Hi,
We've playing around with glexec+Argus (EMI-I release) some more and
found some inconsistencies between the way CEs and Argus create entries
in the gridmapdir (which is nfs-shared between them). I'm not sure if
there's a proper list to report these, but if experts could comment,
we'd be grateful.
So, I have been mapped by both Argus and CE using my CMS proxy with
"/cmses" group as primary or secondary fqan, as a result there are four
different mappings (first two are from Argus and second two from CE),
where there should be just two:
[root@gaergus ~]# lt /etc/grid-security/gridmapdir/| grep delgad
-rw-r--r-- 2 root root 0 Feb 11 2010
%2fdc%3des%2fdc%3dirisgrid%2fo%3dciemat%2fcn%3dantonio-delgado-peris:cmses:cms
-rw-r--r-- 2 root root 0 Sep 7 2010
%2fdc%3des%2fdc%3dirisgrid%2fo%3dciemat%2fcn%3dantonio-delgado-peris:cms:cmses
-rw-r--r-- 2 root root 0 Jun 13 17:03
%2fdc%3des%2fdc%3dirisgrid%2fo%3dciemat%2fcn%3dantonio%2ddelgado%2dperis:cms
-rw-r--r-- 2 root root 0 Jun 14 16:44
%2fdc%3des%2fdc%3dirisgrid%2fo%3dciemat%2fcn%3dantonio%2ddelgado%2dperis:cmses
So, the differences I see are:
1) CE converts '-' char to '%2d', while Argus doesn't.
2) CE appends the primary role/group to the end of DN, while Argues
appends all role/groups in order
3) CE uptimes modification time of the link, while Argus doesn't
(1) and (2) result in double mapping for each role/group combination I
use, this means that I can be mapped to different uids when I should be
mapped to the same one. It also means that our site may run out of
accounts twice as fast.
(3) means (AFAICT) that the cron to expire grid mappings may remove
mappings that are new believing they are old.
So, any comment on this? Do you think we should be very concerned by
these issues... I mean, even to discourage Argus usage while they are
not solved? In principle we have been asked to have this up by 30th June...
Thank you.
Cheers,
Antonio
|