Test report for patch 3084

Setup

The certification tests were done in two parts. First the test were done using an UI and a WMS machine following these test instructions. Most did not appear on that nodetype, so a glite-GLEXEC_wn was also install to verify the bugs.

Certification tests

The ouput of these tests is attached to this page

Bugs attached to the patch

bug #23534: Problem with lcas-voms-plugin in glexec

This bug seems old, and could not be reproduced. The test files were expired. The segfault hints that it might the the same issue as in bug #52054

bug #29845: LCAS fails to parse "multi-delegated" proxy

The multi-delegation and the abrupt ending of the lcas logs which matches the segfault in bug #52054 seems to inficate that this is the same problem

bug #41472: glexec fails if valid VOMS proxy also contains expired extensions

Could not reporoduce from description, but bug states that this too probably the same as bug #52054

bug #43842: LCAS seg faults on wrong certificate selection in certain cases

Without more info in the bug description, assume it's the same as bug #52054

bug #46037: When using glexec on a WN, the LCAS userban plugin has a malformed user DN

Bug verified on glite-GLEXEC_wn, bug does not affect glite-WMS, it has to do with number of delegations, bug probably related to bug #52054. Bug confirmed, and fix certified.

same certificate, different number of delegations

LCAS   0: 2009-07-15.16:06:02-25129 :   lcas_userban.mod-plugin_confirm_authorization(): checking banned users in /opt/glite/etc/lcas/ban_users.db
LCAS   0: 2009-07-15.16:06:02-25129 : lcas_gridlist(): no entry found for /C=CH/O=CERN/OU=GD
LCAS   0: 2009-07-15.16:06:02-25129 : lcas.mod-lcas_run_va(): authorization granted by plugin /opt/glite/lib/modules/lcas_userban.mod
LCAS   0: 2009-07-15.16:06:02-25129 :   lcas_plugin_voms-plugin_confirm_authorization_from_x509():
LCAS   0: 2009-07-15.16:06:02-25129 :   lcas_plugin_voms-plugin_confirm_authorization_from_x509(): vomsdir = /etc/grid-security/vomsdir/
LCAS   0: 2009-07-15.16:06:02-25129 :   lcas_plugin_voms-plugin_confirm_authorization_from_x509(): certdir = /etc/grid-security/certificates/
LCAS   0: 2009-07-15.16:06:02-25129 :   lcas_plugin_voms-plugin_confirm_authorization_from_x509(): voms data structure initialized
LCAS   0: 2009-07-15.16:06:02-25129 :   lcas_plugin_voms-plugin_confirm_authorization_from_x509(): We got something, errNo = 0
LCAS   0: 2009-07-15.16:06:02-25129 :   lcas_plugin_voms-print_vomsdata(): 1 *******************************************
LCAS   0: 2009-07-15.16:06:02-25129 :   lcas_plugin_voms-print_vomsdata(): SIGLEN: 256
LCAS 0: 2009-07-15.16:06:02-25129 :     lcas_plugin_voms-print_vomsdata(): USER:   /C=CH/O=CERN/OU=GD
LCAS 0: 2009-07-15.16:06:02-25129 :     lcas_plugin_voms-print_vomsdata(): UCA:    /C=CH/O=CERN/OU=GD/CN=Test user 100


LCAS   0: 2009-07-15.16:35:18-29270 : lcas_gridlist(): no entry found for /C=CH/O=CERN
LCAS   0: 2009-07-15.16:35:18-29270 : lcas.mod-lcas_run_va(): authorization granted by plugin /opt/glite/lib/modules/lcas_userban.mod
LCAS   0: 2009-07-15.16:35:18-29270 :   lcas_plugin_voms-plugin_confirm_authorization_from_x509():
LCAS   0: 2009-07-15.16:35:18-29270 :   lcas_plugin_voms-plugin_confirm_authorization_from_x509(): vomsdir = /etc/grid-security/vomsdir/
LCAS   0: 2009-07-15.16:35:18-29270 :   lcas_plugin_voms-plugin_confirm_authorization_from_x509(): certdir = /etc/grid-security/certificates/
LCAS   0: 2009-07-15.16:35:18-29270 :   lcas_plugin_voms-plugin_confirm_authorization_from_x509(): voms data structure initialized
LCAS   0: 2009-07-15.16:35:18-29270 :   lcas_plugin_voms-plugin_confirm_authorization_from_x509(): We got something, errNo = 0
LCAS   0: 2009-07-15.16:35:18-29270 :   lcas_plugin_voms-print_vomsdata(): 1 *******************************************
LCAS   0: 2009-07-15.16:35:18-29270 :   lcas_plugin_voms-print_vomsdata(): SIGLEN: 256
LCAS 0: 2009-07-15.16:35:18-29270 :     lcas_plugin_voms-print_vomsdata(): USER:   /C=CH/O=CERN
LCAS 0: 2009-07-15.16:35:18-29270 :     lcas_plugin_voms-print_vomsdata(): UCA:    /C=CH/O=CERN/OU=GD/CN=Test user 100

