Hi Ionel,
> We have installed a single Argus server (argus.spacescience.ro)
> and we have for the moment a single CE (grid03.spacescience.ro)
> In the configuration files we have for:
> - users.conf : user accounts for pilot jobs are defined like this:
> 62101:pilops01:46010,45000:opspil,ops:ops:pilot
> 62102:pilops02:46010,45000:opspil,ops:ops:pilot
> ....
> 62110:pilops03:46010,45000:opspil,ops:ops:pilot
> - groups.conf :
> "/ops/NGI/Romania":::sgm:
> "/ops/ROLE=lcgadmin":::sgm:
> "/ops/ROLE=pilot":::pilot:
> "/ops/*"::::
> "/ops"::::
> - site-info.def:
> ARGUS_HOST="argus.spacescience.ro"
> USE_ARGUS=yes
> ARGUS_PEPD_ENDPOINTS="https://argus.spacescience.ro:8154/authz"
> CREAM_PEPC_RESOURCEID=urn:RO-13-ISS:argus:resource:ce
> GENERAL_PEPC_RESOURCEID=urn:RO-13-ISS:argus:resource:other
> CONFIG_PAP=yes
> CONFIG_PDP=yes
> CONFIG_PEP=yes
> PAP_ENTITY_ID="http://${ARGUS_HOST}/pap"
> PAP_ADMIN_DN="/DC=RO/DC=RomanianGRID/O=ISS/CN=Ionel STAN"
> PAP_POLL_INTERVAL=3600
> PAP_CONSISTENCY_CHECK=false
> PAP_CONSISTENCY_CHECK_REPAIR=false
> PDP_ENTITY_ID="http://${ARGUS_HOST}/pdp"
> PDP_RETENTION_INTERVAL=60
> PEP_ENTITY_ID="http://${ARGUS_HOST}/pepd"
> GLEXEC_WN_SCAS_ENABLED="no"
> GLEXEC_WN_ARGUS_ENABLED="yes"
> GLEXEC_WN_OPMODE="setuid"
> GLEXEC_WN_LOG_DESTINATION=file
> GLEXEC_WN_LOG_FILE=/var/log/glexec/glexec_log
> GLEXEC_WN_INPUT_LOCK=flock
> GLEXEC_WN_TARGET_LOCK=flock
>
> After a yaim configuration on CE, WNs and Argus we have the following:
> - WN:
> chown: cannot access `/etc/lcas/lcas-glexec.db': No such file or directory
> chmod: cannot access `/etc/lcas/lcas-glexec.db': No such file or directory
> - Argus:
> [root@argus ~]# pap-admin list-policies
>
> default (local):
>
> resource "http://authz-interop.org/xacml/resource/resource-type/wn" {
> obligation "http://glite.org/xacml/obligation/local-environment-map" {
> }
>
> action "http://glite.org/xacml/action/execute" {
> rule permit { pfqan="/alice/Role=lcgadmin/Capability=NULL" }
> rule permit { pfqan="/alice/Role=lcgadmin" }
> rule permit { pfqan="/alice/Role=production/Capability=NULL" }
> rule permit { pfqan="/alice/Role=production" }
> rule permit { pfqan="/alice/Role=pilot/Capability=NULL" }
> rule permit { pfqan="/alice/Role=pilot" }
> rule permit { fqan="/alice" }
> rule permit { pfqan="/alice/Role=NULL/Capability=NULL" }
> rule permit { pfqan="/alice" }
> rule permit { pfqan="/dteam/Role=lcgadmin/Capability=NULL" }
> rule permit { pfqan="/dteam/Role=lcgadmin" }
> rule permit { pfqan="/dteam/Role=production/Capability=NULL" }
> rule permit { pfqan="/dteam/Role=production" }
> rule permit { fqan="/dteam" }
> rule permit { pfqan="/dteam/Role=NULL/Capability=NULL" }
> rule permit { pfqan="/dteam" }
> rule permit { pfqan="/ops/NGI/Romania/Role=NULL/Capability=NULL" }
> rule permit { pfqan="/ops/NGI/Romania" }
> rule permit { pfqan="/ops/Role=lcgadmin/Capability=NULL" }
> rule permit { pfqan="/ops/Role=lcgadmin" }
> rule permit { pfqan="/ops/Role=pilot/Capability=NULL" }
> rule permit { pfqan="/ops/Role=pilot" }
> rule permit { fqan="/ops" }
> rule permit { pfqan="/ops/Role=NULL/Capability=NULL" }
> rule permit { pfqan="/ops" }
> }
> }
>
> OPS test fail:
> https://nagios.grid.ici.ro/nagios/cgi-bin/extinfo.cgi?type=2&host=grid03.spacescience.ro&service=org.sam.CREAMCE-JobState-ops
>
>
> Failed to create a delegation id for job
> https://wms304.cern.ch:9000/yuJBZFbFcXaXgBnfIjQ1ng: reason is CN=Alexandru
> Stanciu,O=ICI,DC=RomanianGRID,DC=RO not authorized for
> {http://www.gridsite.org/namespaces/delegation-2}getProxyReq
Is your CE also using Argus now? If so, it would need its own policy...
In any case, accesses to the CE as "ops" or "alice" fail as follows:
$ uberftp grid03.spacescience.ro pwd
220 grid03.spacescience.ro GridFTP Server 6.19 (gcc64, 1359994843-83)
[Globus Toolkit 5.2.3] ready.
530-Login incorrect. : globus_gss_assist: Error invoking callout
530-globus_callout_module: The callout returned an error
530-an unknown error occurred
530 End.
Check the usual list:
https://wiki.egi.eu/wiki/Tools/Manuals/TS03
Let's discuss this further in the ticket:
https://ggus.eu/ws/ticket_info.php?ticket=95276
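
The point above that a CE using Argus needs its own policy can be checked mechanically. The following is an added example, not part of the original message or of the Argus tooling: it compares the `*_PEPC_RESOURCEID` values from site-info.def with the resource blocks in `pap-admin list-policies` output and reports the IDs that have no policy. The sample input is abridged from the quoted text and the function names are hypothetical.

```python
import re

# Constructed sample input, abridged from the quoted message; function names are this example's own.
SITE_INFO = '''\
ARGUS_HOST="argus.spacescience.ro"
CREAM_PEPC_RESOURCEID=urn:RO-13-ISS:argus:resource:ce
GENERAL_PEPC_RESOURCEID=urn:RO-13-ISS:argus:resource:other
'''
POLICIES = '''\
default (local):

resource "http://authz-interop.org/xacml/resource/resource-type/wn" {
obligation "http://glite.org/xacml/obligation/local-environment-map" {
}

action "http://glite.org/xacml/action/execute" {
rule permit { pfqan="/ops/Role=pilot" }
rule permit { fqan="/ops" }
}
}
'''

def configured_resource_ids(site_info):
    """Map each *_PEPC_RESOURCEID variable to its unquoted value."""
    pairs = re.findall(r'^(\w+_PEPC_RESOURCEID)=(.+)$', site_info, re.M)
    return {name: value.strip().strip('"\'') for name, value in pairs}

def policy_resources(dump):
    """Return {resource id: {action id: [(effect, attribute, value), ...]}}."""
    resources, res, act = {}, None, None
    for line in dump.splitlines():
        line = line.strip()
        if m := re.match(r'resource "([^"]+)"', line):
            res = resources.setdefault(m.group(1), {})
            act = None
        elif res is not None and (m := re.match(r'action "([^"]+)"', line)):
            act = res.setdefault(m.group(1), [])
        elif act is not None and (m := re.match(r'rule (permit|deny) \{ (\w+)="([^"]*)" \}', line)):
            act.append(m.groups())
    return resources

def uncovered(site_info, dump):
    """Configured resource IDs that have no resource block in the PAP dump."""
    have = policy_resources(dump)
    return {n: rid for n, rid in configured_resource_ids(site_info).items() if rid not in have}

if __name__ == "__main__":
    for name, rid in uncovered(SITE_INFO, POLICIES).items():
        print(f"{name}={rid}: no policy for this resource id")
```

With the quoted configuration, both the CREAM and the general resource ID are reported, since the only resource block in the dump is the worker-node one.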