the service log, it can be seen that the request was stopped:

17:37:40.962 [TP-Processor25] - WARN  o.g.s.v.a.service.CSRFGuardHandler - Incoming request from 192.168.100.21:44931 is missing CSRF prevention HTTP header

Check connectivity method in voms-db-deploy.py

voms-db-deploy.py now offers a check connectivity method that can be used to test connectivity to the database.

[root@cert-voms-01 ~]# /opt/glite/sbin/voms-db-deploy.py check-connectivity --vo cert.mysql
Checking database connectivity...
Database contacted succesfully
Checking database existence...
Found existing voms-admin 2.5.x database...

Topic attachments
I Attachment History Action Size Date Who Comment
PNGpng Schermata_2010-12-21_a_16.28.29.png r2 r1 manage 70.2 K 2010-12-21 - 16:30 UnknownUser VOMS unconfirmed requests management page
PNGpng Schermata_2010-12-21_a_16.33.57.png r1 manage 92.6 K 2010-12-21 - 16:34 UnknownUser VOMS admin ACL input validation fix
Unknown file formatext full_result r1 manage 15.0 K 2010-12-21 - 15:38 UnknownUser VOMS Admin cli testsuite execution
Texttxt yaim-upgrade-log.txt r1 manage 7.1 K 2011-01-14 - 12:07 UnknownUser YAIM upgrade log
Texttxt yum-installation.txt r1 manage 81.6 K 2011-01-14 - 11:09 UnknownUser Yum clean log installation
Texttxt yum-upgrade.txt r1 manage 11.5 K 2011-01-14 - 12:06 UnknownUser Yum upgrade installation log
Edit | Attach | Watch | Print version | History: r6 < r5 < r4 < r3 < r2 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r6 - 2011-01-14 - unknown
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EGEE All webs login

This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright & by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Ask a support question or Send feedback