Hi Gonçalo,
I'm not sure what's going wrong, but what you see in the Argus pepd log are
the FQANs from the payload proxy (the one which is put in
GLEXEC_CLIENT_CERT), and they should certainly NOT have the pilot role.
You can also see that from the output:
Payload information:
Payload DN: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba/CN=proxy/CN=proxy/CN=proxy
Payload Primary FQAN: /cms/Role=NULL/Capability=NULL
The X509_USER_PROXY is used for the SSL handshake with the Argus server.
Somehow the payload proxy does not lead to a proper mapping. You might
find the reason in the syslog (as indicated by gLExec). It's important
to know what type of state is returned by the Argus PEPd (e.g.
indeterminate, not applicable etc.).
Cheers,
Mischa
On Thu, Jul 04, 2013 at 04:03:59PM +0100, Gonçalo Borges wrote:
> Hi All...
>
> I have some problem with gLexec for CMS.
>
> We are failing glexec nagios tests for CMS [1] with the following error:
>
> ---*---
> xxx.xxx.xxx.xxxt: WARNING: Error: error 203 executing
> /usr/sbin/glexec getting payload uid
> Ran at 2013-07-04 14:25:27 UTC (Thu Jul 4 15:25:27 WEST 2013) on
> host wn151.ncg.ingrid.pt as user:
> uid=3027013(cmsplt013) gid=3027000(cmsplt)
> groups=20284,3020000(cms),3027000(cmsplt)
>
> Pilot Information:
> X509_USER_PROXY=/home/cmsplt013/home_cream_846839750/cream_846839750.proxy
> DN: /DC=ch/DC=cern/OU=Organic
> Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea
> Sciaba/CN=proxy/CN=proxy/CN=proxy/CN=proxy/CN=proxy/CN=proxy
> Primary FQAN: /cms/Role=pilot/Capability=NULL
>
> (...)
>
> Glexec Invocation:
> Using glexec at /usr/sbin/glexec
> gLExec version: 0.9.6
> GLEXEC_SOURCE_PROXY: /home/cmsplt013/home_cream_846839750/CREAM846839750/nagios/probes/org.cms.glexec/testjob/tests/payloadproxy
> GLEXEC_TARGET_PROXY: /tmp/x509up_u3027013.glexec.4309
> [gLExec]: LCMAPS failed.
> The reason can be found in the syslog.
> Error: error 203 executing /usr/sbin/glexec getting payload uid
> ---*---
>
>
> The error 203 is an authorization error. Please note that the job is
> sent with the pilot role in the fqan.
> I've increased the log in ARGUS pepd, and I see the following for
> the timestamp of the failure:
>
>
> ---*---
> 2013-07-04 14:25:27.927Z - DEBUG [GLiteAuthorizationProfilePIP] -
> Extracting VOMS attribute certificate attributes
> 2013-07-04 14:25:27.940Z - DEBUG [GLiteAuthorizationProfilePIP] -
> Extracted virtual-organization attribute: Attribute{ id:
> http://glite.org/xacml/attribute/virtual-organization, dataType:
> http://www.w3.org/2001/XMLSchema#string, issuer: null, values:[cms]}
> 2013-07-04 14:25:27.940Z - DEBUG [GLiteAuthorizationProfilePIP] -
> Extracted fqan/primary attribute: Attribute{ id:
> http://glite.org/xacml/attribute/fqan/primary, dataType:
> http://glite.org/xacml/datatype/fqan, issuer: null,
> values:[/cms/Role=NULL/Capability=NULL]}
> 2013-07-04 14:25:27.940Z - DEBUG [GLiteAuthorizationProfilePIP] -
> Extracted fqan attribute: Attribute{ id:
> http://glite.org/xacml/attribute/fqan, dataType:
> http://glite.org/xacml/datatype/fqan, issuer: null,
> values:[/cms/Role=NULL/Capability=NULL]}
> ---*---
>
> Please note that the request arrived to ARGUS WITHOUT the pilot role
> in the FQAN, and therefore, is not authorized by ARGUS because the
> policy does not permit it.
>
> Has anyone seen such a behaviour?
>
> Cheers
> Goncalo
>
>
> [1] https://sam-cms-prod.cern.ch/nagios/cgi-bin/extinfo.cgi?type=2&host=ce02.ncg.ingrid.pt&service=org.cms.glexec.WN-gLExec-%2Fcms%2FRole%3Dpilot
>
--
Nikhef Room H155
Science Park 105 Tel. +31-20-592 5102
1098 XG Amsterdam Fax +31-20-592 5155
The Netherlands Email [log in to unmask]
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
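An added illustration, not part of this thread or of gLExec/Argus: a small Python check that parses the probe's "Pilot/Payload Information" block and the PEPd DEBUG attribute dump (which may be wrapped across lines, as in mail-quoted logs) and reports whose primary FQAN the Argus PIP actually evaluated. The sample texts are constructed from the excerpts above.

```python
import re

# Constructed sample of the glexec nagios probe output: the pilot proxy is
# X509_USER_PROXY (used for the SSL handshake with Argus), the payload proxy
# is GLEXEC_CLIENT_CERT (the one whose FQANs are sent for authorization).
PROBE_OUTPUT = """\
Pilot Information:
X509_USER_PROXY=/home/cmsplt013/home_cream_846839750/cream_846839750.proxy
Primary FQAN: /cms/Role=pilot/Capability=NULL
Payload information:
Payload Primary FQAN: /cms/Role=NULL/Capability=NULL
"""

# Constructed sample of Argus PEPd DEBUG lines, wrapped as in the mail quote.
PEPD_LOG = """\
2013-07-04 14:25:27.940Z - DEBUG [GLiteAuthorizationProfilePIP] -
Extracted fqan/primary attribute: Attribute{ id:
http://glite.org/xacml/attribute/fqan/primary, dataType:
http://glite.org/xacml/datatype/fqan, issuer: null,
values:[/cms/Role=NULL/Capability=NULL]}
"""

def probe_fqans(text):
    """Return {'pilot': fqan, 'payload': fqan} parsed from the probe output."""
    pilot = re.search(r"^Primary FQAN:\s*(\S+)", text, re.M)
    payload = re.search(r"^Payload Primary FQAN:\s*(\S+)", text, re.M)
    return {"pilot": pilot.group(1) if pilot else None,
            "payload": payload.group(1) if payload else None}

def pepd_primary_fqans(log):
    """Primary FQANs the PIP extracted; re.S lets 'values:[...]' span wrapped lines."""
    pat = r"fqan/primary attribute: Attribute\{.*?values:\[(.*?)\]\}"
    return [m.replace("\n", "").strip() for m in re.findall(pat, log, re.S)]

def role_of(fqan):
    """The Role= component of an FQAN, e.g. 'pilot' or 'NULL'."""
    m = re.search(r"/Role=([^/]+)", fqan)
    return m.group(1) if m else None

def which_proxy_reached_argus(probe_text, log):
    """'payload' or 'pilot' depending on whose FQAN Argus evaluated, else 'unknown'."""
    fq = probe_fqans(probe_text)
    seen = pepd_primary_fqans(log)
    if not seen:
        return "unknown"
    if all(s == fq["payload"] for s in seen):
        return "payload"
    if all(s == fq["pilot"] for s in seen):
        return "pilot"
    return "unknown"
```

When the result is "payload", Argus is seeing exactly the proxy gLExec is supposed to send, so the policy decision for that FQAN (and the PEPd's returned state) is what to look at next, not the pilot role.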