After applying patch

LCAS   2: 2009-07-16.09:47:13-30551 : LCAS authorization request
LCAS   0: 2009-07-16.09:47:13-30551 :   lcas_userban.mod-plugin_confirm_authorization(): checking banned users in /opt/glite/etc/lcas/ban_users.db
LCAS   0: 2009-07-16.09:47:13-30551 :   lcas_userban.mod-plugin_confirm_authorization(): entry found for /C=CH/O=CERN/OU=GD/CN=Test user 100
LCAS   0: 2009-07-16.09:47:13-30551 : lcas.mod-lcas_run_va(): authorization failed for plugin /opt/glite/lib/modules/lcas_userban.mod

bug #47661: Error messages in log file when glexec fails because proxy is expired

Could not reproduce on glite-GLEXEC_wn, assume it is fixed in this patch

bug #52054: [LCAS/VOMS-API] Segfault when number of proxy delegations > number of RDn's

This seems to be the real bug that causes many problems. It was verified on production version of glite-GLEXEC_wn

[vtb-generic-67] /root > /opt/glite/sbin/glexec /usr/bin/id
Segmentation fault

subject   : /C=CH/O=CERN/OU=GD/CN=Test user 100/CN=proxy/CN=proxy/CN=proxy/CN=proxy/CN=proxy/CN=proxy
issuer    : /C=CH/O=CERN/OU=GD/CN=Test user 100/CN=proxy/CN=proxy/CN=proxy/CN=proxy/CN=proxy
identity  : /C=CH/O=CERN/OU=GD/CN=Test user 100/CN=proxy/CN=proxy/CN=proxy/CN=proxy/CN=proxy
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u0
timeleft  : 11:56:20

After patch deployment the bug is fixed

[vtb-generic-67] /root > /opt/glite/sbin/glexec /usr/bin/id
uid=501(glitetest) gid=1344(glitetest) groups=1096664514

A regression test has been written for this bug. It is with the normal certification tests since it did not fit the regression test framework.

bug #52417: [LCAS] lcas segfaults when proxy is malformed

Without more info in the bug description, assume it's the same as bug #52054. After more discussion in the patch, got testing instructions for the bug, but could not verify.

Node type tests

glite-WMS

Tested with the certfication test suite

glite-GLEXEC_wn

Tested during the bug test

lcg-CE

Made a basic lcg-CE installtion and a glite-UI installation. Ran direct submission tests with globus-job-submit. Tested both a banned and a normal user before applying the patch, and after applying the patch. Everything worked as it should.

Before patch, allowed user:

[vtb-generic-97] /home/glitetest > globus-job-submit vtb-generic-54.cern.ch /bin/echo "Hello World" 
https://vtb-generic-54.cern.ch:20001/16679/1247745393/

Before patch, banned user:

[vtb-generic-97] /home/glitetest > globus-job-submit vtb-generic-54.cern.ch /bin/echo "Hello World" 
GRAM Job submission failed because authentication with the remote server failed (error code 7)

After patch, allowed user:

[vtb-generic-97] /home/glitetest > globus-job-submit vtb-generic-54.cern.ch /bin/echo "Hello World" 
https://vtb-generic-54.cern.ch:20001/17365/1247745582/

After patch, banned user

[vtb-generic-97] /home/glitetest > globus-job-submit vtb-generic-54.cern.ch /bin/echo "Hello World" 
GRAM Job submission failed because authentication with the remote server failed (error code 7)

glite-VOBOX

Did not find any service that uses LCAS, no testing was done

glite-SCAS

Installed a glite-GLEXEC_wn, and a glite-SCAS node, and made the wn use the SCAS node. Ran tests with an allowed certificate, multi-delegate certificate and a banned certificate both before and after installing the patch. The multi-delegated proxy failed before the patch installation but succeeded after. No issues discovered.

glite-CREAM

Installed a UI, a CREAM CE and a worker node with torque on the CERN testbed. Submitted jobs directly to the CE from the UI. Jobs arrived in the queue as correct users. The LCAS logs with old version

 Jul 21 14:32:51 vtb-generic-54 glexec[22258]: Initialization LCAS version 1.3.7
Jul 21 14:32:51 vtb-generic-54 glexec[22258]: LCAS authorization request
Jul 21 14:32:51 vtb-generic-54 glexec[22258]: Termination LCAS

Then installed the patch and everything worked as before.

Jul 21 14:40:51 vtb-generic-54 glexec[23057]: Initialization LCAS version 1.3.11.2
Jul 21 14:40:51 vtb-generic-54 glexec[23057]: LCAS authorization request
Jul 21 14:40:51 vtb-generic-54 glexec[23057]: Termination LCAS

Did not find problems with the new patch.