On Fri, Sep 27, 2013 at 04:40:04PM +0000, SCHAER Frederic wrote:
> It's always like that... Now it's working.
>
> Could it be that restarting the argus daemons is not equivalent to
> running "/etc/init.d/argus-pepd clearcache ; /etc/init.d/argus-pdp
> reloadpolicy" (which I just tried) ?
Hi,
in any case, you should do the argus-pdp reloadpolicy before the
argus-pepd clearcache. It's also wise to add a few seconds' delay between
the two, as the script will (most probably) return before it has
actually finalized the action.
Also see GGUS ticket https://ggus.eu/ws/ticket_info.php?ticket=96228
Cheers,
Mischa
> From: LHC Computer Grid - Rollout [mailto:[log in to unmask]] On behalf of SCHAER Frederic
> Sent: Friday, 27 September 2013 18:22
> To: [log in to unmask]
> Subject: [PROVENANCE INTERNET] [LCG-ROLLOUT] argus configuration problems
>
> Hi,
>
> I hope someone can help me on this...
> I'm attempting to configure a CREAM CE, with ARGUS enabled, using yaim.
>
> I did get those up and running without argus, but with it configured the CREAM CE refuses to get any job or delegation with this error at submit time :
> 2013-09-27 17:59:17,745 FATAL - CN=Frederic Schaer,OU=IRFU,O=CEA,C=FR,O=GRID-FR not authorized for {http://www.gridsite.org/namespaces/delegation-2}getProxyReq
>
> On the CREAM, the logs are :
>
> 27 Sep 2013 17:59:17,736 org.glite.ce.commonj.authz.axis2.AuthorizationHandler - request for OPERATION={http://www.gridsite.org/namespaces/delegation-2}getProxyReq; REMOTE_REQUEST_ADDRESS=192.54.206.17; USER_DN=CN=Frederic Schaer,OU=IRFU,O=CEA,C=FR,O=GRID-FR; USER_FQAN={ /vo.irfu.cea.fr/Role=NULL/Capability=NULL; }; NOT AUTHORIZED
> 27 Sep 2013 17:59:17,736 org.apache.axis2.engine.AxisEngine - Authorization error
> org.apache.axis2.AxisFault: Authorization error
> (blah blah)
>
> I've tried many things, enabled debug logging for pepd/pdp/pap, without success.
> I can only see in the pepd logs :
>
> 2013-09-27 15:59:17.701Z - DEBUG [PEPDaemonRequestHandler] - A decision of Indeterminate was reached by https://pre7231.datagrid.cea.fr:8152/authz in response to request _4ea7ebd25f09d74db4839473b77372a7
> 2013-09-27 15:59:17.701Z - DEBUG [PEPDaemonRequestHandler] - Processing obligations
> 2013-09-27 15:59:17.701Z - DEBUG [ObligationService] - Obligations in effect for this result: []
> 2013-09-27 15:59:17.701Z - INFO [protocol] - Complete hessian response
> Response{ results:[Result{ decision(2): Indeterminate, resourceId: http://datagrid.cea.fr/cream-pre7230, status: Status{ statusCode: StatusCode{ code: urn:oasis:names:tc:xacml:1.0:status:ok, subCode: null}, message: null}, obligations:[]}], request: Request{ subjects:[Subject{ category: urn:oasis:names:tc:xacml:1.0:subject-category:access-subject, attributes:[Attribute{ id: http://glite.org/xacml/attribute/subject-issuer, dataType: urn:oasis:names:tc:xacml:1.0:data-type:x500Name, issuer: null, values:[CN=CNRS2,O=CNRS,C=FR, CN=CNRS2-Projets,O=CNRS,C=FR, CN=Frederic Schaer,OU=IRFU,O=CEA,C=FR,O=GRID-FR, CN=GRID2-FR,O=CNRS,C=FR]}, Attribute{ id: urn:oasis:names:tc:xacml:1.0:subject:key-info, dataType: http://www.w3.org/2001/XMLSchema#string, issuer: null, values:[-----BEGIN CERTIFICATE-----
>
> I also increased logging to debug in the pdp, but actually nothing useful is logged except maybe this "syntax error" :
>
> 2013-09-27 15:59:17.661Z - DEBUG [TargetMatcherImpl] - Matching with function: http://glite.org/xacml/algorithm/fqan-match
> 2013-09-27 15:59:17.662Z - DEBUG [AbstractCombiningAlgorithm] - Syntax error occurred.
> 2013-09-27 15:59:17.662Z - DEBUG [AbstractCombiningAlgorithm] - Target match resulted in: INDETERMINATE
> 2013-09-27 15:59:17.662Z - DEBUG [RuleFirstApplicableAlgorithm] - Evaluation of ae03359a-dd41-4fd9-b3cc-aae355e1d95e was: INDETERMINATE
>
>
> My policy contains this for the VO in question :
>
> resource "http://datagrid.cea.fr/cream-pre7230" {
> obligation "http://glite.org/xacml/obligation/local-environment-map" {}
> action ".*" {
>
> rule permit {pfqan = "/vo.irfu.cea.fr/Role=NULL/Capability=NULL" }
> rule permit {pfqan = "/vo.irfu.cea.fr" }
> }
> }
>
> I loaded it with "pap-admin apf"
>
> Would someone have an idea of what I did wrong ?
> I tried unsetting the env variable "GT_PROXY_MODE=old" on the UI, without success.
>
> So now... I don't know what else to try to get something working ?
> Any idea ?
> I've seen warnings about terena certificates, but AFAIK, I'm not using one.
> I'm probably wrong in my policy, but... how/why ?
>
> Any help would be greatly appreciated :]
>
> Thanks && regards
> Frederic Schaer
--
Nikhef Room H155
Science Park 105 Tel. +31-20-592 5102
1098 XG Amsterdam Fax +31-20-592 5155
The Netherlands Email [log in to unmask]
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
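The ordering recommended in the reply above, written out as a shell function. This is an added example, not part of the original messages: the init script paths are the ones quoted in the thread, while the `PDP_INIT`, `PEPD_INIT` and `ARGUS_RELOAD_DELAY` variable names and the 5-second default delay are assumptions of this example.

```shell
#!/bin/sh
# Reload the Argus PDP policy, wait, then clear the PEPd cache.
# The PDP is reloaded first so that the PEPd cache is emptied only once
# the PDP is answering from the current policy.

# Paths as quoted in the thread; the variable names are assumptions.
PDP_INIT="${PDP_INIT:-/etc/init.d/argus-pdp}"
PEPD_INIT="${PEPD_INIT:-/etc/init.d/argus-pepd}"
# "A few seconds" in the thread; 5 is an assumed default.
ARGUS_RELOAD_DELAY="${ARGUS_RELOAD_DELAY:-5}"

argus_refresh() {
    # Step 1: reload the policy in the PDP. If this fails, stop here and
    # leave the PEPd cache alone rather than hide the failure.
    if ! "$PDP_INIT" reloadpolicy; then
        echo "argus-pdp reloadpolicy failed; PEPd cache left untouched" >&2
        return 1
    fi

    # Step 2: the init script may return before the reload has completed,
    # so give the PDP time to finish before touching the PEPd.
    sleep "$ARGUS_RELOAD_DELAY"

    # Step 3: drop the decisions the PEPd has cached.
    if ! "$PEPD_INIT" clearcache; then
        echo "argus-pepd clearcache failed" >&2
        return 2
    fi
    return 0
}

# Execute the sequence only when asked to: sh argus-refresh.sh --run
if [ "${1:-}" = "--run" ]; then
    argus_refresh
fi
```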