Hi Antun,
> Any idea on what can cause MyProxy server to suddenly start not to recognize
> WMS/LB (which is trying to renew user's proxies) as authorized, after
> previously successfully renewing proxies on requests from the same WMS/LB and
> the same user for hours? The delegated credentials did not expire for that
> user. This is the excerpt from /var/log/messages:
>
> Jun 19 10:43:11 myproxy myproxy-server: <11733> Connection from 147.91.84.25
> Jun 19 10:43:11 myproxy myproxy-server: <22407> using trusted certificates
> directory /etc/grid-security/certificates
> Jun 19 10:43:11 myproxy myproxy-server: <22407> Authenticated client
> /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=host/wms.phy.bg.ac.yu
> Jun 19 10:43:11 myproxy myproxy-server: <22407> applying trusted_retrievers policy
> Jun 19 10:43:11 myproxy myproxy-server: <22407> applying authorized_retrievers
> policy
> Jun 19 10:43:11 myproxy myproxy-server: <22407> applying authorized_renewers
> policy
> Jun 19 10:43:11 myproxy myproxy-server: <22407> sending
> MYPROXY_AUTHORIZATION_RESPONSE
> Jun 19 10:43:11 myproxy myproxy-server: <22407> client chose X509_certificate
> Jun 19 10:43:11 myproxy myproxy-server: <22407> authorization failed
> Jun 19 10:43:11 myproxy myproxy-server: <22407> Exiting: certificate chain
> verification failed "/C=RS/O=AEGIS/OU=Institute of Physics
> Belgrade/CN=host/wms.phy.bg.ac.yu" not authorized by server's trusted_
> retrievers policy X509_verify_cert() failed authentication failed
> authentication failed
>
>
> After several minutes of such madness, MyProxy server suddenly again continues
> to renew proxy for this same WMS/LB (however, for another user, since for the
> original one all jobs are aborted; I am not sure if this is relevant, since
> the problem reported is that WMS/LB is not authorized).
>
> /etc/myproxy-server.config is created on 18 May, and since it is re-created
> each time myproxy service is restarted, which excludes the possibility that
> myproxy was restarted at 10:43 or so today. authorized_renewers contains DN of
> WMS/LB, while authorized_retrievers is set to "*".
The WMS should never try to _retrieve_ a proxy. Instead it should always try
to _renew_ a proxy. Are you sure the WMS node is _only_ used as a WMS?
Note: passwordless proxies cannot be retrieved at all.
> Any idea is appreciated. Also, is it possible to convince WMS/LB not to give
> up immediately on a job for which it cannot renew the proxy, but to try again
> later (i.e. 10 minutes later would save the day here)?
AFAIK the proxy renewal daemon on the WMS does not give up immediately.
Furthermore, you wrote it started working only for another user, so the day
would not have been saved...
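
Added example, not part of the original messages: a small Python script that groups myproxy-server syslog lines by the PID in angle brackets and reports, per connection, the authenticated DN and the policy named in the rejection, so intermittent denials like the one quoted above can be listed with their timestamps. The sample log is constructed from the quoted excerpt with wrapped lines re-joined; the second session (PID 22519) and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt quoted in the thread (wrapped lines re-joined).
# The 10:51:02 session is invented here to show a connection with no denial.
SAMPLE_LOG = """\
Jun 19 10:43:11 myproxy myproxy-server: <11733> Connection from 147.91.84.25
Jun 19 10:43:11 myproxy myproxy-server: <22407> Authenticated client /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=host/wms.phy.bg.ac.yu
Jun 19 10:43:11 myproxy myproxy-server: <22407> applying trusted_retrievers policy
Jun 19 10:43:11 myproxy myproxy-server: <22407> authorization failed
Jun 19 10:43:11 myproxy myproxy-server: <22407> Exiting: certificate chain verification failed "/C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=host/wms.phy.bg.ac.yu" not authorized by server's trusted_retrievers policy
Jun 19 10:51:02 myproxy myproxy-server: <22519> Authenticated client /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=host/wms.phy.bg.ac.yu
Jun 19 10:51:02 myproxy myproxy-server: <22519> applying authorized_renewers policy
"""

# syslog prefix: timestamp, host, "myproxy-server:", then "<pid> message"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ myproxy-server: <(\d+)> (.*)$")
DENIED = re.compile(r"not authorized by server's (\w+) policy")


def summarize(log_text):
    """Return {pid: {time, client, applied, denied_by}} for each logged process."""
    sessions = defaultdict(
        lambda: {"time": None, "client": None, "applied": [], "denied_by": None}
    )
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a myproxy-server line, or a wrapped continuation
        ts, pid, msg = m.groups()
        s = sessions[pid]
        s["time"] = s["time"] or ts  # keep the first timestamp seen for this PID
        if msg.startswith("Authenticated client "):
            s["client"] = msg[len("Authenticated client "):]
        elif msg.startswith("applying ") and msg.endswith(" policy"):
            s["applied"].append(msg.split()[1])
        elif (d := DENIED.search(msg)):
            s["denied_by"] = d.group(1)
    return dict(sessions)


def denials(log_text):
    """List (time, pid, client DN, rejecting policy) for every denied connection."""
    return [(s["time"], pid, s["client"], s["denied_by"])
            for pid, s in summarize(log_text).items() if s["denied_by"]]


if __name__ == "__main__":
    for row in denials(SAMPLE_LOG):
        print(*row, sep=" | ")
```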