Hi Mario,
Did you clear the cache of the PEPd and reload the policy into the PDP?
/etc/init.d/argus-pdp reloadpolicy
/etc/init.d/argus-pepd clearcache
If not, and if you checked right after adding the obligation, you might
have gotten a cached response. I think the standard time for the PEPd to refresh
the cache is ~10min.
See also:
https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPEPDTroubleshoot
cheers,
Joël
On 25.08.11 10:33, Mario Kadastik wrote:
>> yes, this means that Argus works fine now. To obtain a mapping you have to add an obligation to your policy. You can find the documentation of the pap-admin here:
>>
>> https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI#Command_add_obligation_since_ver
>>
>> and the documentation about currently supported obligations here:
>>
>> https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage#The_obligation_stanza
>
>
> Hmm… I did add the obligation as documented, but the same error comes from both pepcli and CREAM.
>
> [root@mercury argus]# pap-admin lp
>
> default (local):
>
> resource "http://authz-interop.org/xacml/resource/resource-type/wn" {
> obligation "http://glite.org/xacml/obligation/local-environment-map" {
> }
>
> action "http://glite.org/xacml/action/execute" {
> rule permit { pfqan="/cms/Role=lcgadmin/Capability=NULL" }
> rule permit { pfqan="/cms/Role=lcgadmin" }
> rule permit { pfqan="/cms/Role=production/Capability=NULL" }
> rule permit { pfqan="/cms/Role=production" }
> rule permit { pfqan="/cms/Role=priorityuser/Capability=NULL" }
> rule permit { pfqan="/cms/Role=priorityuser" }
> rule permit { pfqan="/cms/Role=hiproduction/Capability=NULL" }
> rule permit { pfqan="/cms/Role=hiproduction" }
> rule permit { pfqan="/cms/Role=pilot/Capability=NULL" }
> rule permit { pfqan="/cms/Role=pilot" }
> rule permit { pfqan="/cms/Role=NULL/Capability=NULL" }
> rule permit { pfqan="/cms" }
> rule permit { pfqan="/ops/Role=lcgadmin/Capability=NULL" }
> rule permit { pfqan="/ops/Role=lcgadmin" }
> rule permit { pfqan="/ops/Role=NULL/Capability=NULL" }
> rule permit { pfqan="/ops" }
> rule permit { pfqan="/balticgrid/Role=lcgadmin/Capability=NULL" }
> rule permit { pfqan="/balticgrid/Role=lcgadmin" }
> rule permit { pfqan="/balticgrid/Role=NULL/Capability=NULL" }
> rule permit { pfqan="/balticgrid" }
> }
> }
>
> resource ".*" {
> obligation "http://glite.org/xacml/obligation/local-environment-map" {
> }
>
> action ".*" {
> rule permit { pfqan="/cms/Role=lcgadmin/Capability=NULL" }
> rule permit { pfqan="/cms/Role=lcgadmin" }
> rule permit { pfqan="/cms/Role=production/Capability=NULL" }
> rule permit { pfqan="/cms/Role=production" }
> rule permit { pfqan="/cms/Role=priorityuser/Capability=NULL" }
> rule permit { pfqan="/cms/Role=priorityuser" }
> rule permit { pfqan="/cms/Role=hiproduction/Capability=NULL" }
> rule permit { pfqan="/cms/Role=hiproduction" }
> rule permit { pfqan="/cms/Role=pilot/Capability=NULL" }
> rule permit { pfqan="/cms/Role=pilot" }
> rule permit { pfqan="/cms/Role=NULL/Capability=NULL" }
> rule permit { pfqan="/cms" }
> rule permit { pfqan="/ops/Role=lcgadmin/Capability=NULL" }
> rule permit { pfqan="/ops/Role=lcgadmin" }
> rule permit { pfqan="/ops/Role=NULL/Capability=NULL" }
> rule permit { pfqan="/ops" }
> rule permit { pfqan="/balticgrid/Role=lcgadmin/Capability=NULL" }
> rule permit { pfqan="/balticgrid/Role=lcgadmin" }
> rule permit { pfqan="/balticgrid/Role=NULL/Capability=NULL" }
> rule permit { pfqan="/balticgrid" }
> }
> }
> [root@mercury argus]# pepcli -p https://mercury.hep.kbfi.ee:8154/authz -c ~/x509up_u101 -r myCE -a myA -t 60 -x --capath /etc/grid-security/certificates/ --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem
> Resource: myCE
> Decision: Permit
> No Obligation received
> [root@mercury argus]#
>
> Mario Kadastik, PhD
> Researcher
>
> ---
> "Physics is like sex, sure it may have practical reasons, but that's not why we do it"
> -- Richard P. Feynman
--
SWITCH
Serving Swiss Universities
--------------------------
Joël Casutt, Informatics Engineer, Middleware
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone: +41 44 268 1573
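Added example, not part of the original messages: a shell check for the procedure in the reply above, which reloads the PDP policy, clears the PEPd cache, and then classifies the pepcli answer so that a "Permit" without an obligation is reported as a failure. The init scripts and the pepcli output lines are the ones quoted in this thread; the function names and exit codes are assumptions of this sketch.

```shell
# pepcli output quoted in the thread, kept as sample input.
SAMPLE_NO_OBLIGATION='Resource: myCE
Decision: Permit
No Obligation received'

# Classify pepcli output read from stdin (hypothetical helper).
#   0 = Decision is Permit and no "No Obligation received" line is present
#   1 = Decision is Permit but no obligation came back (account mapping fails)
#   2 = any other decision, or no Decision line at all
classify_pepcli_output() {
    local out decision
    out=$(cat)
    # Take the first Decision line and strip surrounding whitespace.
    decision=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Decision:[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//' \
        | head -n 1)
    [ "$decision" = "Permit" ] || return 2
    if printf '%s\n' "$out" | grep -q 'No Obligation received'; then
        return 1
    fi
    return 0
}

# Reload the policy into the PDP, drop the PEPd response cache, then ask again.
# Skipping these steps can return a cached answer from before the policy
# change (the reply above estimates a cache lifetime of about 10 minutes).
# Arguments are passed to pepcli unchanged, e.g. the options used in the thread.
refresh_and_check() {
    /etc/init.d/argus-pdp reloadpolicy || return 3
    /etc/init.d/argus-pepd clearcache  || return 3
    pepcli "$@" | classify_pepcli_output
}
```

Call `refresh_and_check` with the same pepcli options as in the quoted session; an exit status of 1 after a fresh reload and cache clear means the missing obligation is not a caching effect.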