Certification report for patch 4583

Savannah patch

https://savannah.cern.ch/patch/?4583

Clean installation

Starting from a clean SL5 x86_64 installation.

cd /etc/yum.repos.d/
wget http://etics-repository.cern.ch:8080/repository/pm/volatile/repomd/id/ac719f8c-acf2-4131-b3b1-2edf7c8d109a/sl5_x86_64_gcc412/etics-volatile-build-by-id.repo
yum update
yum install glite-VOMS_mysql

Clean installation log

Upgrade from production

Starting from a working gLite 3.2 VOMS production installation. Upgrade log

After shutting down tomcat and cleaning up the deployed webapps and work directories (CATALINA_HOME must be set in the shell that runs these commands, otherwise the two rm -rf globs expand against the filesystem root):

service tomcat5 stop
rm -rf $CATALINA_HOME/webapps/*
rm -rf $CATALINA_HOME/work/*
service tomcat5 start

The installation is reconfigured via YAIM and works as expected. YAIM upgrade log

Configuration

MySQL

[root@cert-voms-01 ~]# /etc/init.d/mysqld start
[root@cert-voms-01 ~]# mysqladmin -uroot password '***'
[root@cert-voms-01 ~]# mysql -uroot -p***
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> grant all on *.* to 'root'@'cert-voms-01' identified by '***';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all on *.* to 'root'@'cert-voms-01.cnaf.infn.it' identified by '***';
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye

YAIM

[root@cert-voms-01 ~]# cat siteinfo/site-info.def 
MYSQL_PASSWORD="***"
SITE_NAME="voms-certification.cnaf.infn.it"
VOS="cert.mysql"

[root@cert-voms-01 ~]# cat siteinfo/services/glite-voms
# VOMS server hostname
VOMS_HOST=cert-voms-01.cnaf.infn.it 
VOMS_DB_HOST='localhost'

VO_CERT_MYSQL_VOMS_PORT=15000
VO_CERT_MYSQL_VOMS_DB_USER=cert_mysql_user
VO_CERT_MYSQL_VOMS_DB_PASS=***
VO_CERT_MYSQL_VOMS_DB_NAME=voms_cert_mysql_user

VOMS_ADMIN_SMTP_HOST=iris.cnaf.infn.it
VOMS_ADMIN_MAIL=andrea.ceccanti@cnaf.infn.it

VOMS_ADMIN_CERT=/root/andreacert.pem

VOMS Admin

  • Add host certificate as administrator to the VO:
    [root@cert-voms-01 ~]# /opt/glite/sbin/voms-db-deploy.py add-admin --vo cert.mysql --cert hostcert.pem 
    Admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA' not found. It will be created...
    Adding ALL permissions on '/cert.mysql' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'
    Adding ALL permissions on role '/cert.mysql/Role=VO-Admin' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'
    

Certification

Basic checks

  • Check that VOMS admin responds:
    [root@cert-voms-01 ~]# voms-admin --vo cert.mysql list-groups
     /cert.mysql
    [root@cert-voms-01 ~]# voms-admin --vo cert.mysql list-users
    No users found in vo!
    

  • Create personal user:
    [root@cert-voms-01 ~]# voms-admin --vo cert.mysql create-user andreacert.pem 
    [root@cert-voms-01 ~]# voms-admin --vo cert.mysql list-users
    /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti, /C=IT/O=INFN/CN=INFN CA - andrea.ceccanti@cnaf.infn.it
    

  • Create VOMS proxy:
    [andrea@voms-rd02-21 ~]$ voms-proxy-init -voms cert.mysql
    Enter GRID pass phrase:
    Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    Creating temporary proxy .................................................. Done
    Contacting  cert-voms-01.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it] "cert.mysql" Done
    Creating proxy .................................................... Done
    Your proxy is valid until Wed Dec 22 02:49:53 2010
    [andrea@voms-rd02-21 ~]$ voms-proxy-info -all
    subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti/CN=proxy
    issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    type      : proxy
    strength  : 1024 bits
    path      : /tmp/x509up_u503
    timeleft  : 11:59:55
    === VO cert.mysql extension information ===
    VO        : cert.mysql
    subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it
    attribute : /cert.mysql/Role=NULL/Capability=NULL
    timeleft  : 11:59:55
    uri       : cert-voms-01.cnaf.infn.it:15000
    

VOMS Admin test suite

Test VOMS-addMember   - OK
Test VOMS-assignRole   - OK
Test VOMS-crAttribute   - OK
Test VOMS-crGroup   - OK
Test VOMS-crRole   - OK
Test VOMS-crUser   - OK
Test VOMS-crUserNocert   - OK
Test VOMS-delAttribute   - OK
Test VOMS-delGroup   - OK
Test VOMS-delGroupAttribute   - OK
Test VOMS-delRole   - OK
Test VOMS-delRoleAttribute   - OK
Test VOMS-delUser   - OK
Test VOMS-delUserAttribute   - OK
Test VOMS-dismissRole   - OK
Test VOMS-listAttributes   - OK
Test VOMS-listGroupAttributes   - OK
Test VOMS-listGroups   - OK
Test VOMS-listMembers   - OK
Test VOMS-listRoleAttributes   - OK
Test VOMS-listRoles   - OK
Test VOMS-listSubGroups   - OK
Test VOMS-listUserAttributes   - OK
Test VOMS-listUserGroups   - OK
Test VOMS-listUserRoles   - OK
Test VOMS-listUsers   - OK
Test VOMS-listUsrWithRol   - OK
Test VOMS-removeMember   - OK
Test VOMS-setGroupAttribute   - OK
Test VOMS-setRoleAttribute   - OK
Test VOMS-setUserAttribute   - OK

Attached bugs

VOMS Admin gives terrifying error message when database is not reachable (https://savannah.cern.ch/bugs/?45425)

Fewer messages are printed by default by the loggers. Logging verbosity can be tuned by changing the level of the logger

<logger name="com.mchange" level="ERROR" />

to WARN, INFO or DEBUG in $GLITE_LOCATION_VAR/etc/voms-admin/<VO_NAME>/logback.runtime.xml for the VO logs, and in $GLITE_LOCATION/share/voms-admin/tools/classes/logback.xml for the database deploy scripts.

The voms-db-deploy.py utility also provides a method to check the connectivity to the database:

[root@cert-voms-01 classes]# /opt/glite/sbin/voms-db-deploy.py check-connectivity --vo cert.mysql
Checking database connectivity...
Connections could not be acquired from the underlying database!

===========================================================================================================================
Error connecting to the voms database! Check your database settings and ensure that the database backend is up and running.
============================================================================================================================

VOMS Admin background tasks are not resilient to transient database failures (https://savannah.cern.ch/bugs/?45567)

Fixed. Shut down the database and checked that the background tasks do not die while the database is unreachable.

log excerpt:
16:16:38.935 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - UpdateCATask task done.
16:16:38.935 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - TaskStatusUpdater task starting...
16:16:38.956 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - TaskStatusUpdater task done.
16:16:38.957 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - ExpiredRequestsPurgerTask task starting...
16:16:38.964 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - ExpiredRequestsPurgerTask task done.
16:16:40.657 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - MembershipCheckerTask task starting...
16:16:40.760 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - MembershipCheckerTask task done.

After shutting down mysqld:

Last packet sent to the server was 1 ms ago.
   at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:2622) [mysql-connector-java-5.0.7.jar:na]
   at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:2916) [mysql-connector-java-5.0.7.jar:na]
   at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1631) [mysql-connector-java-5.0.7.jar:na]
   at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:1723) [mysql-connector-java-5.0.7.jar:na]
   at com.mysql.jdbc.Connection.execSQL(Connection.java:3250) [mysql-connector-java-5.0.7.jar:na]
   at com.mysql.jdbc.Connection.setAutoCommit(Connection.java:5395) [mysql-connector-java-5.0.7.jar:na]
   at com.mchange.v2.c3p0.impl.NewProxyConnection.setAutoCommit(NewProxyConnection.java:881) [c3p0-0.9.1.jar:0.9.1]
   at org.hibernate.connection.C3P0ConnectionProvider.getConnection(C3P0ConnectionProvider.java:61) [hibernate-3.2.6.ga.jar:3.2.6.ga]
   at org.hibernate.jdbc.ConnectionManager.openConnection(ConnectionManager.java:423) [hibernate-3.2.6.ga.jar:3.2.6.ga]
   ... 15 common frames omitted
16:17:38.735 [pool-1-thread-1] - ERROR o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - Swallowing the exception hoping it's a temporary failure.
...
Caused by: java.sql.SQLException: Connections could not be acquired from the underlying database!
   at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:106) [c3p0-0.9.1.jar:0.9.1]
   at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:529) [c3p0-0.9.1.jar:0.9.1]
   at com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBackedDataSource.java:128) [c3p0-0.9.1.jar:0.9.1]
   at org.hibernate.connection.C3P0ConnectionProvider.getConnection(C3P0ConnectionProvider.java:56) [hibernate-3.2.6.ga.jar:3.2.6.ga]
   at org.hibernate.jdbc.ConnectionManager.openConnection(ConnectionManager.java:423) [hibernate-3.2.6.ga.jar:3.2.6.ga]
   ... 15 common frames omitted
Caused by: com.mchange.v2.resourcepool.CannotAcquireResourceException: A ResourcePool could not acquire a resource from its primary factory or source.
   at com.mchange.v2.resourcepool.BasicResourcePool.awaitAvailable(BasicResourcePool.java:1319) [c3p0-0.9.1.jar:0.9.1]
   at com.mchange.v2.resourcepool.BasicResourcePool.prelimCheckoutResource(BasicResourcePool.java:557) [c3p0-0.9.1.jar:0.9.1]
   at com.mchange.v2.resourcepool.BasicResourcePool.checkoutResource(BasicResourcePool.java:477) [c3p0-0.9.1.jar:0.9.1]
   at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:525) [c3p0-0.9.1.jar:0.9.1]
   ... 18 common frames omitted
16:18:10.958 [pool-1-thread-1] - ERROR o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - Swallowing the exception hoping it's a temporary failure.
...

After mysql restart:

16:20:38.732 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - TaskStatusUpdater task starting...
16:20:38.738 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - TaskStatusUpdater task done.
...
16:21:38.742 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - ExpiredRequestsPurgerTask task starting...
16:21:38.744 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - ExpiredRequestsPurgerTask task done.
16:21:40.656 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - MembershipCheckerTask task starting...
16:21:40.668 [pool-1-thread-1] - DEBUG o.g.s.v.a.c.t.DatabaseTransactionTaskWrapper - MembershipCheckerTask task done.

VOMS Admin should provide a way to see and manage unconfirmed request (https://savannah.cern.ch/bugs/?55988)

Fixed. Now VOMS Admin shows requests waiting for user confirmation in the admin home page.

Schermata_2010-12-21_a_16.28.29.png

[VOMS-ADMIN-2.5] Unhandled exception on adding ACL for a non-VO member (https://savannah.cern.ch/bugs/?60323)

Fixed. Now validation is performed correctly.

Schermata_2010-12-21_a_16.33.57.png

VOMS-Admin shows error to VO applicant if there is an SMTP error delivering a notification to a VO-admin (https://savannah.cern.ch/bugs/?62266)

Fixed. No error is shown to the user now, even if one of the admins has an incorrect email address or the SMTP server is badly configured; the exception is reported in the logs instead:

16:45:04.642 [pool-4-thread-1] - ERROR o.g.s.v.a.n.m.EmailNotification - Error setting up email notification!
org.apache.commons.mail.EmailException: Sending the email to the following server failed : wrong-host.cnaf.infn.it:25
   at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1138) [commons-email-1.1.jar:1.1]
   at org.apache.commons.mail.Email.send(Email.java:1163) [commons-email-1.1.jar:1.1]
   at org.glite.security.voms.admin.notification.messages.EmailNotification.send(EmailNotification.java:189) [EmailNotification.class:na]
   at org.glite.security.voms.admin.notification.NotificationService$NotificationRunner.run(NotificationService.java:104) [NotificationService$NotificationRunner.class:na]
   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441) [na:1.6.0_22]
   at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303) [na:1.6.0_22]
   at java.util.concurrent.FutureTask.run(FutureTask.java:138) [na:1.6.0_22]
   at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [na:1.6.0_22]
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [na:1.6.0_22]
   at java.lang.Thread.run(Thread.java:662) [na:1.6.0_22]
Caused by: javax.mail.SendFailedException: Send failed;
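The log excerpts for bugs #45567 and #62266 above show the same pattern: a background thread (the scheduled-task wrapper in one case, the notification runner in the other) catches the exception, logs it, and keeps going, instead of letting it kill the thread or surface to the user. The following Python sketch is an added example, not voms-admin code; it models the database case with a constructed stand-in for mysqld, and every class and function name in it (FlakyDatabase, TaskWrapper, TaskScheduler, simulate_outage) is hypothetical. simulate_outage() replays the healthy / outage / recovery sequence from the log, and unwrapped_task_dies() shows the pre-fix behaviour for contrast.

```python
"""Background task wrapper that survives transient database failures.

Added example (not voms-admin code).  Each scheduled task runs inside a
wrapper that opens a transaction; if the backend is unreachable the wrapper
logs the exception and returns normally, so the scheduler keeps ticking and
the task is retried on the next run.
"""
import logging

log = logging.getLogger("DatabaseTransactionTaskWrapper")


class DatabaseUnavailable(Exception):
    """Stands in for the c3p0 'Connections could not be acquired' SQLException."""


class FlakyDatabase:
    """Constructed stand-in for mysqld: refuses connections while 'down'."""

    def __init__(self):
        self.up = True
        self.commits = 0

    def begin(self):
        if not self.up:
            raise DatabaseUnavailable(
                "Connections could not be acquired from the underlying database!")

    def commit(self):
        self.commits += 1


class TaskWrapper:
    """Runs one task inside a transaction and never lets an exception escape."""

    def __init__(self, name, db, body):
        self.name, self.db, self.body = name, db, body
        self.runs = 0        # successful completions
        self.swallowed = 0   # failures that were logged and ignored

    def __call__(self):
        log.debug("%s task starting...", self.name)
        try:
            self.db.begin()
            self.body()
            self.db.commit()
            self.runs += 1
            log.debug("%s task done.", self.name)
        except Exception:
            # The fix the report certifies: before it, the exception escaped
            # and the executor thread running the task died for good.
            self.swallowed += 1
            log.error("Swallowing the exception hoping it's a temporary failure.",
                      exc_info=True)


class TaskScheduler:
    """Minimal fixed-rate scheduler: one tick runs every registered task once."""

    def __init__(self):
        self.tasks = []

    def schedule(self, task):
        self.tasks.append(task)

    def tick(self):
        for task in self.tasks:
            task()   # a raising task would abort the loop; TaskWrapper prevents that


def simulate_outage():
    """Replay the report's scenario: healthy, mysqld down for two ticks, back up."""
    db = FlakyDatabase()
    sched = TaskScheduler()
    checker = TaskWrapper("MembershipCheckerTask", db, lambda: None)
    purger = TaskWrapper("ExpiredRequestsPurgerTask", db, lambda: None)
    sched.schedule(checker)
    sched.schedule(purger)

    sched.tick()                  # healthy: both tasks commit
    db.up = False
    sched.tick(); sched.tick()    # outage: both tasks fail twice, nothing dies
    db.up = True
    sched.tick()                  # recovery: tasks resume on the next tick
    return {
        "commits": db.commits,
        "checker_runs": checker.runs, "checker_swallowed": checker.swallowed,
        "purger_runs": purger.runs, "purger_swallowed": purger.swallowed,
    }


def unwrapped_task_dies():
    """Contrast: a task scheduled without the wrapper kills the tick loop."""
    db = FlakyDatabase()
    db.up = False
    sched = TaskScheduler()
    sched.schedule(db.begin)
    try:
        sched.tick()
    except DatabaseUnavailable:
        return True
    return False
```

The wrapper deliberately catches Exception rather than only the connection error: a half-applied transaction from any cause should be logged and retried on the next tick, not allowed to take the whole scheduler thread down with it.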

Membership expiration date format problem (https://savannah.cern.ch/bugs/?68966)

Fixed. Now the date can be set only using the datepicker control and the formatting respects the locale set for the application.

[VOMS-Admin] There are possible vulnerabilities in VOMS-Admin (https://savannah.cern.ch/bugs/?76587)

Fixed.

[VOMS] yaim voms ships confusing template configuration files (https://savannah.cern.ch/bugs/?76610)

Fixed.

[VOMS Admin] User request forms do not work as expected (https://savannah.cern.ch/bugs/?76628)

Fixed.

[VOMS Admin] Registration should be turned off when the service is started in read only mode (https://savannah.cern.ch/bugs/?76837)

Fixed.

[VOMS Admin] VOMS admin CA updater not started when registration is disabled (https://savannah.cern.ch/bugs/?76838)

Fixed.

[VOMS Admin] No notification sent to users when a membership removal request is approved/rejected by administrators (https://savannah.cern.ch/bugs/?76839)

Fixed.

[VOMS Admin] No notification is sent to administrators when a membership removal request is submitted by users (https://savannah.cern.ch/bugs/?76840)

Fixed.

[VOMS Admin] Submitting a request for the same certificate twice causes a stack trace to be printed (https://savannah.cern.ch/bugs/?76841)

Fixed.

[VOMS Admin] The notification delivery fails when all the admins have empty email addresses (https://savannah.cern.ch/bugs/?76842)

Fixed.

New features

Configurable anti-CSRF filter on the web service interfaces

After turning on the check via YAIM:

[root@cert-voms-01 ~]# cat siteinfo/services/glite-voms | grep CSRF
VOMS_ADMIN_WS_CSRF_LOG_ONLY=false

voms-admin client version 2.0.15 succeeds in accessing the web services:

[root@cert-voms-01 ~]# voms-admin --version
voms-admin v. 2.0.15
[root@cert-voms-01 ~]# voms-admin --vo cert.mysql list-users
No users found in vo

while older versions fail since no anti-CSRF header is present in client requests:

[andrea@voms-rd02-21 ~]$ voms-admin --version
voms-admin v. 2.0.14
[andrea@voms-rd02-21 ~]$ voms-admin --host cert-voms-01.cnaf.infn.it --vo cert.mysql list-groups
org.glite.security.voms.admin.error.VOMSException: CSRF header guard missing from request!

Looking at the service log, it can be seen that the request was stopped:

17:37:40.962 [TP-Processor25] - WARN  o.g.s.v.a.service.CSRFGuardHandler - Incoming request from 192.168.100.21:44931 is missing CSRF prevention HTTP header
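The guard works because a browser will not attach a custom HTTP header to a cross-site request without a CORS preflight, while VOMS Admin authenticates web clients with X.509 certificates that the browser presents automatically; requiring the header therefore blocks browser-originated forgeries but costs a real client (voms-admin 2.0.15 above) nothing. The following Python WSGI middleware is an added example, not voms-admin's filter: the header name X-VOMS-CSRF-GUARD, the 403 body and the endpoint path are assumptions, and list_groups_app and send_request are constructed stand-ins for the service and for a client request. It reproduces the two modes the YAIM variable VOMS_ADMIN_WS_CSRF_LOG_ONLY selects.

```python
"""Header-based anti-CSRF guard for a web-service endpoint, as WSGI middleware.

Added example, not voms-admin code.  Header name, response body and endpoint
path are assumptions; the page only shows the log line and the client error.
"""
import logging

log = logging.getLogger("CSRFGuardHandler")

GUARD_HEADER = "X-VOMS-CSRF-GUARD"                               # assumed name
WSGI_KEY = "HTTP_" + GUARD_HEADER.upper().replace("-", "_")      # HTTP_X_VOMS_CSRF_GUARD


class CSRFGuard:
    """Reject (or, in log-only mode, just log) requests lacking the guard header."""

    def __init__(self, app, log_only=False):
        self.app = app
        self.log_only = log_only   # maps to VOMS_ADMIN_WS_CSRF_LOG_ONLY

    def __call__(self, environ, start_response):
        if WSGI_KEY not in environ:
            peer = "%s:%s" % (environ.get("REMOTE_ADDR", "?"),
                              environ.get("REMOTE_PORT", "?"))
            log.warning("Incoming request from %s is missing CSRF prevention HTTP header",
                        peer)
            if not self.log_only:
                body = b"CSRF header guard missing from request!"
                start_response("403 Forbidden",
                               [("Content-Type", "text/plain"),
                                ("Content-Length", str(len(body)))])
                return [body]
        return self.app(environ, start_response)


def list_groups_app(environ, start_response):
    """Constructed stand-in for the VOMS Admin web service (list-groups)."""
    body = b"/cert.mysql"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def send_request(app, headers, addr="192.168.100.21", port="44931"):
    """Drive a WSGI app with a constructed request; returns (status, body)."""
    environ = {"REQUEST_METHOD": "POST",
               "PATH_INFO": "/voms/cert.mysql/services/VOMSAdmin",   # assumed path
               "REMOTE_ADDR": addr, "REMOTE_PORT": port}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


def demo():
    """The three cases from the report: old client, new client, log-only mode."""
    enforcing = CSRFGuard(list_groups_app, log_only=False)
    log_only = CSRFGuard(list_groups_app, log_only=True)
    return {
        "old_client_enforced": send_request(enforcing, {}),
        "new_client_enforced": send_request(enforcing, {GUARD_HEADER: "1"}),
        "old_client_log_only": send_request(log_only, {}),
    }
```

Note that the header's value is irrelevant; its mere presence proves the request was not a simple cross-site browser request. Log-only mode exists so a site can deploy the server first, watch the WARN lines to find clients that still need upgrading, and only then flip the variable to enforce.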

Check connectivity method in voms-db-deploy.py

voms-db-deploy.py now offers a check-connectivity method that can be used to test connectivity to the database.

[root@cert-voms-01 ~]# /opt/glite/sbin/voms-db-deploy.py check-connectivity --vo cert.mysql
Checking database connectivity...
Database contacted succesfully
Checking database existence...
Found existing voms-admin 2.5.x database...

Topic attachments

Attachment                            Size    Date                Comment
Schermata_2010-12-21_a_16.28.29.png   70.2 K  2010-12-21 16:30    VOMS unconfirmed requests management page
Schermata_2010-12-21_a_16.33.57.png   92.6 K  2010-12-21 16:34    VOMS admin ACL input validation fix
full_result                           15.0 K  2010-12-21 15:38    VOMS Admin cli testsuite execution
yaim-upgrade-log.txt                   7.1 K  2011-01-14 12:07    YAIM upgrade log
yum-installation.txt                  81.6 K  2011-01-14 11:09    Yum clean installation log
yum-upgrade.txt                       11.5 K  2011-01-14 12:06    Yum upgrade installation log
Topic revision: r6 - 2011-01-14 - unknown